Why the security industry never actually makes us secure

SAN FRANCISCO--Every year, security vendors gather at the RSA conference here to reaffirm their commitment to fencing out hackers and keeping data safe. And every year, corporate and government Web sites continue to fall victim to basic attacks. Heck, ubersecurity firm RSA itself was compromised not that long ago, as was digital certificate heavyweight VeriSign, even if it didn't admit it for two years.

In other words, very little changes from year to year beyond the buzzwords du jour bruited about by security vendors. "It's Groundhog Day," says Josh Corman, director of security intelligence at Akamai.

Art Coviello, executive chairman of RSA, at least had the presence of mind to be humble, acknowledging in his keynote that current "security models" are inadequate. Yet he couldn't help but lapse into rah-rah boosterism by the end of his speech. "Never have so many companies been under attack, including RSA," he said. "Together we can learn from these experiences and emerge from this hell, smarter and stronger than we were before."

Really? History would suggest otherwise. Instead of finally locking down our data and fencing out the shadowy forces who want to steal our identities, the security industry is almost certain to present us with more warnings of newer and scarier threats and bigger, more dangerous break-ins and data compromises and new products that are quickly outdated. Lather, rinse, repeat.

"The cybersecurity cycle will go on for the rest of our lives," predicts Rod Beckstrom, president and CEO of ICANN and former director of the U.S. National Cybersecurity Center. "The industry takes a long time to evolve."

Of course, while it's evolving, the rest of us are still coming to grips with existing vulnerabilities--to say nothing of trying to figure out which future problems are going to pose us the biggest headaches. This is a world, after all, with keyloggers that record bank account information. With "advanced persistent threats," or APTs, that conduct long-term industrial espionage. With government secrets left on unencrypted laptops and malware like Stuxnet apparently designed to sabotage national nuclear-arms programs.

The industry's sluggishness is enough to breed pervasive cynicism in some quarters. Critics like Corman are quick to note that if security vendors really could do what they promise, they'd simply put themselves out of business. "The security industry is not about securing you; it's about making money," Corman says. "Minimum investment to get maximum revenue."

Even if you're not quite as jaded as Corman, there are still two big--maybe insuperable--obstacles lying between us and security Nirvana. First, there's the seemingly endless arms race between hackers and defenders, one that shows no sign of slowing anytime soon.

Second, there's the fact that attackers are--at least for now--much more motivated to get in than companies are to keep them out.

Put together, it's enough to make almost anyone despair. One executive at a top security firm who asked not to be identified admitted that technology innovation is lagging behind the criminal hackers, whose motivation is greater than the level of risk corporations feel they face.

"Never before have so many spent so much and accomplished so little," he said.

Part of the problem is the increasing pervasiveness of networked computers, software, and social networks. There are more targets for attackers to hit. Twenty years ago we didn't have mobile phones and Facebook and Internet-connected power-grid controllers. Digital thieves are sneaking in new side doors before companies even realize they're unlocked.

And the attackers are fast learners, able to devise new methods for getting into computer systems even when strong defenses are in place. When antivirus software blocked malware, lurking villains came up with cunning social engineering tricks to lure you to the malware.

Making matters worse is the fact that the white hats are riding lame stallions and firing rusty revolvers. Models like antivirus signature updating--which protects only against known threats--are fundamentally broken, yet many companies still rely on them. The promises of Public Key Infrastructure have not materialized. Some hope that analysis of Big Data--the tons of log and network information housed within corporate systems--can identify points of weakness and block hackers. We'll see.

"We're fighting the problems, but they're not solvable," said David Perry, president of G Data Software North America. "Everyone has expected the magic bullet forever, but there is none."

Companies and consumers still want an easy fix, though--and that often plays right into the hands of hackers. When you see headlines about identity fraud and data breaches, it's much easier to buy a new antimalware package than to really analyze the problem and switch gears. "There's a mentality that we can solve the problem with another product," said Mary Landesman, senior security researcher at Cisco. If only it were true.

Getting companies to devote time and money to adequately address their security issues is particularly difficult because they often don't think there's a problem until they've been compromised. And for some, too much knowledge can be a bad thing. "Part of the problem might be plausible deniability, that if the company finds something, there will be an SEC filing requirement," Landesman said.

Of course, it would help if software in general was less buggy. Some security experts are pushing for a more proactive approach to security much like preventative medicine can help keep you healthy. The more secure the software code, the fewer bugs and the less chance of attackers getting in.

"Most of RSA, especially on the trade show floor, is reactive security and the idea behind that is protect broken stuff from the bad people," said Gary McGraw, chief technology officer at Cigital. "But that hasn't been working very well. It's like a hamster wheel."

This concept helped Microsoft improve its battered image 10 years ago after being hammered by viruses that infected tons of computers by exploiting holes in Windows. Microsoft launched its Software Development Lifecycle program to focus on building software with security in mind and it has been a success, making its products some of the most secure in the industry.

That sort of solution, though, isn't particularly scalable, especially not with coders churning out apps and applications to meet the demand for new apps on new devices. "We know how to build software with fewer bugs per square inch and we are getting much better at that," McGraw said. "The problem is we're building more square miles of code than ever before."

There is no easy answer, because there are so many aspects to security, said Bruce Schneier, chief security technology officer at BT.

"The fundamental problems are about using technology, implementation, user interface, installations, updates, all of those ancillary things," he said. "And there are economic barriers that people who deploy the technology don't have financial motivations to do so.... The person in charge of the problem doesn't have the ability to fix it and the person with the ability to fix it isn't in charge."

And no one wants to pay money to provide security for anyone else. Like pollution, security incidents are something everyone potentially contributes to and suffers as a result of. "This might be a fundamental mismatch that the market cannot resolve," without government intervention, Schneier said.