Are we losing the security war?

Companies are losing the battle to secure their IT systems from attacks by hackers and other threats, warned Bruce Schneier, the founder and chief technology officer of Counterpane Internet Security.

"I don't think, on the whole, we are winning the security war; I think we are losing it," Schneier said in a speech, which was webcast Wednesday at the Hack In The Box Security Conference (HITB) in Kuala Lumpur, Malaysia.

As systems get more complex, they get less secure, according to Schneier. Even as security technology improves, the complexity of modern IT systems has increased at a faster rate.

"The Internet is the most complex machine ever built," Schneier said. "This explains why security is getting worse."

In addition, the nature of the threat that companies face has changed in important ways. Where hacking was once considered a profession for hobbyists, a growing number of hackers are now criminals with a profit motive. "The nature of the attacks are changing because the adversaries are changing," Schneier warned. "They have different motivations, different skill sets and different risk aversions."

Hobbyists now represent the minority of hackers, according to Schneier. This change means hackers pose an even greater threat to companies. "The hobbyist is more interested in street cred, the criminal wants results," he said.

To turn the battle in its favor, the security industry must look beyond purely technical measures, according to Schneier. "Look for the economic levers," he said. "If you get the economic levers right, the technology will work. If you get the economics wrong, the technology will never work."

Externalities, an economic term used to describe the effects of one person's actions on another, are central to building effective security, Schneier said.

For example, U.S. banks do not spend heavily to defend against identity theft because they are not affected when such theft occurs. To the banks, this is an externality. However, when banks bear liability for a security breach, such as an unauthorized ATM withdrawal, they make the investments necessary to prevent these incidents from taking place, he said.

The same economic lessons can be applied to software vendors. To improve the security of software, Microsoft and others should be made liable for selling software that is not secure. "When you use buggy software and you lose data, that's your loss and not the software company's loss," Schneier said.

That needs to change, according to Schneier. "The organization that has the capability to mitigate the risk needs to be responsible for the risk," he said

HITB runs through Thursday, Sept. 21.