Complexity makes it both harder for us to secure our systems and easier for the attacker to find a weakness. Carl von Clausewitz talked about this with respect to war. Defenders have to defend against every possible attack, while attackers just have to find one weakness. It’s called “the position of the interior,” and complexity makes that position less tenable.
Complexity explains one of the most perplexing questions about computer security: Why isn't it getting better? We in the computer world are used to technology making things better. Moore's Law means that computers get more powerful. Graphics get better. Printing gets better. Video gets better. Networking gets better. Everything gets better -- except security. Why? Complexity is an explanation of that. The reality is that security really is improving, just not when measured against the complexity juggernaut. Every year there's new research, new techniques, and new products. But complexity is making things worse faster. So we're losing ground even as we improve.
The result is the Wild West: a lawless society. On the Internet, there really isn’t a rule of law imposed from above. It’s every man, or every network, for himself. Those that can afford bespoke security have it, but those who can't -- think home computer users -- have to make do. This is very much the world of Internet security. It’s hard to find Internet criminals, hard to build cases against them, and hard to prosecute them. Oh, there are the few high-profile exceptions, but by and large malicious hackers can commit Internet crime with impunity."
So, there you have it -- Bruce’s thoughts on the near-term future of computer security. And if his comments make you a little more despondent over the future, it might be piling on to realize that this time around almost no one disagrees with him. Usually it takes years for a lot of us to understand Bruce’s central points. This time we understand him with immediate clarity.
Even sadder is the fact that there are things we can do to resolve the key security issues but we, as a society, aren’t going to do them. It makes you wonder whether Bruce’s answer will be any different in another 5 years. Another 10 years? What tipping point event might have occurred –- how bad was it? -- to make us change the way we do business? Or is it possible for Internet crime to hum along at current levels, never getting better or worse, and we live with it as a normal cost of doing business, and living? My money is on the tipping point event. Luckily, when we do decide to get serious about computer security, there are intelligent voices, everywhere, that are ready to lend assistance.