Archive for September 29th, 2004

The Future of Computer Security: A Question of Analogies

Wednesday, September 29th, 2004

Friday I expect to be on a panel at Gnomedex called “The Future of Security.” In preparation, I’ve been putting some thought not so much into the future of security, but into how we even go about figuring out that future.
Let’s start with some basic facts – the axioms of security if you will:

  • There will always be “bad guys” who try to break into systems, write viruses, steal, etc. They’ve existed throughout history, and there’s no reason to expect them to vanish from cyberspace.
  • Technology alone will never provide perfect security. Every walled city ultimately fell. However, technology may, for a while, provide “good enough” security.

The challenge with predicting Internet security is that the Internet is a new phenomena. We don’t really know where it’s going or what it will be like in 20 years. Even though we are in some ways better off than those who pioneered the Internet, because we’re at least paying some attention to security, that is offset by a huge increase in complexity (and complexity is the enemy of security).

In predicting the future, we try reaching for analogies from the past. But in doing so it’s sometimes tough to choose the right analogy. For example: those who expected “nation building” in Iraq to be analogous to post WWII Europe seem to have been woefully mistaken.

There are two analogies that I currently find useful in thinking about Internet security. One is inspired by the information superhighway, a term has lost some of its popularity but remains useful. In this analogy, the original ARPA-Net was the equivalent of dirt roads. Visitors rode primitive Model-T vehicles, at relatively low speeds. There were few accidents, no seat belts and no drivers ed.

As the highway system grew into its modern form, accidents became more common. Society dealt with this in two ways – using technology to make both cars and highways safer, and instituting strict requirements for drivers education. Even so, accidents still occur in huge numbers, but we’re presumably better off than if nothing had been done.

On the information superhighway some work has been done on safety features. Computers have antivirus tools and firewalls available, though like seatbelts they are optional and not always used. ISPs are adding security features to the “highway” itself. But we have no equivalent to driver’s ed – any clown can buy a system and get on the highway without learning a thing about security. I’m not suggesting we legislate computer security classes, but I wonder – what if a major ISP like AOL raised their prices $5 overall, but offered a $10 discount to anyone who passed an online security quiz?

The other analogy I like is the biological analogy. It’s not a new one – many elements of computer security are named for their biological analogs. The security implications of this analogy suggest that computer security is not a problem to be solved, but a chronic condition. That spam, viruses and hoaxes are destined to become a permanent part of the Internet that might, like today’s bacteria, even have beneficial results (I know of people who have cleaned up a severely infected computer by just buying a new one – which is presumably good for the economy). The book “The Shockwave Rider” portrays an Internet that follows this model, with some surprising consequences (it’s a great book and I highly recommend it). Of course this analogy has its disturbing sides – everyone dies, after all.

I’m looking forward to seeing what my fellow panelists think about the future of security, and if there are other relevant analogies that might work. I’d be interested in hearing your view either here, or even better, if you’re at Gnomedex please introduce yourself and let me know what you think.