Takeaways from Bruce Schneier's New Book

  • Tim Starks
  • Politico
  • September 11, 2018

FIX THE INTERNET BEFORE IT FIXES US — Technologist Bruce Schneier is out with his latest book and his most alarming title yet: "Click Here to Kill Everybody." In fact, it's one of the most ominous in the entire cybersecurity canon. Even in his introduction, Schneier admits to hyperbole, yet writes the title isn't without merit since "we're already living in a world where computer attacks can crash cars and disable power plants — both actions that can easily result in catastrophic deaths if done at scale."

So, OK, it's scary. In this outing, published last week, Schneier digs into the dangers posed by the rapid spread of internet connectivity into all our things. But since he doesn't think the marketing term "internet of things" is encompassing enough, he coined his own term: Internet+. If you've followed Schneier's career or seen his many talks at cybersecurity conferences, much of what he's writing about won't seem new. And since that's probably many of you, we're going to highlight just a few of his policy recommendations (there are many more in the book) and predictions (more of those, too) when it comes to fixing what he calls the "sloppy state of Internet+ security."

Cybersecurity requires its own government agency. Schneier writes that government is "by far the most common way we improve our collective security." So, he's proposing a National Cyber Office that would not have regulatory power (at least not initially) but would offer advice, direct research, convene meetings and set policy priorities. "There is significant historical precedent in the US for this idea," he writes. "New technologies regularly lead to the formulation of new government agencies. Trains did. Cars did. Airplanes did. The invention of radio led to the formation of the Federal Radio Commission, which became the Federal Communications Commission. ... The value of a single agency is considerable. The alternative is to craft Internet+ policy ad hoc and piecemeal, in a way that adds complexity and doesn't counter emerging threats."

Regulation is inevitable. Regulation is problematic. A largely regulation-free tech industry may soon be a thing of the past, Schneier writes. And there are lots of reasons why he sees regulation on the horizon. One reason is that Internet+ security is a public safety issue — and that tends to get governments' attention. But he also worries regulation will be problematic and could hamper the speed at which tech companies innovate. "We don't want to—and can't—stop technological progress, but we can make deliberate choices between technological futures, or speed up or delay certain technologies with respect to the others."

Prioritize defense, not offense. Schneier argues that if governments want to take a leading role in improving cybersecurity, "they need to switch their thinking and start prioritizing defense." Currently, he says, the U.S. wants to maintain the internet for offensive purposes, ensuring that agencies such as the NSA can eavesdrop on other nations. "With few exceptions, we all use the same computers and phones, the same operating systems, and the same applications. We all use the same Internet hardware and software. There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack," he writes. But, he says, if the U.S. shifts its priorities to defense, the internet will be more secure for everyone (see below for more on that idea). "We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one."
