Computer security's dubious future

As longtime readers already know, I’m a big fan of Bruce Schneier, CTO and founder of BT Counterpane. Besides being a cryptographic and computer security authority, cryptographic algorithm creator, and author of many best-selling books on security, Bruce produces some of the most relevant conversations on computer security. I consider his books, his Cryptogram newsletter, and his blog must-reads for anyone in computer security.

Bruce is a guy who pushes us to rethink our currently held paradigms. He lays bare unsubstantiated dogma. I don’t always agree with Bruce. But many of the potent ideas that I disagreed with when he espoused them a half decade ago, I find myself agreeing with years later, ideas like how two-factor authentication won’t stop malicious hackers from stealing gobs of money from the online banking industry, and how the biggest problem with security, in general, is us and our irrational ranking of threats.

I distinctly remember Bruce telling me a decade ago how computer security, with all of its advances, was more than likely going to get worse in the future. This was in the face of increasingly accurate anti-virus programs, improved patch management, and solid improvements in OS security across all platforms. He said this in the days of Windows 95 with almost no security, and today we’ve got User Access Control and security so tight on a Windows system that vendors are frequently complaining. At the time, Bruce was the only voice saying that computer security was going to get worse. And he was right.

But it’s a decade later now. ISS’ annual report announced that the number of vulnerabilities went down for the first time in a long time, along with the amount of spam. (Interestingly, they also said that 50 percent of reported vulnerabilities could not be fixed by a patch.) The latest evolving security technologies (such as IPv6, IPSec, Network Access Protection/Network Access Control, anti-malware software, and so on) are promising. End-user education is higher than it’s ever been. Many professional entities and governments are requiring baseline security compliance. My friends only send me half the hoax virus warning messages now that I used to receive.

So, I asked Bruce the same question again, “Will computer security get better or worse over the next decade?”

Here’s his response:

"Computer security is not likely to improve in the near future because of two reasons. One, bad guys are getting better at attacking us. And two, we’re not getting better at defending ourselves.

The overarching reason for both of these trends is complexity. Complexity is the worst enemy of security; as a system gets more complex, it gets less secure. There are several reasons for this, which I explained in an essay from 2000. And the Internet is the most complex machine mankind has ever built. We barely understand how it works, let alone how to secure it.