A couple of outlets are reporting that Apple has hired David Rice to be their new head of global security, starting in March.
Rice graduated from the U.S. Naval Academy in 1994 and earned a Master's in Information Warfare and Systems Engineering from the Naval Postgraduate School. He worked as a Special Duty Cryptologic Officer in the Navy and as a Global Network Vulnerability Analyst for the National Security Agency (NSA). He has also been an instructor for the SANS Institute. His most recent role is that of director with the cyber security consultancy The Monterey Group.
Rice is perhaps best known in security circles for authoring the 2007 tome Geekonomics. The book presents software vulnerabilities as the same kind of threat to U.S. infrastructure as threats to physical infrastructure, like a bridge (thus the cover of the book). You can get a feel for his work on the Geekonomics – The Real Cost of Insecure Software blog.
The primary theme of the book is well traveled in the information security space; Bruce Schneier has for years tackled the same idea: that software companies are being let off the hook for imposing a hidden cost on the marketplace by passing along software defects. The primary reasons are some combination of carelessness and an unwillingness to take the measures needed to reduce the number of security defects introduced in new code, driven by a lack of any real incentive for software companies to implement such measures.
A user of software is, for the most part, limited to the actual cost of the software itself in what they can seek as remuneration when that software fails, even though serious security defects can lead to costs far in excess of the price of the software. This handling in the legal liability space has provided software vendors a shield against the actual costs of the liability they create when introducing code into the marketplace absent adequate testing.
Rice estimates this hidden cost of software being passed on to consumers at approximately $180 billion annually and frames solutions in a regulatory and legal context, including potentially even a tax on software insecurity.
They Just Hired a Critic
Interestingly, Rice is rather outspoken when it comes to his distaste for how large software companies write software. For example, the following statement on large software firms appears in a 2008 Forbes interview:
“Companies like Oracle or Microsoft say their software is unbreakable or trustworthy. But those statements are vacuous and cheap to make, and there's no consequences for when they're wrong.”
He does not leave Apple out of the equation:
“When you're buying Oracle's or Apple's software there's no notion of what you're getting into. Some say Apple is more secure than Microsoft. That's a totally subjective statement, there's no objective measurement going on--the risk is invisible. So the market really can't choose to buy more secure software.”
I give Apple kudos for recognizing that someone who has rationally studied the problem, and candidly reported on it, is a good candidate to have running information security. It is better in any case than someone who will blow sunshine up your rear end all day long.
A Hiring Trend
Apple has brought on security talent as of late, having hired Window Snyder (formerly of Mozilla and Microsoft) last March and Ivan Krstic (former OLPC security chief) in May of 2009.
The motivation, beyond putting a good security practice in place, would seem to be penetration of the enterprise market for the company’s devices. Apple has sold a hell of a lot of devices marketing to the retail space (4 million Macs, 16 million iPhones, 19 million iPods, and 7 million iPads according to the company’s recently released results for the previous financial quarter). This thorough penetration of the consumer retail market has spilled over into the enterprise environment: much of what talking heads refer to when they start discussing “the threat of IT consumerization to enterprise security” is this effect. Put simply, devices not manufactured or programmed with the corporate IT environment in mind are being introduced into that environment regardless, and technology departments are left to figure out how to manage them in that context.
Driven by the same design features that have propelled consumer purchases, more than a couple of the “privileged few” in corporate environments have of late demanded that their local IT department support iPhones and iPads for them. To their credit, Apple has recognized some of the needs of the enterprise IT environment with support for features commonly required on corporate mobile devices, such as data encryption in storage and transit, remote kill switches, password policies and the like: iPad in Business – Security Overview.
Apple’s continuing formal support of the built-in security features needed by corporate information security departments, and the addition of a powerful internal voice for those concerns within the company like David Rice, would appear to be a godsend to beleaguered information security managers trying to keep up with user desires, desires fueled in part by the explosive success of Apple's devices themselves.