Devil's Advocate: Security software - can we get it right?

A new group hopes to get us started

Big companies are grumbling that they are not getting the security software they want. Earlier this year, the Jericho Forum was created to advance users' needs. It meets next week, to figure out the future for security standards and products.

It is a bold move and I wish it success. But it will need stronger support from its members than has been achieved by past initiatives. After all, it cuts across the whole culture of modern business. Ever since JK Galbraith published The Affluent Society, we have known that business tends to create products, then tries to persuade us that we need them.

That is exactly the complaint of the Jericho group. David Lacey, the chairman of the group, is concerned that security vendors are offering what they can build rather than what the users need. The aim for users is to achieve secure transfer of data between businesses, unhindered by boundary restrictions.

Now this raises questions along the lines of those discussed in last week's column. Who understands exactly what is needed? The problems are not simple. You can build a secure network that only admits organisations that can pass stringent criteria. The NHS did exactly that, and it worked well as long as the membership could be very tightly controlled.

But over time, it became apparent that some users within the NHS needed to have transactions with outsiders, such as social services departments in local authorities. Certifying even very large authorities presented practical and financial difficulties. Gradually the idea that only approved organisations could connect was supplanted by authentication of individual users.

Security problems are like that. They are very much inclined to spread out until they pose very general problems. In theory, the whole public key infrastructure is the foundation for universal authentication. Yet despite early expectations that a network of secure keys would proliferate throughout society, actual progress has petered out.

This illustrates a key issue for any initiative such as the Jericho Forum. Significant resources are needed to create a group that has any hope of truly understanding the problems to be solved. Although this involves large amounts of money, more importantly it requires high levels of skill. Not only does it need a high standard of technical ability, it also requires political and diplomatic skills.

Successful standards processes have to steer a course between the competing interests of the various parties. They have to be pragmatic and flexible, without losing the clarity that makes a standard useful. Speed of adaptation is essential to avoid becoming simply irrelevant. TCP/IP achieved this but the OSI communications protocols largely did not.

So, although a tough question for the Jericho Group is whether it can mobilise enough cash to create a vital process, finding the right people will also be a challenge. After all, the trend has been to regard IT as peripheral and to think that its problems can be simply passed to some outside organisation. But the outsourcing companies have an interest in looking at technology as a means to sell more services as much as to solve problems.

Standards groups have always had a tendency to be dominated by vendors, because they are willing to provide the needed resources. Naturally, there is a price to be paid for this and part of the price is the political manoeuvring of the rival vendors who seek to push the standards in favourable directions.

The most promising source of technical and sometimes political skills is obviously the open-source movement. It has demonstrated its ability to build powerful and flexible software in highly efficient ways. Open source is, though, under siege over issues such as software patents and the potential domination of large vendors. Its greatest achievements have been in relatively well-defined areas.

I hope that the Jericho Forum is more than just good intentions. To succeed, it will have to persuade its members to come up with substantial amounts of cash and create viable standards groups. It will also have to bring about a shift in the whole culture of technology development. Can it overcome the many hurdles standing in its way?