Security expert/pundit/provocateur Bruce Schneier, always entertaining, had one of those "He's right but so what?" columns on Wired.com last week.
The headline - "Do We Really Need a Security Industry?" - is the giveaway in that you'd expect Schneier's answer to the question to be no, just as you might expect the TV news tease "Big storm headed our way?" to mean that there's a big storm headed our way. We know better in the latter case, and you'll see the same in Schneier's essay. (Of course, the headline may be the work of a Wired editor.) Schneier writes:
"The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
See what I mean so far? He's right. Unassailably right, in fact. Go ahead and try to pick a fight with any sentence in that paragraph... And he's on a roll.
"Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn't help improve their security. Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity - companies who will lose money if the Internet becomes more secure."
That first sentence is constructed quite cleverly: Naturally, the best antivirus product on the market cannot "improve" the security of even the most porous IT product; the best you can expect is for the security product to "compensate" for the vulnerabilities. Just as the best home security system cannot increase the thickness of a door or the strength of a deadbolt. And as for the prospect of security companies losing money should the Internet become more secure, well, investors wager on the prospects of this happening every day - and they do not seem inclined to flock away from security companies.
Now Schneier begins to touch upon his real point:
"Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later. Their profits would rise in step with the overall level of security on the Internet. Initially we'd still be spending a comparable amount of money per year on security - on secure development practices, on embedded security and so on - but some of that money would be going into improving the quality of the IT products we're buying, and would reduce the amount we spend on security in future years."
The whereabouts of that initial "incentive to invest in security upfront" is something of a mystery - were it there today in sufficient quantities we wouldn't be having this discussion - but once located and widely acknowledged it's difficult to argue that the other pieces wouldn't fall into place. Today, however, the more prominent incentive for vendors is that so many customers appear perfectly comfortable buying today's level of security, so why should vendors invest the time, effort and money to provide more?
Next he hits the eject button.
"I know this is a utopian vision that I probably won't see in my lifetime, but the IT services market is pushing us in this direction. As IT becomes more of a utility, users are going to buy a whole lot more services than products. And by nature, services are more about results than technologies. Service customers - whether home users or multinational corporations - care less and less about the specifics of security technologies, and increasingly expect their IT to be integrally secure."
In the meantime - the very long meantime - IT hardware and software vendors will continue to swear their fidelity to security and fail to deliver the goods. The security industry will go on pumping out products that network professionals will continue to buy and deploy because their failure to do so will lead to their unemployment, among other nasty consequences. Market forces may eventually bring us Schneier's "utopian vision" of a standard IT infrastructure built upon ubiquitous and inherently secure services, but I'm turning 50 this year and like Schneier do not expect to see this happen in my lifetime.
He spends the balance of the column touting security services, which his company provides (not that there's anything wrong with it), and piling up caveats to counter this type of critique of the headline and top half of the piece.
So, do we really need a security industry?
Heck, yes... But we wouldn't if pigs could fly.