Schneier Brings Campaign for IoT Regulation to RSA

Bruce Schneier on Tuesday called on technologists to get involved with policy, insisting that as the Internet of things continues to unfold, the knowledge security experts have will become more applicable.

Schneier, CTO of IBM Resilient, stressed in a talk here at the RSA Conference that the need has become more pressing in the wake of Mirai; the threats associated with IoT insecurity are more palpable than ever.

"It's one thing for Reddit to be DDoSed, it's another thing for your home thermostat to be DDoSed in the winter," Schneier said.

Last week on his blog, Schneier posted a list of guidelines that have been written for securing the internet of things. Each document more or less says the same thing: avoid known vulnerabilities and support responsible research. The problem? They've mostly sat stagnant.

"We could all write these docs, they're all good lists, but the question is how do we get them adopted?" Schneier asked the crowd.

Schneier said that it's likely things won't really get moving until the government intervenes.

"I'm not sure the alternative is viable anymore," Schneier said. "I think governments are going to get involved regardless; the physicality of the problems will get them involved. First the courts will set precedent, then there will be torts. Nothing regulates the U.S. government like fear."

The difficulties associated with securing the internet of things have been well-documented. In most instances the affected devices—CCTV cameras, baby monitors, DVRs—are built at a lower profit margin. They're also tricky, if not impossible, to patch.

"There aren't security teams associated with these devices, there's no way to patch," Schneier said. "The way you update your DVR is you throw it away."

"It's science fiction but not stupid science fiction," Schneier said. "One person writes Mirai, publishes his code, and it's in dozens of botnets. That's our world and soon it's going to be everyone's world."

If complex systems can't be secured, then we need to stop connecting things, Schneier said. Instead of layering system on system on system, we should rely on local connections, or Linux, as long as the systems don't interact.

Schneier said the high-water mark of connectivity is on the horizon. It isn't here yet, he claims—"we're still in the honeymoon phase, still punch-drunk with data"—but it's coming. It may take a series of disasters, Schneier said, to change policymakers' minds, much as Three Mile Island did for the general consensus around nuclear safety in the '70s.

Schneier first floated the idea of a new agency to regulate IoT security in November, when he testified before subcommittees of the House Committee on Energy and Commerce.

"I don't like it," Schneier said at the time. "But in a world of dangerous things, you may have to constrain [innovation]. You can't just build a plane and fly it. It might be that the Internet era of fun and games is over because the Internet is dangerous."

Schneier spoke just weeks after tens of thousands of internet-connected cameras and DVRs were ensnared by the Mirai botnet. The botnet brought down dozens of services, Twitter and Spotify to name a few, and was used to attack DNS provider Dyn, French web host OVH, and the website of security journalist Brian Krebs.

Schneier believes that getting technologists involved in policy could create a viable career path, like that of public interest attorneys. It would also stop policy writers and security experts from talking past each other, à la last year's Apple vs. FBI saga.

"The worst outcome is non-technological policy makers make policy that affects us," Schneier said. "We need to get involved in the debate."

"When computers start killing people, there are going to be consequences."

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.