November 19, 2002, 9:42 AM — LAS VEGAS - Companies and home Internet users need to accept that the global computer network is inherently vulnerable to attacks, worms, trojans and anything else miscreants want to unleash on it, and then accept that securing the system is everyone's responsibility, a panel of security experts said here Monday at the Comdex trade show.
Security can't be accomplished through applying patches to vulnerable software, panelists agreed, though they differed on how best to make the Internet more secure and disagreed sharply in some areas, with Bruce Schneier, founder and chief technology officer of Counterpane Internet Security Inc., serving as the naysayer -- a role he seemed to relish.
"As a scientist, I can tell you that we have no clue how to write secure code," Schneier said, prompting agreement from John Weinschenk, vice president of the Enterprise Services Group at VeriSign Inc., who said the best that can be done is to protect corporate computer systems and Web sites so that if there is an attack they aren't taken out for a long, costly period.
"I think every software vendor here can do a better job of providing more secure software," Gene Hodges, president of Network Associates Inc., chimed in. As the discussion went on, though, it was that idea that led Schneier into one of his favorite topics -- liability.
The panelists were led by moderator Andrew Briney, editor-in-chief of Information Security Magazine, into chatting broadly about their views on whether there should be more government regulation related to securing cyberspace, and as the other panelists talked, Schneier went from grinning to smirking to shaking his head. Briney commented that Schneier seemed to be disagreeing and asked him which comments he found fault with, to which Schneier replied: "Which part should I respond to -- I don't even know."
Then things got lively.
"The reason the software you buy isn't secure is that companies don't care," Schneier said. Software vendors care about profits, and without a sufficient push from concerned users willing to pay more for security features, companies just are not going to slow the production cycle to add those features. Security is not a priority.
Microsoft Corp., with its ballyhooed Trustworthy Computing initiative, drew particular invective. "Microsoft is producing software that is completely insecure," Schneier said, prompting scattered applause from the audience. "The reason is there is no liability for producing a shoddy product." If car makers produced vehicles that did not operate properly, they would be held liable and sued, but the same doesn't happen with software makers, Schneier said.