I met Christopher Allen about a decade ago, when he ran Consensus Development, a company that made a commercial SSL toolkit. (Prior to that, he was involved in the startup of VeriSign, and in the development of the SSL reference implementation for Netscape.) I hadn't heard from him in a long time, and his recent essay, Security and Cryptography: The Bad Business of Fear, explains why. When he sold his company to Certicom in 1999, he signed a 3-year non-compete agreement. When it expired, he re-entered the security industry, expecting to find it much changed:
Internet time had still been moving fast back in 1999 and I wasn't sure how many generations had gone by in the security industry. One, two, more?
Actually, none, as it turns out.
Walking the floors of RSA last year, in the immense exhibit hall at the San Jose Convention Center, I did feel a sense of energy. The floor was still packed, and the carefully cut kiosks and the garish banners bespoke the millions put into the show by the exhibitors. The constant chatter was a deafening white noise, and whenever I veered too near a booth, there was a salesman very eager to tell me about his company's latest and greatest.
But, to a certain extent, that energy felt to me like a facade. There was nothing new; instead all the exhibitors were showing off the same technology that they were displaying five years ago. There was a bit of glitz and some extra chrome, perhaps a carefully redesigned product name, but beyond that there was a weird feeling of déjà vu.
There were the same old tools that we've been using to deter hackers since the advent of the Morris Worm way back in 1989: products to detect intruders and safeguard your machines against them; firewalls; and VPNs. Maybe we've gotten a little better at figuring out expert rules, maybe we've improved our user interfaces, but these are slow, gradual upgrades, not quantum leaps.
To put it another way, we have been optimizing existing algorithms, not inventing new ones. The rest of this remarkable essay suggests what some of those new approaches might be. He considers the idea of insurance as a form of business risk management, something that Bruce Schneier has also been discussing lately. He notes that data security is not the same thing as data reliability: the latter is what we really want. And he suggests, finally, that alongside these approaches driven by fear, we need to develop new methods motivated by opportunity.
The possibilities are only limited by our imagination, if we can just think beyond current possibilities.
We have already seen the first wave of security technology; now we need to initiate a second, for I believe with the next wave the best is yet to come.
Well said. And welcome back, Chris!
Former URL: http://weblog.infoworld.com/udell/2004/02/25.html#a927