The challenges and problems of computer and network security won't be adequately addressed until companies can be held liable for their software and the use of their computer systems and until insurance companies begin to offer computer intrusion insurance, said Bruce Schneier, founder and chief technical officer of Counterpane Internet Security, Wednesday here at the RSA Conference 2002.
Insurance companies and liability laws need to come into play because the real problems of computer security are not technical problems, he said.
"Technology is not going to solve this," Schneier said. "Fundamentally, security is a business problem. It's a people problem."
Within companies, especially software companies, security is looked at as a trade-off, he said. More secure products cost more to produce and have fewer features, which angers customers, while the other option is less secure software that could result in bad press, angry customers or regulatory pressure. Faced with that choice, many companies will offer less-secure products because the risk is smaller, Schneier said.
However, when audits, costs and liability are injected into the equation, the business analysis changes, he said. Firewalls became standard parts of companies' security arsenals because without them companies could fail security audits, he said. Security is only driven by its ability to affect the bottom line, he said.
"The CEO (chief executive officer) is only going to do what everyone else does because that's the business analysis," Schneier said.
Security would affect the bottom line if developers were held liable for flaws in their software, he said.
"Software should not be exempt from normal product liability," he said. "If no one is accountable for a problem, no one will do anything about it."
When developers are liable for their products, they will want to transfer that liability to insurance companies to be able to predict costs and protect their bottom line, he said. This is the thinking that drives "real world" companies to insurance, he added.
"I think insurance is a big part of (improving) computer security," he said. "In the real world, insurance drives security."
Computer security will be aided by the presence of insurance companies in the market because insurance companies will look for a way to standardize models for determining the level of risk a potential customer poses, Schneier said. As they seek this model, they will make determinations about which products are more secure, which may, in turn, lead companies to use those more secure products in order to save money, he said.
"(Insurance companies) are going to want better products and services," he said.
Beyond insurance, companies will also be looking for ways to reduce their computer security risks, Schneier said. Because most companies won't be able to afford their own security staffs to monitor their networks full time, the best option for reducing risk is outsourced security monitoring, he said.
"Outsourcing is the only way to make security scale," Schneier said, adding that security services such as what fire and police departments provide are essentially outsourced services. Computer security services that are good candidates for outsourcing include monitoring, vulnerability testing and implementation and installation, he said. Schneier's company, Counterpane, provides outsourced security monitoring services.
"Everything we want to do on the Internet we need to do securely," he said. "The limits of security end up being the limits of the Internet."
"The risks will always be with us," Schneier said. "The best thing we can do is manage the risk -- just like in the real world."
The RSA Conference 2002 runs through Friday in San Jose, California.