Computer Security Is No Sure Thing
By Richard Thieme
Two-thirds of the way through the process of writing his new book on computer security, cryptographer, mathematician and computer security guru Bruce Schneier made a horrifying discovery. He was writing the book to offer hope to his readers but he had no hope to offer.

His vision of the practice of computer security, based mostly on beautiful models rooted in complex yet elegant mathematical algorithms, was breaking up on the rocky shores of reality.

The realization affected him deeply, and he began missing deadlines, which was unusual for the disciplined author of the well-respected Applied Cryptography, E-Mail Security and Protect Your Macintosh.

Schneier's realization shifted the way he saw the world of information security. And it came with a lesson for other businesses. When a theoretical model filters out more reality than it filters in, it is useless.
Schneier launched his company, Counterpane Systems, in 1990 with two focuses: design and analysis. On the design side, businesses would approach Counterpane with a list of information that needed to be protected and a list of known security threats. Counterpane would then design a secure system to protect the information.

On the analysis side, businesses would hire Counterpane to poke holes in existing security systems, probing for unexpected weaknesses. The company earned a strong reputation for this.

The problem was that even Counterpane's best work was subject to weaknesses that in theory could have been avoided. Overflow errors--a common coding problem that makes computers send too much information at once--would let outsiders hijack a client's network.

Or the clients themselves would choose weak passwords that could be broken by any number of software tools widely available on the Internet. Or conflicts in source code would make it impossible to install repairs to the system properly.
As he tried to develop a business model for a new computer security firm, Schneier concluded that nobody really wanted to buy security, at least not as he understood it: something he calls "the military model," which relies on secure pipelines for internal communications, avoiding outside threats.

But Schneier realized that security isn't always about avoiding threats; sometimes it's about managing them. For example, when Visa decided to insure poor-credit risks, the military model would have eliminated them from the pool altogether. But another model, "the insurance model," focuses on risk management instead, and that's the model that made money for credit-card companies like Visa.

So Counterpane shifted to the insurance model. The new company, Counterpane Internet Security, sells risk management, turning computer security from an expense into a profit center. The practical solution offered by Counterpane is not secure communications but detection and response in real time.

In his newest book, Secrets and Lies: Digital Security in a Networked World, Schneier emphasizes the limitations of technology and offers managed security monitoring as the solution of the future.
Managed security monitoring means real-time monitoring and a timely response to security threats. There are probably hundreds of companies in the U.S. that offer real-time network security monitoring services, but Counterpane is the only security firm that also monitors system logs and back-office systems daily, searching for new security threats and documented attacks, says Steve Hunt of Giga Information Group in Cambridge, Mass.

"The minds of cops and criminals are similar," says Schneier. "You can't teach that mentality. If you're not the kind of person who can't walk through a store without figuring out how to steal something, how to break the system, you'll never figure out how to make it better. You don't have to actually break into systems, but you do have to think that way."

After Schneier graduated from the University of Rochester with a degree in physics, he worked in cryptography for a government agency he refuses to name but that sounds as if it could be the National Security Agency, the government's supersecret code-breaking unit, which employs more mathematicians than any organization in the country.

It was at this government agency that he fostered his understanding of the military model. But he eventually concluded that working in a government think tank violated his commitment to the open source movement.
The open source movement, exemplified by the Linux operating system, argues that software code is strengthened when everyone has a chance to examine it, identify flaws, and work cooperatively toward a common solution. According to this philosophy, proprietary code will always be the least secure and the most vulnerable to hackers.

Not surprisingly, most firms don't react well to this. When hackers exposed vulnerabilities in the proprietary code of the digital cellular industry, the industry responded with insults but couldn't hide the fact that their encryption algorithms had been permanently compromised. When the Motion Picture Association of America sued people posting DVD security codes on their Web sites, the user community simply began looking for other ways to break the code.

The timing of Schneier's wake-up call is no accident. Only a few years ago, computer networks weren't part of most people's everyday life. But Intel (nasdaq: INTC) Chairman Andy Grove's prediction that all commerce would become e-commerce has come true. The network has changed our thinking and behavior so much that we now take networked life for granted, and the lessons of real life apply to networked life.

Schneier has not thrown out cryptography altogether but sees it now as one part of a bigger system. He crusades against those who sell "security snake oil," which he says may be found throughout the security business.
Counterpane partners with other businesses to sell security products and services. A recent partnership with Lloyds of London insures businesses against loss of revenue and information assets caused by security breaches. Counterpane Internet Security was officially born in July 1999, and its first products came to market this April. The firm now has about 20 customers and is staffing up its management team.

The company recently received an infusion of $27 million in venture capital from Goldman Sachs and Morgan Stanley, a strong vote of confidence. As is true with many other security companies, its primary challenge lies not in achieving technical excellence but in learning how to provide services to clients. If Bruce Schneier's ability to learn how to learn is an indicator of what Counterpane Internet Security can do, the company will fulfill its promise.
Originally published by Forbes Digital (forbes.com) on July 31, 2000. Copyright (c) 2000 Forbes.com. All rights reserved.