SAN JOSE, Calif. -- If only firewalls were as impenetrable as the virtual wall that often exists between IT and executives in enterprise environments.
Most often, the biggest impediment to network security isn't necessarily a technological problem, but an issue with an enterprise's risk management model, said Bruce Schneier, chief technology officer with Counterpane Internet Security, speaking Wednesday at the RSA Conference 2002.
"CEOs will tell you to do enough so that they are not sued for not following acceptable best practices," Schneier said. "CEOs only do what everyone else does. Why have firewalls succeeded? It's not because they're effective. They succeed because the value proposition changed. Firewalls are easy to install and they're cheap. And, if you don't add one, you'll fail a security audit and that matters to a CEO. CEOs don't care about PKI or e-mail encryption and that's why those things failed."
Security: A risk that must be managed
CEOs often want to adopt a military model of threat avoidance where security is absolute; but that isn't possible, Schneier said, because products aren't perfect and neither are the people using them.
"Business needs to view security as a risk that must be managed," Schneier said. "Security must make business sense to the executive level -- adequate security at a reasonable cost."
Unfortunately, Schneier pointed out, the enemy is capable of doing sophisticated damage with relatively little expertise. Also, as new problems emerge, IT managers and security professionals have to deal with them, as well as with the bevy of old exploits and attacks that do not go away.
Rather than rushing out for the latest and greatest tool, Schneier suggests that IT look toward the real world for a solution.
"There is no technical solution to prevent murder, yet we all feel safe. And it's not because we're wearing Kevlar armor, or riding in tanks or living in a fortress," he said. "We must figure out why we are safe in the real world and apply those principles to make our networks and the Internet safe."
Changing the executive level's analysis of risk management is central to this proposition.
"Security must affect the bottom line in an obvious way. It's hard to get a CEO's attention," Schneier said.
How to get your CEO's attention
Schneier suggests four steps:
- Enforce liability for porous software
- Allow parties to transfer liability (insurance)
- Provide mechanisms to reduce risk
- Rational prosecution leads to deterrence
On liability, Schneier said that software companies should not be exempt from normal product liability. In short, if companies are not held accountable, no one can do anything about the problem because it is not in anyone's financial interest to fix it. Federal regulations, industry standards or legal action could begin a turnaround in terms of liability. But Schneier acknowledged problems in assigning liability, and noted that the international nature of the Internet makes uniform liability difficult. Also, open-source software development could essentially end if being free does not mean being exempt.
Insurance, Schneier said, could be the linchpin for network security.
"Insurance turns a variable cost into a fixed cost," Schneier said. "That's what companies like. Insurance is a CEO's primary risk management tool."
Pros, cons of getting insurance companies involved
Ultimately, hacking insurance could be ubiquitous, Schneier said. And those companies are going to demand standards in order to protect the enterprise, in a similar way to Underwriters Laboratories' influence over electrical components. Their clout will be significant, Schneier said.
"That kind of scares me," said crypto developer Braham Windeler of Wells Fargo Bank. "That brings up the question of how companies are going to get certified by insurance companies. That would make it difficult for smaller product vendors and [will] force consolidation. That may be a good thing, but I'm all for smaller companies competing on the same playing field."
As for mechanisms that reduce risk, Schneier said, outsourcing is a real-world parallel that could also lead to industry standardization.
"It's the only way to make security scale," Schneier said. "It's what the insurance industry will want. They'd rather certify 10 outsourcers than a million security companies."
Outsourcing is not perfect, Schneier said, but it is cheaper than the alternative. "Outsourcing is what we do in the real world. We outsource our fire, police and medical needs," Schneier said. "People point out the risks of outsourcing, but we're used to these risks. We outsource half of our eating habits to fast-food restaurants where the food is prepared by 15-to-18 year olds who don't clean their rooms, don't shower, aren't certified and are working for minimum wage."
The key, he said, is to outsource technical expertise, not management. "It's bad to outsource business decisions," he said.
The Internet: A lawless society
Prosecution is the best deterrent to the lawless society that is the Internet right now, Schneier said.
"We feel safe because we live in a lawful society where criminals are prosecuted and our population is educated. We haven't done that on the Internet," Schneier said. "Prosecution is important to achieve computer security."
An inherent problem: it is difficult to trace computer attacks back to their source, in particular to pair the attacker with the attacking computer.
"We have to tweak risk management until management cares," Schneier said.