This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
Download it now to read this article plus other related content.
You're right about the endpoints not getting any better. I've written again and again how measures like two-factor authentication aren't going to make electronic banking any more secure. The problem is if someone has stuck a Trojan on your computer, it doesn't matter how many ways you authenticate to the banking server; the Trojan is going to perform illicit transactions after you authenticate.
It's the same with a lot of our secure protocols. SSL, SSH, PGP and so on all assume the endpoints are secure, and the threat is in the communications system. But we know the real risks are the endpoints.
And a misguided attempt to solve this is going to dominate computing by 2017. I mentioned software-as-a-service, which you point out is really a trick that allows businesses to lock up their customers for the long haul. I pointed to the iPhone, whose draconian rules about who can write software for that platform accomplishes much the same thing. We could also point to Microsoft's Trusted Computing, which is being sold as a security measure but is really another lock-in mechanism designed to keep users from switching to "unauthorized" software or OSes.
I'm reminded of the post-9/11 anti-terrorist hysteria--we've confused security with
| control, and instead of building systems for real security, we're building systems of control. Think of ID checks everywhere, the no-fly list, warrantless eavesdropping, broad surveillance, data mining, and all the systems to check up on scuba divers, private pilots, peace activists and other groups of people. These give us negligible security, but put a whole lot of control in the government's hands.
Computing is heading in the same direction, although this time it is industry that wants control over its users. They're going to sell it to us as a security system--they may even have convinced themselves it will improve security--but it's fundamentally a control system. And in the long run, it's going to hurt security.
Imagine we're living in a world of Trustworthy Computing, where no software can run on your Windows box unless Microsoft approves it. That brain drain you talk about won't be a problem, because security won't be in the hands of the user. Microsoft will tout this as the end of malware, until some hacker figures out how to get his software approved. That's the problem with any system that relies on control: Once you figure out how to hack the control system, you're pretty much golden. So instead of a zillion pesky worms, by 2017 we're going to see fewer but worse super worms that sail past our defenses.
By then, though, we'll be ready to start building real security. As you pointed out, networks will be so embedded into our critical infrastructure--and there'll probably have been at least one real disaster by then--that we'll have no choice. The question is how much we'll have to dismantle and build over to get it right.
This was first published in January 2008