I EEE Security & Privacy magazine is now 10 years old! It's been an interesting decade for both the magazine and the world. When S&P first launched, the world was just starting to get serious about computer security. Many of today's technologies were commercially available in some form, including antivirus (AV), intrusion prevention, and vulnerability management. Financial companies and governments were adopting network security at the perimeter. But most people in general didn't seem to care very much about computer security and privacy.
Computers grew up in a world where the data on them wasn't that valuable in aggregate, and the risks weren't that high. Consequently, even though great computer security research had been done in the 1960s, in the days before computer networks, not much of a security culture existed, especially outside governments. The most commonly used network protocols were built almost entirely on good faith in other Internet users and provided no confidentiality and little integrity or authentication.
The security industry revolved primarily around identification (mainly, usernames and passwords), AV, and government through the end of the '90s. Almost no thought was given to software security—some products added off-the-shelf encryption, but the world hadn't yet been exposed to SQL injection, integer overflows, cross-site-scripting, and the like.
As we entered the new millennium, more people began using computers for work: email usage became widespread, records were now kept electronically, and laptops, data CDs, and even portable memory became common. Still, most people weren't too bothered about email sent out in the clear or of the myriad ways in which they could lose their data.
But around the time of S&P's launch, the tenor of the conversation in the digital realm moved from the annoyances of hackers and viruses to the doomsday scenarios a nation-state could bring about through hacking. Movies and TV shows highlighted the hacking risks to critical infrastructure that, while implausible to the technophile, seemed wholly possible to those outside the industry.
The September 11, 2001 attacks accelerated the change in mindset. Many in the IT security industry took advantage of the heightened awareness of security issues to educate people about the risks they could face. But the more likely explanation for the change in mindset is that the more important to our society computers became, the more we had to lose as individuals. Today, much of our personal data resides on computers and even online—our work product, financial accounts, pictures, home videos, music collections, even our private thoughts. A decade ago, an infection was inconvenient because we would have had to reinstall everything. Today, it's a disaster, because when we're infected, we need to worry about losing our data, our money, and our identity.
Companies have even more to lose. Not only do they need to be concerned about finances and intellectual property, they also need to be worried about liability if they mishandle people's data. The dramatic rise in IT security budgets over the past decade is due more to regulatory compliance and the liability associated with it than to an altruistic need to improve security.
Yes, in the past decade, our industry has grown up. It invested commercially in many product areas that weren't products a decade ago, such as application security and data loss prevention. At the same time, threats have escalated tremendously; there's far more money to be made being a bad guy on the Internet than there was a decade ago. So, despite many technical leaps, it's unclear whether we're actually safer online today than we were back then.
There are many fundamental challenges in which the bad guys have an edge today, some of which we might never be able to address:
• Much of the Internet still runs on insecure infrastructure. A lot of sensitive emails still go out entirely in plaintext. Our secure Web communications are fundamentally flawed, and it's not because of cryptography.
• The economics of security often don't favor better security. Companies often find it cheaper to fix security problems only as they're reported, instead of designing security in at the start. Similarly, many companies in regulated industries struggle with the cost burden of IT security compliance.
• Most security incidents still involve people shooting themselves in the foot. People are bad judges of risk when it comes to computer security and tend to engage in risky behavior, even when they've been well educated. If those Nigerian scams and phishing attacks didn't work some of the time, the bad guys wouldn't keep doing them.
• Everyone else keeps innovating, and security needs to keep up. Since this magazine launched, social media has taken off, and the computer applications world (and even the security applications world) has been marching to the cloud, despite the possible security risks. More of our critical infrastructure is online.
One thing that's become clear to me over the past decade is that, if change isn't easy, it will probably be extremely expensive, if not impossible. We've not had good luck swapping out entrenched protocols like SMTP or even IPv4, despite significant security problems. We can see many examples in which better security didn't win out, sometimes because of additional user interface complexity, comfort in the status quo, or increased cost.
So, despite IT security and privacy being more important than ever, our society seems to be content to do without, or at least, to make due with a bare minimum. Typically, people would rather have a little bit of security and a lot of functionality than have a lot of security at the expense of extra functionality. Our responsibility in the security industry is not to design the best security and privacy mechanisms possible—if we do, nobody will use them. Instead, we need to improve the economics of security and privacy to make the world a better place—increasing protection as much as possible, while encouraging widespread adoption through ease of use and by keeping costs reasonable.
As a result, we at S&P expect to be around to serve the community for another decade, and probably beyond. Some might see it as a sad state of affairs that these problems are so intractable. We prefer to celebrate all the new and wonderful technologies, value the heightened awareness, and look forward to the challenge of helping to secure it all, cost effectively.
We will march forward with a mission of bringing the best minds working on security and privacy together to learn from each other. Unlike any other security magazines, we have the best and brightest from both academia and industry. Because our articles go through peer review, we are in a great position to elevate the discussion, making sure we only publish papers that are both interesting and relevant. Going forward, we'll attempt to engage more than just the security industry—we'll encourage more interdisciplinary discussion, for instance, with behavioral sciences.
In honor of our anniversary, we've redesigned the magazine. In addition, to celebrate our journey, we'll bring you a special feature each issue that looks back at the past decade—this issue contains dueling position pieces from Gary McGraw and Anup Ghosh. We're also interested in hearing from our readers about the impact that the magazine has had—please feel free to email me directly at firstname.lastname@example.org.
While celebrating the journey, I'd like to thank the many authors who have contributed to the pages of this magazine as well as recognize the team who had the vision to launch it in the first place, particularly the founding editor in chief, George Cybenko, his associate editors in chief Marc Donner, Fred Schneider, and Carl Landwehr (who also served as my predecessor). All have remained on the editorial board this entire decade, selflessly volunteering their free time to serve the greater interests of the security and privacy community.
The past 10 years have been an amazing journey for us all. I can't wait to see what lies ahead, for the world and for the magazine.
Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.