Companies are losing the battle to secure their IT systems from attacks by hackers and other threats, influential security expert Bruce Schneier has warned.
"I don't think, on the whole, we are winning the security war; I think we are losing it," said the founder and chief technology officer of Counterpane Internet Security in a speech, at the Hack In The Box Security Conference (HITB) in Malaysia.
As systems get more complex, they get less secure, according to Schneier. Even as security technology improves, the complexity of modern IT systems has increased at a faster rate.
"The Internet is the most complex machine ever built," Schneier said. "This explains why security is getting worse."
In addition, the nature of the threat that companies face has changed in important ways. Where hacking was once considered a profession for hobbyists, a growing number of hackers are now criminals with a profit motive.
"The nature of the attacks are changing because the adversaries are changing," Schneier warned. "They have different motivations, different skill sets and different risk aversions."
Hobbyists now represent the minority of hackers, according to Schneier. This change means hackers pose an even greater threat to companies. "The hobbyist is more interested in street cred, the criminal wants results," he said.
To turn the battle in its favour, the security industry must look beyond purely technical measures, according to Schneier. "Look for the economic levers," he said. "If you get the economic levers right, the technology will work. If you get the economics wrong, the technology will never work."
Externalities, an economic term used to describe the effects of one person's actions on another, are central to building effective security, Schneier said.
For example, U.S banks do not spend heavily to defend against identity theft because they are not affected when such theft occurs. To the banks, this is an externality. However, when banks bear liability for a security breach, such as an unauthorised ATM withdrawal, they make the investments necessary to prevent these incidents from taking place, he said.
The same economic lessons can be applied to software vendors. To improve the security of software, Microsoft and others should be made liable for selling software that is not secure. "When you use buggy software and you lose data, that's your loss and not the software company's loss," Schneier said.
That needs to change, according to Schneier. "The organisation that has the capability to mitigate the risk needs to be responsible for the risk," he said.