SAN FRANCISCO--Every year, security vendors gather at the RSA conference
here to reaffirm their commitment to fencing out hackers and keeping
data safe. And every year, corporate and government Web sites continue
to fall victim to basic attacks. Heck, ubersecurity firm RSA itself was compromised not that long ago, as was digital certificate heavyweight VeriSign, even if it didn't admit it for two years.
In other words, very little changes from year to year beyond the buzzwords du jour bruited about by security vendors. "It's Groundhog Day," says Josh Corman, director of security intelligence at Akamai.
Art Coviello, executive chairman of RSA, at least had the presence of
mind to be humble, acknowledging in his keynote that current "security
models" are inadequate. Yet he couldn't help but lapse into rah-rah
boosterism by the end of his speech. "Never have so many companies been
under attack, including RSA," he said. "Together we can learn from these
experiences and emerge from this hell, smarter and stronger than we
were before."
Really? History would suggest otherwise. Instead of
finally locking down our data and fencing out the shadowy forces who
want to steal our identities, the security industry is almost certain to
present us with more warnings of newer and scarier threats and bigger,
more dangerous break-ins and data compromises and new products that are
quickly outdated. Lather, rinse, repeat.
"The cybersecurity cycle will go on for the rest of our lives," predicts
Rod Beckstrom, president and CEO of ICANN and former director of the
U.S. National Cybersecurity Center. "The industry takes a long time to
evolve."
Of course, while it's evolving, the rest of us are still coming to grips
with existing vulnerabilities--to say nothing of trying to figure out
which future problems are going to pose us the biggest headaches. This
is a world, after all, with keyloggers that record bank account
information. With "advanced persistent threats," or APTs, that conduct
long-term industrial espionage. With government secrets left on unencrypted laptops and malware like Stuxnet apparently designed to sabotage national nuclear-arms programs.
The industry's sluggishness is enough to breed pervasive cynicism in
some quarters. Critics like Corman are quick to note that if security
vendors really could do what they promise, they'd simply put themselves
out of business. "The security industry is not about securing you; it's
about making money," Corman says. "Minimum investment to get maximum
revenue."
Even if you're not quite as jaded as Corman, there are still two
big--maybe insuperable--obstacles lying between us and security Nirvana.
First, there's the seemingly endless arms race between hackers and
defenders, one that shows no sign of slowing anytime soon.
Second, there's the fact that attackers are--at least for now--much more
motivated to get in than companies are to keep them out.
Put together, it's enough to make almost anyone despair. One executive
at a top security firm who asked not to be identified admitted that
technology innovation is lagging behind the criminal hackers, whose
motivation is greater than the level of risk corporations feel they
face.
"Never before have so many spent so much and accomplished so little," he said.
Part of the problem is the increasing pervasiveness of networked
computers, software, and social networks. There are more targets for
attackers to hit. Twenty years ago we didn't have mobile phones and
Facebook and Internet-connected power-grid controllers. Digital thieves
are sneaking in new side doors before companies even realize they're
unlocked.
And the attackers are fast learners, able to devise
new methods for getting into computer systems even when strong defenses
are in place. When antivirus software blocked malware, lurking villains
came up with cunning social engineering tricks to lure you to the
malware.
Making matters worse is the fact that the white hats are riding lame stallions and firing rusty revolvers. Models like antivirus signature updating--which
protects only against known threats--are fundamentally broken, yet many
companies still rely on them. The promises of Public Key Infrastructure
have not materialized. Some hope that analysis of Big Data--the tons of
log and network information housed within corporate systems--can
identify points of weakness and block hackers. We'll see.
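The complaint about signature updating above is easy to see in code. The following is an added example, not code from the article or from any vendor named in it: a toy scanner with the two kinds of static signature a classic antivirus engine keeps, a full-file hash and a byte pattern, run against a constructed "known sample" and two trivially altered copies of it. The sample bytes, signature names and the XOR "packer" are all assumptions made up for the demo.

```python
"""Added example (not from the article): why signature matching only
catches what it already knows. All samples and signatures below are
constructed for the demo; the byte strings are harmless stand-ins."""
import hashlib
from typing import Optional

# Constructed "known sample" standing in for a malware file the vendor
# has already analysed and pushed a signature for.
KNOWN_SAMPLE = b"\x4d\x5a" + b"EVIL_PAYLOAD_v1" + b"\x00" * 16

# Two kinds of static signature a classic AV engine keeps:
#   1. a full-file hash (exact match only)
#   2. a byte pattern (substring match; more tolerant, still static)
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Trojan.A"}
PATTERN_SIGNATURES = {b"EVIL_PAYLOAD": "Demo.Trojan.Gen"}


def scan(sample: bytes) -> Optional[str]:
    """Return the name of the matching signature, or None if the file
    looks 'clean'. Cheap exact-hash lookup first, then byte patterns."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in sample:
            return name
    return None


def append_padding(sample: bytes) -> bytes:
    """Attacker trick 1: change a single byte of the file so the hash
    signature no longer matches. The byte pattern still does."""
    return sample + b"\x90"


def xor_pack(sample: bytes, key: int = 0x5A) -> bytes:
    """Attacker trick 2: a toy 'packer' that XOR-encodes the body so the
    byte pattern is not present on disk. A real packer prepends a small
    decoder stub that reverses this at run time; omitted here."""
    return bytes(b ^ key for b in sample)


def demo() -> dict:
    """Scan the original sample and two trivially altered variants."""
    return {
        "original": scan(KNOWN_SAMPLE),
        "padded": scan(append_padding(KNOWN_SAMPLE)),
        "packed": scan(xor_pack(KNOWN_SAMPLE)),
    }


if __name__ == "__main__":
    for variant, verdict in demo().items():
        print(f"{variant:9s}: {verdict or 'clean'}")
```

The hash signature catches only the byte-for-byte original, the pattern signature survives the one-byte change but not the encoding, and the encoded copy scans as clean until someone has seen it, analysed it and shipped a new signature. That lag is the whole business model the article is grumbling about.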
"We're fighting the problems, but they're not solvable," said David
Perry, president of G Data Software North America. "Everyone has
expected the magic bullet forever, but there is none."
Companies and consumers still want an easy fix, though--and that often plays right
into the hands of hackers. When you see headlines about identity fraud
and data breaches, it's much easier to buy a new antimalware package
than to really analyze the problem and switch gears. "There's a
mentality that we can solve the problem with another product," said Mary
Landesman, senior security researcher at Cisco. If only it were true.
Getting companies to devote time and money to adequately address their
security issues is particularly difficult because they often don't think
there's a problem until they've been compromised. And for some, too
much knowledge can be a bad thing. "Part of the problem might be
plausible deniability, that if the company finds something, there will
be an SEC filing requirement," Landesman said.
Of course, it would help if software in general was less buggy. Some security experts
are pushing for a more proactive approach to security much like
preventative medicine can help keep you healthy. The more secure the
software code, the fewer bugs and the less chance of attackers getting
in.
"Most of RSA, especially on the trade show floor, is
reactive security and the idea behind that is protect broken stuff from
the bad people," said Gary McGraw, chief technology officer at Cigital.
"But that hasn't been working very well. It's like a hamster wheel."
This concept helped Microsoft improve its battered image 10 years ago
after being hammered by worms and viruses that infected huge numbers of computers by
exploiting holes in Windows. Microsoft launched its Security Development
Lifecycle (SDL) program to build security into every stage of development, from design and threat modeling through coding, testing and release,
and it has been a success, making its products some of the most secure in the industry.
That sort of solution, though, isn't particularly scalable, especially
not with coders churning out apps and applications to meet the demand
for new apps on new devices. "We know how to build software with fewer
bugs per square inch and we are getting much better at that," McGraw
said. "The problem is we're building more square miles of code than ever
before."
There is no easy answer, because there are so many aspects to
security, said Bruce Schneier, chief security technology officer at BT.
"The fundamental problems are about using technology, implementation,
user interface, installations, updates, all of those ancillary things,"
he said. "And there are economic barriers that people who deploy the
technology don't have financial motivations to do so.... The person in
charge of the problem doesn't have the ability to fix it and the person
with the ability to fix it isn't in charge."
And no one wants to pay money to provide security for anyone else. Like pollution, security
incidents are something everyone potentially contributes to and suffers
as a result of. "This might be a fundamental mismatch that the market
cannot resolve," without government intervention, Schneier said.