Hacking the Business Climate for Network Security

Bruce Schneier, Counterpane Internet Security

Computer (IEEE Computer Society), April 2004, p. 87, Security column

We need to change the economics of security, giving the businesses in the best position to fix the problem the motivation to do so.

Computer security is at a crossroads. It’s failing regularly and with increasingly serious results. CEOs are starting to notice. When they finally get fed up, they’ll demand improvements—either that or they’ll abandon the Internet, which seems unlikely.

And they’ll get the improvements they demand. Corporate America can be an enormously powerful motivator once it gets going.

This is why I believe computer security will eventually improve. I don’t think the improvements will come in the short term or without considerable resistance, but I do think that corporate boardrooms—not computer science laboratories—will fuel the engine of improvement.

As such, the solutions won’t have anything to do with technology. Real security improvement will only come through liability—holding software manufacturers accountable for the security and, more generally, the quality of their products.

This is an enormous change, and one the computer industry is not going to accept without a fight.

BUSINESS RISK MANAGEMENT

But I’m getting ahead of myself here. Let me explain why I think the concept of liability can solve the problem.

Computer security is not a problem that technology can solve. Security solutions have a technological component, but security is fundamentally a business problem. Companies approach security as they do any other business uncertainty—in terms of risk management. Organizations optimize their activities as a cost-risk ratio. Understanding these motivations is key to understanding the state of computer security today.

It makes no sense to spend more on security than the original cost of the problem, just as it makes no sense to pay liability damages when spending money on security is cheaper. Businesses look for financial sweet spots—adequate security at a reasonable cost, for example—and if a security solution doesn’t make business sense, a company won’t implement it.

This way of thinking about security explains some otherwise puzzling security realities. For example, historically, most organizations haven’t spent a lot of money on network security. Why? Because the development and implementation costs are significant: time, expense, reduced functionality, frustrated end users. On the other hand, the costs of ignoring security and getting hacked have been—in the larger scheme of things—relatively small. We in the computer security field like to think they’re enormous, but they haven’t really affected company bottom lines.

From the CEO’s perspective, the risks include the possibility of bad press, network downtime, and angry customers—none of which is permanent. There’s also some regulatory pressure from audits or lawsuits, which adds to costs, but on balance a smart organization does what everyone else does—and no more.

Things are changing—slowly, but they’re changing. The risks are increasing and, as a result, so is the spending.

PRODUCTION ECONOMICS

This same kind of economic reasoning explains why software vendors spend so little effort securing their products. We in computer security tend to think the vendors are all a bunch of fools, but they’re behaving completely rationally from their own point of view.

Adding good security to software products incurs essentially the same costs as increasing network security—large expenditures, reduced functionality, delayed product releases, annoyed users—while the costs of ignoring security are minor: occasional bad press and maybe some users switching to competitors’ products.

Microsoft doesn’t bear the financial losses to industry worldwide due to vulnerabilities in the Windows operating system, so Microsoft doesn’t have the financial incentive to fix them. If the CEO of a major software company told the board of directors that he would be cutting the company’s earnings per share by one-third because he was going to address security really seriously—no more pretending—the board would fire him. If I were on the board, I would fire him. Any smart software vendor will talk big about security but do as little as possible, because that’s what makes the most economic sense.

Think about why firewalls succeeded in the marketplace. It’s not because they’re effective. Most firewalls are configured so poorly that they barely work, and technology offers other more effective security solutions, such as e-mail encryption, that have never seen widespread deployment.

Firewalls are ubiquitous because corporate auditors started demanding them. This changed the cost equation for businesses. The cost of adding a firewall includes the purchase, installation, and maintenance expenses as well as user annoyance, but the cost of not having a firewall is failing an audit.

Even worse, a company without a firewall could be accused of not following industry best practices in a lawsuit. The result: Companies have firewalls all over their networks, whether they do any actual good or not.

A BUSINESS SOLUTION

As scientists, we are awash in security technologies. We know how to build more secure operating systems, access-control systems, and networks.

To be sure, there are still technological problems, and research continues. But in the real world, network security is a business problem. The only way to fix it is to concentrate on business motivations. We need to change the economic costs and benefits of security. We need to make the organizations in the best position to fix the problem want to fix it.

To do that, I have a three-step program. None of the steps has anything to do with technology; they all have to do with businesses, economics, and people.

Step 1: Enforce liabilities

This is essential. Vendors currently suffer no real consequences for producing software with poor security features. In economic terms, the costs of low-quality security are an externality—a decision’s cost that is borne by people other than those making the decision.

Even worse, the marketplace often rewards low-quality software. More precisely, it rewards new features and timely release dates, even if they come at the expense of quality.

If we expect software vendors to reduce the number of features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products. If we expect CEOs to spend significant resources on their companies’ network security, they must be liable for mishandling their customers’ data. Basically, we have to tweak the risk equation so the CEO cares about actually fixing the problem. Putting pressure on the balance sheet is the best way to do that.

This could happen in several different ways. Legislatures could impose liability on the computer industry by forcing software manufacturers to live with the same product liability laws that affect other industries. If software manufacturers produce a defective product, they should be liable for damages.

Even without this legislative imperative, courts could start imposing liability-like penalties on software manufacturers and users. In fact, this is starting to happen. A US judge forced the Department of the Interior to take its network offline because it couldn’t guarantee the safety of American Indian data entrusted to it. Several companies have been penalized for using customer data in violation of privacy promises or for collecting data through misrepresentation or fraud. Judges have issued restraining orders against companies with insecure networks that cybercriminals use as conduits for attacks.

Alternatively, the industry could get together and define its own liability standards.

Clearly this isn’t an all-or-nothing issue. A typical software attack involves many parties: the company that sold the software with the vulnerability in the first place; the person who wrote the attack tool; the attacker who used the tool to break into a network; and the network owner, who was entrusted with defending that network.

One hundred percent of the liability shouldn’t fall on the software vendor. Nor should 100 percent fall on the network owner, as it does today.

However it happens, rational liability changes everything. Currently, a software company has no economic reason to refrain from offering more features, more complexity, more versions. Liability forces software companies to think twice before changing something. Liability forces companies to protect the data entrusted to them.

Step 2: Allow parties to transfer liabilities

Once liability forces CEOs to care about security, they will turn to insurance companies for help. Insurance companies are in the business of liability transfer. From a CEO’s perspective, insurance turns variable-cost risks into fixed-cost expenses, and CEOs like fixed-cost expenses because they can budget them.

Insurance companies aren’t stupid. They’re going to move into cyberinsurance in a big way. And when they do, they’re going to drive the computer security industry—just as they drive the security industry in the brick-and-mortar world.

CEOs don’t buy security for company warehouses—strong locks, window bars, or an alarm system—because it makes them feel safe. They buy it because company insurance rates go down. The same thing will hold true for computer security. Once insurance companies are writing enough policies, they will start charging different premiums for different security levels.

Even without legislated liability, CEOs will start noticing how their insurance rates change. And once they start buying security products on the basis of insurance premiums, the insurance industry will wield enormous power in the marketplace, determining which security products are ubiquitous and which are ignored.

The insurance companies will pay for actual losses, so they have a great incentive to be rational about risk analysis and security product effectiveness. This is different from a bunch of auditors deciding that firewalls are important. Insurance companies will have a financial incentive to get it right. They will demand real results.

And software companies will respond, increasing their products’ security to make them competitive in this new “cost plus insurance cost” world.

Step 3: Provide mechanisms to reduce risk

Once insurance companies start demanding real product security, the computer industry will undergo a sea change. Insurance companies will reward companies that provide real security and punish companies that don’t. This reward system will be entirely market driven. Security will improve because the insurance industry will push for improvements, just as it has in fire, electrical, and automobile safety as well as in banking and other industry security mechanisms.

Moreover, insurance companies will want security implemented in standard models that help them build pricing policies. Insuring a network that changes every month or a product that is updated every few months will be much harder than insuring a product that never changes. The computer field naturally changes quickly, which makes it different to some extent from other insurance-driven industries. Insurance companies will nevertheless look to security processes that they can rely on.

Actually, this isn’t a three-step program. It’s a one-step program with two inevitable consequences. Enforce liability, and everything else will flow from it.

Much of Internet security is a commons—an area used by a community as a whole. In our society, we protect our commons—the environment, working conditions, food and drug production, accounting practices—through laws that punish those companies that exploit them unscrupulously. This kind of thinking is what gives us bridges that don’t collapse, clean air and water, and sanitary restaurants. Further, we don’t live in a “buyer beware” society; we hold companies liable when they take advantage of buyers.

There’s no reason to treat software any differently from other products. Today, Firestone can produce a tire with a single systemic flaw and they’re liable, but Microsoft can produce an operating system with systemic flaws discovered every week and not be liable. Today, if a home builder sells you a house with hidden flaws that make it easier for burglars to break in, you can sue the home builder; if a software company sells you a software system with the same problem, you’re stuck with the damages.

This makes no sense, and it’s the primary reason security is so bad today. I have a lot of faith in the marketplace and in human ingenuity. Give the companies in the best position to fix the problem a financial incentive to fix the problem, and fix it they will.

Bruce Schneier is CTO of Counterpane Internet Security, Inc., and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003). Contact him at [email protected].

Editor: William A. Arbaugh, Dept. of Computer Science, University of Maryland at College Park; [email protected]
