IoT Security: Lack of Expertise Will Hurt, Says Bruce Schneier

The lack of relevant technical expertise by governments is going to hurt when it comes to securing the internet of things (IoT), according to security technologist Bruce Schneier.

Governments have a crucial role to play in tackling what he sees as the next big security challenge, he told Infosecurity Europe 2016 in London.

One of the biggest challenges, according to Schneier, is that there is no good regulatory structure for IoT which connects finance, health, energy and transport information.

"We don't know how to do this, so we are going to need government solutions that are holistic that will deal with IoT devices no matter what they are doing," he said.

There is a requirement, added Schneier, for a new type of national and international structure to handle the new types of systems that are connecting data in new ways.

He said that these new structures should be repositories for new technical expertise that is lacking in current government policy debates.

There is stark lack of expertise, said Schneier, in things like large personal databases, algorithmic decision-making, IoT, cloud storage and computing, robotics, autonomous agents.

"These are all things that the government is going to run headlong into and need to make decisions about because there are a lot of decisions that markets aren't going to solve," he added.

Some pundits have suggested that market forces will address many of the potential risks of IoT, but Schneier doubts they will and claimed that markets are short-term, profit-motivated and work at the expense of society.

"There also needs to be some counterbalancing force to the enormous corporate power we are generating through the innate network effects of the internet," he said.

Schneier believes there is a need for governments to take action because any alternative would naturally be ad hoc and piecemeal.

To move forward, however, he said governments will have to acquire the relevant expertise, they will have to be willing to do the hard work, and they will have to tackle associated international issues.

"Governments are going to get involved regardless because the risks are too great [not to]. When people start dying and property starts being destroyed, governments are going to have to do something," said Schneier.

"Our choice is not between government involvement and no government involvement, but between smart government involvement and stupid government involvement, and my fear is that if we wait, and something happens, we will get stuck with stupid government involvement without much creative problem solving."

Engaging with government

Schneier urged the information security industry to engage with government to ensure that the innovation with the industry is pushed into the cyber-physical environment enabled by IoT.

"Then we have to start thinking about how government gets involved—both the pros and the cons—before it happens to us," he said.

Schneier proposed disconnecting systems: "If we cannot secure complex systems, we can't build a world where everything is computerised, connected, interconnected, and intermingled."

These systems need not be inevitable, he added. "Right now we are being pushed in that direction; the technical elites are pushing us all in the direction of increasing interconnectedness."

However, Schneier said there is no good reason for the "connect it all" model, and there are other models of localised connection, limits on collection and storage, and disconnected systems.

"We need to move to more distributed systems, more self-empowerment, and less centralised control simply for our own security," he said.

Categories: Articles, Text

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.