Bruce Schneier on the 10 year security outlook (it's worrisome)

Technology will evolve as computers become 100 times more powerful in 10 years. IT systems will become so interconnected that the risk of failures will escalate. And endpoints will never be secure.

Meanwhile, the same old crimes--fraud, theft, impersonation and counterfeiting--will remain old standbys as new technology leads to new attacks.

These are just some of the takeaways in a conversation posted by Bruce Schneier. In the discussion, which is from TechTarget's Information Security magazine's 10th anniversary issue (January, 2008), Schneier speaks with Marcus Ranum about security in 10 years. It's an interesting read definitely worth a look.

A few takeaways:

Crime will move quickly.

Schneier says:

Fraud, theft, impersonation and counterfeiting are perennial problems that have been around since the beginning of society. During the last 10 years, these crimes have migrated into cyberspace, and over the next 10, they will migrate into whatever computing, communications and commerce platforms we're using.

Ranum says:

You can't turn shovelware into reliable software by patching it a whole lot.

My take: Not terribly comforting. But not surprising either. Will the defenders be able to adapt fast enough? Probably not. Is there a better model than patching?

Cascading IT failure is inevitable.

Ranum says:

I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017. It probably won't be terrorists that do it, though. More likely, we'll suffer some kind of horrible outage because a critical system was connected to a non-critical system that was connected to the Internet so someone could get to MySpace -- and that ancillary system gets a piece of malware. Or it'll be some incomprehensibly complex software, layered with Band-Aids and patches, that topples over when some "merely curious" hacker pushes the wrong e-button. We've got some bad-looking trend lines; all the indicators point toward a system that is more complex, less well-understood and more interdependent. With infrastructure like that, who needs enemies?

Schneier says:

By 2017, the interconnections will be so critical that it will probably be cost-effective -- and low-risk -- for a terrorist organization to attack over the Internet. I also deride talk of cyberterror today, but I don't think I will in another 10 years.

My take: Infrastructure in the U.S. is fragile. And the problem is only getting worse. A massive IT blowup that takes out a power grid or even the Internet is highly likely. The only question is what the trigger will be.

IT services as utility could escalate risk.

Schneier says:

By 2017, people and organizations won't be buying computers and connectivity the way they are today. The world will be dominated by telcos, large ISPs and systems integration companies, and computing will look a lot like a utility. Companies will be selling services, not products: email services, application services, entertainment services. We're starting to see this trend today, and it's going to take off in the next 10 years. Where this affects security is that by 2017, people and organizations won't have a lot of control over their security. Everything will be handled at the ISPs and in the backbone.

Ranum says:

So if you're saying the trend is to continue putting all our eggs in one basket and blithely trusting that basket, I agree.

My take: The IT services movement essentially gives hackers one throat to choke. The big emerging worry is the loss of control for customers.