Click Here to Kill Everybody, Book Review: Meeting the IoT Security Challenge
Sometimes the human race just isn’t that smart. The Internet of Things is a case in point: today’s internet is a mess of security vulnerabilities and coding errors. As the size of data breaches and the cost of cyber attacks escalate week by week, we now want to exponentially increase the complexity, attack surface and dangers by wirelessing up billions of ultra-cheap devices, any one of which might bring the whole thing down. In the words of the great Jewish prophets: Oy.
Surveying the shape of this monster takes up the first third of Bruce Schneier’s latest book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. Anyone who follows security can probably skip most of it, as it’s largely familiar material. Schneier outlines three primary use cases: a cyber attack against a power grid; murder by remote hacking of a connected car; and the “click here to kill everybody” of the title, in which a hacked bioprinter goes into overdrive replicating a lethal virus. That background over, Schneier tries to come up with solutions to this unwelcome security nightmare that’s rushing towards us.
Most of Schneier’s recommendations are about policy and regulation rather than technology. To create ‘Internet+’ (that is, internet plus security), he suggests developing standards (both principles and rules), promoting public education, correcting information asymmetries, closing the skills gap, and funding research, maintenance and upkeep.
More difficult is his recommendation to correct misaligned incentives, which means introducing product liability into the software industry. In this suggestion Schneier is not alone; Cambridge University professor Ross Anderson and Gresham College professor Martyn Thomas, among many others, have advocated liability for years. The industry’s fierce resistance may have been acceptable when the stakes were purely financial, but when we’re talking cars, power grids and medical equipment, human lives are at stake. Schneier also suggests granting customers the right to sue IT vendors when things go badly wrong.
Regulation and co-operation
Schneier also suggests a new regulatory agency for cyber security, given that the effectiveness of agencies such as the current Federal Communications Commission waxes and wanes as their governments’ administrations change policy. This is hard to assess, but Schneier is certainly right to say that governments have a crucial regulatory role to play in forcing industry to adopt better security practices. His argument that governments should “demilitarize” the internet by shifting from focusing on offense to promoting defense and strengthening the resilience of every part of the infrastructure is also sound. He also argues for international cooperation, since no single country can hope to change a global, cooperative infrastructure. In return, he says, we will have to trade away some ability to innovate. The passenger getting into a self-driving car will almost certainly feel it’s a good trade.
By now you’re probably thinking: yeah, right, you and whose army is going to make this happen? Schneier is right there with you. Admitting that many of his recommendations have been in the public sphere for more than a decade with little progress, he concludes by assessing the state of the art of the possible. The US is unlikely to do anything helpful for the moment, but: “When the internet starts killing people it will be regulated.” The EU’s GDPR is a genuine help. We—consumers and organizations—can play our own part by making more careful purchasing choices. Ultimately, however, we are left to make the most difficult decision on our own: who can we trust?