One of the immutable truths of the technology industry is that vendors are constantly at least one step behind users needs. Its not their fault; its simply a function of the speed at which business requirements and user preferences change these days.
Software companies can work for months to integrate features that users have been begging for into the next releases of their products, but, invariably, by the time the product actually gets into users hands, its already months behind the times at best. At worst, its completely obsolete.
This fact of life causes premature graying and peptic ulcers in the marketing and engineering teams at many vendors.
Even the biggest superstar product manager can find himself polishing his résumé if the release he promised his bosses was the next big thing turns out to be six months behind the curve as soon as it hits the street.
As annoying as that can be for users awaiting a big upgrade of their CRM or storage solutions, it can be downright deadly for IT managers looking for help securing their networks. Being behind the times in security isnt just inconvenient, its potentially fatal.
And if we learned nothing else from 2005s rash of data breaches, credit-card-number thefts and other assorted miseries, we should have come away knowing the attackers are several large steps ahead of our defenses right now.
This has always been the case, but the stakes now are higher than ever, and its time for security vendors and researchers to close the gap.
From its inception, computer security has been mainly a reactive discipline, and it has remained thus all the way through last decades burst of innovation.
Crackers are stealing user accounts to get free time on university networks? Set up tripwires to find them … after theyre in. Viruses running rampant? Install anti-virus software to stop them … after theyve infected the network. Organized online gangs begin targeting banks and consumers with phishing e-mails? Start thinking about two-factor authentication.
You get the idea.
This state of affairs cannot continue. Whats needed, among other things, is a serious commitment to research from both the government and the private sector. This means committing not just people but also the money needed to support them.
There are plenty of amazingly talented security researchers at Carnegie Mellon University, Purdue University, James Madison University and dozens of other colleges, but without the money they need to put together serious testbeds, they may as well be doing their research on TRS-80s.
The shameful bureaucratic foot-dragging and indecisiveness that have characterized the U.S. Department of Homeland Securitys cyber-security research efforts need to end. Now.
If the folks inside the Beltway are having a hard time deciding what kind of research is needed or where to spend their money, all they need to do is pick up the phone and call Gene Spafford at Purdue or any of his colleagues around the country, who Im sure would be more than happy to help the feds out.
A good portion of the industrys more innovative ideas have come out of the university community, including Spaffords Tripwire technology and the RSA algorithm. And Im quite sure that there are plenty more ideas where those came from.
But in order to grow and blossom into full-fledged technologies with the ability to make a difference in securing networks, they need the nourishment of research dollars to augment the care and feeding they get from scientists and researchers.
Whats next? With any luck—and a little gumption from the suits in Washington—maybe well find out in 2006. I sure hope so, because otherwise I may be writing this same column again next year.
News Editor Dennis Fisher can be reached at [email protected].