Book Review: “Click Here To Kill Everybody”

If I were still doing radio shows, I would happily welcome Bruce Schneier back as a guest. He's a security expert who I first spoke with when he revealed the uselessness of the TSA's screening procedures at airports, which he labelled "security theater." Since then, he's made multiple appearances with me.

Bruce has just published a new book, Click Here To Kill Everybody: Security and Survival in a Hyper-connected World, and asked me to review it.

As in his previous works, Bruce sees the holes that exist in the digital world and explains the risks of having so many more things connected as part of the Internet of Things, from thermostats to refrigerators to manufacturing equipment to your kid's dolls. In an age where everything is a computer, my favorite example he cites is the casino network that was penetrated by hackers in 2017 through an internet-connected fish tank.

That sounds funny, but there are real lives in danger when hackers can control our cars and airplanes and medical devices. As Bruce points out, much of this access is because of carelessness, as in the breach of credit card info of tens of millions of Target customers by criminals who got into the system by stealing log-in credentials from one of the company's HVAC vendors.

Bruce discusses why security patches are problematic (older devices can't update, people don't install them when they should), why it's so hard to know who you're really dealing with online (and the ensuing problems when someone steals an identity), and the continuing problem of ransomware attacks, in which your computer is locked up and unusable unless you fork over thousands of dollars in cyber-currency (e.g. Bitcoin). And that's before he gets into the manipulation of data by Russia to impact the US political system (and, no doubt, vice versa).

Then, before offering some solutions, Bruce lays much of the blame on big companies who won't spend the time and money to take proper security precautions and the legislators who don't regulate what they don't understand:

Internet+ security looks pretty bleak. The threats are increasing, the attackers are more brazen, and the defenses are increasingly inadequate.

All the blame shouldn't fall on the technology. Engineers already know how to secure some of the problems I've mentioned. Hundreds of companies, and even more academic researchers, are working on new and better security technologies against the emerging threats. The challenges are hard, but they're "send a man to the moon" hard and not "travel faster than the speed of light" hard. And while nothing is a panacea, there really isn't any limit to engineers' creativity in coming up with novel solutions to hard problems.

Still, I don't think it will get better anytime soon. My pessimism stems primarily from the policy challenges. The current state of internet security is a direct result of business decisions made by corporations and military/espionage decisions made by governments?. What we've learned from the past few decades is that computer security is more a human problem than a technical problem. What's important is the law and economics, and the psychology and sociology—and what's critical is the politics and governance.

Bruce then goes on to lay the groundwork for how the digital world can be made more secure, from our critical infrastructure to our personal data, by creating actual standards that don't currently exist—and then enforcing them not only in the US, but worldwide. Some of it is so basic, in the same way you lock your car doors instead of leaving your expensive personal items and cash on the front seat with the windows open. Some of it is much harder, but starts with standardizing the safety protocols that any business using an IOT device must follow. To accomplish all of that (and more), Bruce also says we need to drastically increase the number of cybersecurity professionals at every level.

But most of all, Bruce argues, it is government which enables security. Therefore, it would behoove every legislative assistant in every lawmaker's office on Capitol Hill and in every state legislature to read this book. I'm assigning it to them because the politicians they work for will never do it, but if someone could summarize it in a few bullet-pointed pages (or a nice crayon drawing for the current president), perhaps they'd understand the scope of the problem and begin to consider some of Bruce's recommendations. Then, they'd have to overcome the enormous hurdle of objections from the most powerful computer and internet corporations.

That's very unlikely, but Click Here To Kill Everybody is still a primer in how interconnected yet vulnerable our online lives are—with more to come.

Categories: Book Reviews, Click Here to Kill Everybody, Text

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.