Schneier: It's Time to Regulate IoT to Improve Cyber-Security
In a keynote at the SecTor security conference, Bruce Schneier makes a case for more regulatory oversight for software and the Internet of Things
The time has come for the U.S. government and other governments around the world, to start regulating Internet of Things (IoT) security, according to Bruce Schneier, CTO of IBM's Resilient Systems.
Schneier delivered his message during a keynote address at the SecTor security conference here. He noted that today everything is basically a computer, whether it's a car, a watch, a phone or a television. IoT today has several parts including sensors that collect data, computing power to figure out what to do with the collected data and then actuators that affect the real world.
"Sensors are the eyes and ears of the internet, actuators are the hands and feet of the internet and the stuff in the middle is the brain," Schneier said. "We're creating an internet that senses, thinks and acts, that's the classical definition of a robot."
"We're building a robot the size of the world and most people don't even realize it," Schneier said.
What that means is that internet security is now becoming 'everything' security, according to Schneier. As such, he noted that computer security expertise is now needed in the auto industry because cars are now computers and all the lessons of the cyber world are applicable everywhere.
"Availability and integrity threats are important as real risks to life and property now," Schneier said. "So now vulnerabilities have very different consequences, there is a difference between when a hacker crashes a computer and you lose your data and when a hacker hacks your car and then you lose your life."
In Schneier's view, many of the existing security paradigms fail in the new world of IoT. Whereas traditional software firms and big mobile vendors like Apple and Google have dedicated security teams, the same is not always true for IoT vendors. As such, Schneier said that IoT devices are often not patched quickly, if at all.
"A home DVR (Digital Video Recorder) could have been part of the Mirai botnet and likely most people just don't care so long as the device works," Schneier said. "Defending against Mirai is hard cause it's not just dropping a patch on Windows and making it go away."
Time for Regulation
In Schneier's view, the challenge of cyber-security cannot be effectively solved by industry alone, instead he advocated for government involvement to help regulate technology security. As internet connected devices move into regulated industries, Schneier expects that computer software which has largely been regulation-free, will need to change. There are also historical precedents for new technology usage leading to new government agencies and regulations. For example, the emergence of cars, airplanes, radio and television have all led to government agencies and regulation.
"In the 20th century, new technology led to the formation of new agencies all the time,"Schneier said.
Schneier added that there are a lot of problems that markets can not solve on their own, since markets are typically short-term profit motivated and can't solve collective action problems. Additionally, Schneier said that there is a need to have a counter-balancing force for corporate power.
"Government is how we solve problems like this," Schneier said.
Schneier expects that there will be lots of issues that will need to debated and resolved about connected technology regulations, but in his view there really isn't a better alternative to ensuring cyber-security safety than government regulations. That said, he emphasized that the reason why he was speaking at SecTor, was to help raise awareness and get cyber- security professionals engaged in government policy conversations.
"As technologists, we need to get involved in policy since IoT brings enormous potential and enormous risks," Schneier said. "As internet security becomes everything security, all security has strong technological components."
"We'll never get policy right, if policy makers get technology wrong," he said.