IoT Security: “The Market has Failed”

According to the IT security expert Bruce Schneier, the consequences of unrestricted connectivity in the Internet of Things could be devastating. In the interview, he calls for greater security for the Internet of Things (IoT).

"The era of fun and games is over," said Bruce Schneier at the Telekom Security Congress in Frankfurt in November 2016. The American expert for IoT security and cryptography is Chief Technology Officer (CTO) of IBM Resilient. In his bestseller "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World", the security researcher describes how states and Internet firms spy on us. In the interview, the 53-year-old talks about the huge importance of security for and through the Internet of Things, about a failing market and about the need for state regulation.

Mr. Schneier, at the Telekom Security Congress you warned us about limitless connectivity in the Internet of Things. You are an established expert for IoT security. Why are you pessimistic?

We are currently creating a world in which everything is connected. This connectivity in the Internet of Things will reach its peak soon. It is like a robot the size of the entire earth. However, we are not aware of the consequences.

What consequences should we expect?

With the Internet, mankind has created the most complex machine that ever existed. Up until now, only data were at risk from cyber attacks. However, connectivity through the Internet of Things—for example for machine-to-machine communication (M2M)—makes the system highly volatile because IoT security is seriously neglected. Through the integration of sensors and actuators, the consequences are now much more dangerous: cyber attacks no longer pose a risk just to data—they can also put people's lives at risk.

In your opinion, what are the biggest problems in regards to IoT security?

Big companies such as Microsoft, Google or Apple employ experts for IoT security to make smartphones, for example, as secure as possible. However, if you buy a webcam to monitor your baby, a refrigerator or a thermostat, no expert for IoT security will have been involved with it. A further problem is the fact that these devices are replaced less frequently. While many users will buy a new smartphone after just two years, most people will only buy a new refrigerator after five years or more. And many cheap devices do not even provide an update option.

Yet people still buy these insecure products.

That is right, because no customer thinks about IoT security. When making a purchase, customers think about very different factors: what does a device cost and what functions does it offer? Ultimately, the customer is not interested in whether the device is part of a botnet. After all, they are not directly affected. As long as the device works, the customer is happy—and the manufacturer is, too. Neither of them is interested in IoT security. When it comes to IoT security, the market has failed.

How do we solve this dilemma?

If the market fails, others must intervene. In the future, we really need state regulation—not just company policies. Generally speaking, the state intervenes where things pose a threat. However, the Internet has remained virtually untouched by such rules. The fun and games are over: connected devices must undergo a certification process! This is already the case with potentially dangerous products such as cars or medical devices.

Would national IoT security rules be useful? Or do we need international ones?

I believe that national rules can be effective globally. For example, if a law in the USA stipulated security standards for routers bought in the country, manufacturers from other countries would then need to ensure that their products met these security requirements if they were to be sold on the US market.

Is state regulation enough?

No, it is not a panacea. Cyber attacks will always happen in the future—we have to accept that. A system as complex as the Internet of Things cannot be made completely secure. A skilled and motivated attacker with sufficient financing will always find a way in. And we cannot expect that those behind attacks such as the Mirai botnet DDoS attacks will be arrested. But even if we accept that connected devices can never be completely secure, we can at least significantly reduce the problem.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.