If you’re lucky enough to work for a security company you can sit back for the next few years secure in the knowledge that your livelihood is safe and the industry you work in is set for boom times.
It may not feel quite that cosy yet, but give things time to warm up. Security systems, and the knowledge of how they work, are in demand. Like health services and education, it’s a fair bet that nobody ever considers themselves to need less security than they did last year.
The current engine of all this commercial joy is, of course, the apparently grim state of security. A number of factors have combined to prime growth. Threat levels have increased as computer expertise – and the industrious criminals looking to use it with menace – now operate worldwide. Even without hackers and crackers to contend with, network engineers are having to battle security threats at a time when they are also servicing ropy software systems designed to meet the standards of half a generation ago.
It’s as if a city was to experience an explosion in the number of professional burglars at the same time as old-fashioned door and window locks suddenly stopped working.
But there’s one influence on the growth equation that tends to be discounted even though it could end up being the most important of all – government. How is this influence being felt and where might it lead?
Traditionally, when you put the words ‘government’ and ‘computer systems’ in the same sentence you’re likely to be heading for trouble. When they’re not being accused by civil libertarians of wanting to use surveillance technology to plot a sequel to Orwell’s Nineteen Eighty-Four, governments are probably upsetting tech-heads with nannyish policy wheezes that claim to be ‘protecting’ people from the dangers of technology abuse – less ‘Big Brother’ than ‘Big Mother’.
Mostly, the influence of government on the security business is more mundane. Governments buy a lot of security systems and, importantly, are often an influence if not on the technologies themselves then the methodologies that ensure they are used and specified in appropriate ways.
None of this is new. Remember the fuss Microsoft made about Windows NT being C2-certified (a US Department of Defense security standard)? And this is only one of a throng of military, US and international security methodologies that have exerted commercial pull on the industry.
More recently, computing has faced increased regulation, some of which has been initiated by or sponsored by governments – the slow and rather chaotic emergence of laws to tackle spam being one example (though many would see this as an example of how difficult national governments can find the going when they try to legislate against globally-based threats).
It’s stating the obvious to say that governments are an important influence (currently economically beneficial) on the security industry because they buy, help standardise, and regulate its products, but recent developments suggest things are starting to go beyond this.
Trial by ID
In the UK (to pick only one example), the recently announced trial by the Home Office of chip-based ID cards is intended to lead to a mandatory card to be carried by all citizens. As well as keeping tabs on a person’s address and national insurance number - helpful when controlling access to state services - the plan is to personalise the cards with embedded biometric data such as an iris scan or fingerprint. If you don’t have a card, you will either be breaking the law or you won’t exist - possibly both.
Leaving aside the issue of whether it is desirable for governments to hold databases of information on citizens in this integrated way, the ID card scheme marks an important moment for the world of security on a number of counts. It will commit the state to spending money over a long period of time, buying into still evolving technologies come what may. There will be plenty of business to be had for vendors with the right know-how.
On the other hand, by attempting to tie a person to an electronic identity the UK authorities are (whether they realise it or not) accepting the need to overhaul some of the fundamentals that underpin the whole idea of security in the early 21st Century. People will have to enter the system at some point and currently that means using either a birth certificate, a passport or, more informally, a driving licence. These are not really guarantees of identity at all, although it is often assumed they are. A birth certificate records the delivery of a child some days or weeks after the event, passports (even biometric passports) are still travel documents, while driving licences prove only that the holder has passed a driving test.
Transforming and integrating such diverse fragments of ‘identity’ into something more reliable will take decades, huge cost and even then will also require a tightening up on the weakest part of any technology – the likelihood of errors and corruption in the people administering the system. It will also render obsolete many of the security systems and concepts we use today, and this will affect everyone including vendors, corporate customers and employees.
Given that other governments around the world are looking at similar ideas (the Chinese government is reported to be looking to put genetic data on an ID card), identity-based security requirements are bound to filter into businesses. Right now, ‘blended’ access to computer systems (involving smartcards and PINs in conjunction with passwords) is becoming more common, and biometric systems are making inroads. But it’s all rather haphazard and certainly not mandatory. If the government wants biometric data on an ID card as proof of identity, why would a large corporation settle for less when letting you enter a building or log onto a network?
The computer security industry was born under the aegis of the IT boom, and has inherited a lot of its bad habits, such as high self-regard, mistrust of outsiders, US parochialism, and a tendency to over-rate its ability to solve problems in cost-effective ways. It is also still very fragmented, both technologically and as a business.
From now on it will have to change more rapidly than perhaps it realises and focus not simply on making money but on coming to grips with the centrality of security concepts to the future of IT. If it doesn’t grow up quickly enough it will learn the hard way that its biggest and potentially most profitable customer will turn out to be one Big Mother.