The Future of Computer Security: A Question of Analogies

Friday I expect to be on a panel at Gnomedex called “The Future of Security.” In preparation, I’ve been putting some thought not so much into the future of security, but into how we even go about figuring out that future.
Let’s start with some basic facts – the axioms of security if you will:

  • There will always be “bad guys” who try to break into systems, write viruses, steal, etc. They’ve existed throughout history, and there’s no reason to expect them to vanish from cyberspace.
  • Technology alone will never provide perfect security. Every walled city ultimately fell. However, technology may, for a while, provide “good enough” security.

The challenge with predicting Internet security is that the Internet is a new phenomenon. We don’t really know where it’s going or what it will be like in 20 years. Even though we are in some ways better off than those who pioneered the Internet, because we’re at least paying some attention to security, that is offset by a huge increase in complexity (and complexity is the enemy of security).

In predicting the future, we try reaching for analogies from the past. But in doing so it’s sometimes tough to choose the right analogy. For example: those who expected “nation building” in Iraq to be analogous to post-WWII Europe seem to have been woefully mistaken.

There are two analogies that I currently find useful in thinking about Internet security. One is inspired by the information superhighway, a term that has lost some of its popularity but remains useful. In this analogy, the original ARPANET was the equivalent of dirt roads. Visitors rode primitive Model-T vehicles, at relatively low speeds. There were few accidents, no seat belts and no driver’s ed.

As the highway system grew into its modern form, accidents became more common. Society dealt with this in two ways – using technology to make both cars and highways safer, and instituting strict requirements for driver’s education. Even so, accidents still occur in huge numbers, but we’re presumably better off than if nothing had been done.

On the information superhighway some work has been done on safety features. Computers have antivirus tools and firewalls available, though like seatbelts they are optional and not always used. ISPs are adding security features to the “highway” itself. But we have no equivalent to driver’s ed – any clown can buy a system and get on the highway without learning a thing about security. I’m not suggesting we legislate computer security classes, but I wonder – what if a major ISP like AOL raised their prices $5 overall, but offered a $10 discount to anyone who passed an online security quiz?

The other analogy I like is the biological analogy. It’s not a new one – many elements of computer security are named for their biological analogs. The security implications of this analogy suggest that computer security is not a problem to be solved, but a chronic condition: that spam, viruses and hoaxes are destined to become a permanent part of the Internet that might, like today’s bacteria, even have beneficial results (I know of people who have cleaned up a severely infected computer by just buying a new one – which is presumably good for the economy). The book “The Shockwave Rider” portrays an Internet that follows this model, with some surprising consequences (it’s a great book and I highly recommend it). Of course this analogy has its disturbing sides – everyone dies, after all.

I’m looking forward to seeing what my fellow panelists think about the future of security, and if there are other relevant analogies that might work. I’d be interested in hearing your view either here, or even better, if you’re at Gnomedex please introduce yourself and let me know what you think.

4 Responses to “The Future of Computer Security: A Question of Analogies”

  1. Lonnie Rolland Says:

    Increased or improved security could be part of education. But that won’t fly because people innately like to be stupid and lazy.

    Security improvement could be part of the operating system. That tactic could probably work a lot better if John Q. Public trusted the operating system seller. And then there’s also the money. Why should I pay in order to have an improved security product? If the security is flawed, should not the operating system seller fix it for free?

    I believe the best tactic is with the standards and protocols. I’m sure there’s a way where the person can still keep his anonymity and at the same time share with the world his trustworthiness.

  2. Mike Gale Says:

    I’m sure the Internet won’t follow a pattern directly analogous to the physical world but as you say it has pointers. Off the top of my head without analysis here are some thoughts:

    Arms race (will someone develop stealthed, autonomous, global hawk weapons, the cyber soldier of the future)
    Cops and Robbers (forensics continually improving, DNA analysis, cat burglars, ram raiders, great train robbery)
    Terrorism (Kamikaze, infrastructure destruction, blow up the oil pipes, car bombs, 9/11)
    Shops on the street (plate glass, security guards, cameras, night safes, shutters, little cash on premises)
    Home security (live there (cocooning), neighbours keep an eye open…)
    Earthquake, fire, riot and acts of God….
    Vandalism (graffiti, break it for fun…)
    Tomb robbers (we may never know the wealth of the “important pharaohs” ’cause of this, is archaeology just scientific tomb robbing…)

  3. Jeremy Brayton Says:

    “what if a major ISP like AOL raised their prices $5 overall, but offered a $10 discount to anyone who passed an online security quiz?”

    Simple: People would move to another ISP. AOL already holds a lot of people’s hands now but introduce a price hike and a quiz most people can’t or won’t try to pass and they’ll simply switch. It would take every ISP doing this for it to work, though the idea is a very solid one. It’s just highly unlikely everyone across the board would adopt something like that.

    I agree that it’s something that will be addressed in the coming years if it’s not already. Security is a major problem whether people will address it or not. It’s why most of us lock our doors now, which is something no one in America did 50-60 years ago. We’ve secured our homes, now we have to start locking the “doors” on the computer. You are right in your analogy though and it’s the best way to look at it. The physical world is what drives us and what we use to innovate and how we solve problems. We use existing examples in nature as a guide and they work remarkably well.

  4. damian Says:

    then someone would be selling the answers for $2
