InfoSec 2016: Two Worlds Are Colliding, and I Don’t Have the Answer, Says Bruce Schneier
Schneier also sees more government meddling in IoT security as ‘inevitable’
Schneier explained how IoT-connected devices such as medical devices, which are almost impossible to keep up to date with the latest security defenses, will go at odds against attackers who are continually improving their attack methods, with “catastrophic” consequences.
“As we move to the Internet of Things, where things are less patchable and less high-end, we’re going to have problems,” said Schneier, addressing a keynote audience at InfoSec 2016 in London.
“Right now, how you patch your home router is to throw it away and buy a new one. That is the patch path. And a lot of our systems, like a phone, are patched all the time, but a lot of the security comes from the fact we get a new one every 18 months. We get a new laptop every two years. That allows us to get better. But you buy a new refrigerator every 15 years. You buy a new thermostat, what, approximately never? That’s going to be a big problem,” he explained.
Schneier described how the security lifecycle for things like home appliances, implantable medical devices and cars just isn’t the same as the security lifecycle for consumer electronics.
“We’re not going to be able to live in a world where to update your defibrillator you’ll have to open up your body and get a new one—and that’s going to be bad,” he said.
Moreover, as the Internet of Things scales up to include power plants, communities, cities, and governments, the risk will increase.
“There’s much more of a worry for catastrophic risk. Our systems are getting so big that we can’t afford a single failure. And that’s going to happen soon,” said Schneier, illustrating how we’re reaching a security tipping point.
“There are two basic paradigms of security. There is paradigm A, which is secure it properly the first time. This comes from the world of dangerous physical things. Automobiles, planes, medical devices, buildings. This is security of design. This is certifications. This is testing. This is licensing. This is get it right the first time the first time because getting it wrong would be a disaster.
“Then there’s paradigm B, which is making sure your security is agile. This comes from the fast moving and heretofore largely benign world of software. Rapid prototyping, rapid updates, recoverability, mitigation, adaptability. Putting it out there and fixing it on the fly. These two worlds are colliding and it is unclear how we can do both. We’re starting to see the collision.”
Schneier explained how IoT-connected components like medical devices reside in paradigm A, which means people are walking around with life-critical devices that cannot be updated.
“The process doesn’t allow for updating. The process was get it right the first time. I don’t have an answer,” he said.
Because of all of this, Schneier confidently predicted that we will see increased government intervention within the Internet of Things and cybersecurity space.
“We’re going to see greater fear rhetoric, because this stuff is actually scary. We’re going to see more rhetoric of fear,” he said.
“I think that more government involvement in cybersecurity is inevitable simply because the systems are more real. We’re going to see more cyberwar rhetoric, more cyberterrorism rhetoric, more calls for surveillance, more calls for use control, more “trust me I’m the Government”.