Computer security isn’t a technological problem — it’s an economic one.
That is the message Bruce Schneier, CTO of Counterpane
Internet Security and the author of “Beyond Fear: Thinking Sensibly About
Security in an Uncertain World,” repeated throughout his keynote address
here Thursday at the infoSecurity Conference in New York’s Jacob K. Javits
Center.
Schneier, a security technologist, said the future of security is getting
harder to predict and warned the several hundred tech professionals on hand
that they must start paying attention to the economics of security if they
hoped for technology to keep pace.
“To understand the difference it’s necessary to understand the basic
economic incentives of companies and how businesses are affected by
liabilities,” he said.
The key is to think of security not in absolutes, but rather in terms of
sensible trade-offs, said Schneier.
Schneier argued that profit-making ventures refuse to make decisions based
on both short- and long-term profitability. Organizations, he says, find it
cheaper to weather the occasional bad press and fix public problems after
the fact, rather than design security properly from the beginning.
However, until the cost paradigms shift, there will continue to be shoddy
software and insecure security practices, he said.
“The problem is that most of the costs of insecure software fall on the
users.”
In economics, this is known as an externality: an effect of a decision not
borne by the decision maker, according to Schneier.
“When ChoicePoint leaked data they weren’t the victim — you were,” he told
the audience. “The loss was to us.”
“Depending on where you put liability, security improves or it doesn’t,” he
added, noting that ChoicePoint had calculated its risks of losing data, and
had weighed the financial burdens of protecting it no matter the cost.
Ultimately the data service chose a certain level of protection before it
would allow the information to be compromised.
“Put the liability on the responsible party, then we can do something,” he
said. That liability usually comes through legislation or lawsuits,
according to Schneier.
And those losses, as in the case of ChoicePoint last February, signal
another important shift in how companies need to protect themselves.
The problem is the inadequacy of computer and network-security systems
originally geared to protect against the cracker who hacks as a hobby, not
the career criminal.
“Criminal attacks represent a new threat for most organizations,” Schneier
said.
A recent example is the discovery this week of the latest
Sober variant that will automatically download some unknown code on
Jan. 5, 2006, the anniversary of the founding of the Nazi party and the eve
of a major German political convention.
Schneier also said the government's attempt to create a national
identification card was nothing more than selling the American public
another “bill of goods” that “won’t make us any safer.” In fact, he argued,
the money invested in the program would divert much-needed money from
security matters that actually need addressing.
“Security is a process, it is not a product,” he said.