
November 2002

Spaf's Crystal Ball

The security soothsayer's at it again.

BY Eugene Spafford

One of the hazards of soothsaying--at least if one has some success--is that people keep coming back for more. Predicting the obvious is one way to respond to such requests, but the throngs are usually more interested in the offbeat and unexpected, which tends to be more memorable.

It's against that backdrop that I've been asked to provide a few closing comments and predictions for this issue of Information Security. I suppose this is a result of having made some accurate predictions over the last decade.

  1. Security problems with general-purpose systems will get worse over the next few years. This is a no-brainer for a few very simple reasons: The vendors need to keep adding questionable features to generate sales; the majority of the people designing and coding those features won't have the training or tools to create them properly; and the consumers won't pay the extra costs to have it done right. In fact, it will likely be several years before most consumers are able to distinguish safe code from the typical dreck they're used to buying...and patching.

  2. The market for add-on security (firewalls, intrusion detection, antivirus, monitoring, probing, etc.) will continue to grow, although we'll see considerable consolidation in the marketplace as the similarity of many tools becomes apparent. Sales of these items will be strong for years to come, despite the fact that the only real solutions require rearchitecting the underlying systems. Expect to see several established products fail or be withdrawn because they are too invasive, have unfriendly interfaces, or are found to be considerably less effective than claimed.

  3. Because add-ons can't really provide complete remediation of fundamental flaws and user misbehavior, consumers will embrace appliance-based computing as it becomes available. Fewer options and services to support suggest that appliances should be simpler to secure. Dedicated appliances are also likely to be more popular with consumers, who aren't interested in--or capable of--mastering the complexity of general-purpose computing.

  4. Spam will grow as a problem. In the U.S., debate over commercial rights and free speech will complicate the issue, delaying any meaningful legislation on unsolicited e-mail. When laws are passed, there will be no real enforcement, and it won't be effective beyond U.S. borders. Significant numbers of people may stop using e-mail as we know it. Radical changes in network architecture could result.

  5. Spurred by issues involving intellectual property theft, spam and cross-border hacking, there will be a greater emphasis on international cooperation and communication. Trademark violations, credit card fraud and various other forms of online transgression will also increase and be the focus of international treaties.

  6. Insurance companies and liability lawyers will get more involved. It has taken them far longer to get started than many of us anticipated, but the outcome is no less certain. Once the first few liability cases are decided against vendors and operators, watch for insurance and "certification" to sweep the industry as everyone attempts to cover their, uh, assets.

  7. Consumers will still focus on the wrong things. Insiders will defraud companies because all the defenses will point outwards. Bad software will continue to be purchased and deployed because "it's what everyone else uses." Little funding will be provided for education and long-term research because it has no obvious impact on the quarterly report. Instead, untold billions of dollars will be spent on short-term patches and fixes that need to be replaced every few months. Military systems will be purchased because they are COTS, not because they are safe or well-tested. Many disasters will make the news in coming years as a result.

  8. Consumers and technologists will continue to be enamored with fads and flash rather than quality and safety. Wireless will continue to be deployed in sensitive locations despite the terrible vulnerabilities and risks. Furthermore, we'll see policymakers and technicians continue to place faith in technology to solve our problems instead of investing in sound management and trained personnel. Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics.

Will the future really be as bleak as these predictions suggest? Perhaps. One of the ground rules of prediction is that we have choices to make that can change the future.

Also, it's possible my crystal ball isn't working quite right. It keeps generating a blue haze. It must need rebooting!


EUGENE SPAFFORD is a professor of computer science at Purdue University and director of the Center for Education and Research in Information Assurance and Security (CERIAS).





Copyright 2002 TechTarget