Security industry is forced to deal with the same old issues

At the annual RSA conference, there was a consensus that developments are moving at a glacial rate, writes Karlin Lillington, in San Francisco

Despite years of confident predictions in the security and technology sector, that famous quote about the vagaries of the movie industry seems to apply: nobody knows anything.

At the annual RSA Data Security Conference here last week - the world's largest gathering of security industry professionals - the consensus among many of the leading international figures in the industry was that, in the words of cryptographer Professor Adi Shamir of the Weizmann Institute of Science, Israel: "Things have moved at glacial rates."

Prof Shamir reflected the views of fellow panelists on the conference's popular "Cryptographer's Roundtable" session.

Many expected 1997 to be "the year of hash functions" - encoding, or "hashing", information into strings of unreadable gibberish - he said, "but since then, very little has happened."

In a talk later the same day, Mr Bruce Schneier, CEO of security firm Counterpane and one of the most respected figures in the industry, was similarly wry.

"It used to be the year of PKI until they gave up on it," he said.

PKI, or public key infrastructure, is a system whereby encoded data can be sent between two parties whose identity can be verified through a trusted third party.

PKI was the focus of many security companies, including Irish firm Baltimore Technologies, in the late 90s.

Mr Schneier asked a standing room only audience: "Why is it always the same? Why do we not seem to be getting anywhere? We're still fighting buffer overflows, we're still fighting viruses."

On the cryptographer's panel, Mr Ron Rivest, Viterbi Professor of Computer Science, MIT, and the "R" in RSA, noted that computer science problems for the security industry are as serious as ever: "I regret to say that we're not any closer than we were in 1993."

Panelist Mr Paul Kocher, president and chief scientist, Cryptography Research, was more cynical: "We're backsliding at a ferocious pace."

So what is a security expert - much less a consumer trying to block viruses or a business trying to secure a company network - to do?

The problem, as many speakers over the five-day event noted, is that as soon as one problem is tackled, another springs up and, as computer systems and networks grow more complex, securing them becomes a far more difficult task.

Thus Mr Schneier advocated a security approach that keeps in mind the complexity of systems and their possible weaknesses rather than their strengths.

"Figuring out how a system fails is more important than figuring out how it works," he said.

Security itself adds layers of complexity to any system, he noted. "Security is not a feature - it makes everything harder."

Systems also tend to be protected in isolated bits rather than as a whole - partly because security has been seen as a host of individual problems, needing an antivirus programme here or a corporate firewall there.

However, speakers from Microsoft founder Mr Bill Gates - who announced his company would release an anti-virus product this year - to rival Mr John Thompson, CEO of anti-virus and internet security company Symantec, noted that this was no longer enough: "It's time to do more than raise red flags and block risk."

Network giant Cisco, which made an unprecedented 10 product and service announcements at RSA, has moved to provide more comprehensive security coverage, said senior vice president of Cisco's Security and Technology Group, Ms Jayshree Ullal.

"The number of threats is huge and the types of attacks are malicious," she said. "We are building tiers of defence to deal with tiers of attacks."

Cisco can no longer offer products and services without also considering inbuilt security, she said. "You have to be a security vendor if you're a network vendor."

Privacy issues are a key element of the overall security picture too. Security breaches can give attackers access to personal data, including credit card and bank account details, addresses and phone numbers, that is useful to practitioners of identity theft.

Sometimes, information is vulnerable due to weak systems, but compromises can also take place if unnecessary information is kept on systems rather than being destroyed. Overall, protecting privacy and obliterating unneeded or sensitive data is often not well thought out in data storage systems, said Mr Kocher on the cryptographer's panel: "Systems are set up to allow companies to collect, add and analyse data, but not to destroy it."

Collecting information for the sake of collecting it is also not a productive method of increasing security, said Mr Schneier, who suggested that the US government would be better off employing an additional 10,000 FBI agents to search for suspected terrorists than to force every American to carry an identification card.

National security came under fire at the conference from some of the people once central to US security policy planning.

Former White House security adviser Mr Richard Clarke - who released a book last year that claimed the Bush administration was weak on national security before the attacks of September 11, 2001 - stated that the technology industry and the US government deserved failing grades for internet security.

He called for regulation of some industries, such as internet service providers, to force them to offer businesses and consumers effective protection. But other panel members said the regulation would stifle innovation in the security sector.

Meanwhile, hackers tried all week to breach the wireless network provided to conference attendees, with several dozen incidents reported.

The conference always attracts a number of attempts to breach its security - and attackers found a tempting target in the record 13,000 security-focused conference-goers.

As Mr Schneier said, security isn't a technology problem, but "a people problem".

Karlin Lillington, a contributor to The Irish Times, writes about technology