Has Your Toaster Got Cyber-Security? It May Soon Need It
Policy-makers must get to grips with "the internet of things." I'm recommending this book to them
Oh no! Another book with a terrifying, it's-the-end-of-the-world title. They're in vogue at the moment. Sadly, for us mere mortals, Click Here to Kill Everybody is by Bruce Schneier, who is one of the world's top cyber-security experts, and not someone given to exaggeration.
Click Here's central point is that everything is turning into a computer. For reasons I cannot fathom, society is presently engaged in a craze of connecting everything to everything else. Most of us think of the internet as something you access on your phone or PC—but your pacemaker, home heating system, baby monitor, car and fridge are all going online too.
This so-called internet of things is blurring the line between online and off. Soon, explains Schneier, with typical clarity, "I'm going on the internet' will make as much sense as plugging in a toaster and saying I'm going on the power grid'."
Fairly soon, then, computer security will be everything security. That's bad, because computer software isn't designed to be secure. The first half of Click Here elaborates on this theme, with exemplary tech writing that is accessible without being dumbed-down. Anyone who wants to understand why hacking costs companies and consumers billions a year (and makes a lot of people rich, too) will find several insights that extend beyond technical issues of code or software specification.
For example, because code is legally categorised as a service not a product, manufacturers can disclaim liability for weak security in end-user licence agreements (those T&Cs you never read). Cyber attack is easier and cheaper than defence, because an attacker only needs to be right once.
Risk comes from places you wouldn't expect. As Schneier explains, with palpable frustration, some parts of government actually prefer the internet to be insecure, because it makes snooping easier—hence the US National Security Agency's infamous programme to weaken encryption standards.
Schneier is equally thoughtful when discussing solutions. You won't find a book with more practical policy ideas, which is one reason I've been recommending it to politicians. For example, he proposes that companies be made more liable for consumer harms—such as in fraud cases where banks take on the costs. (This simple idea would be transformative.)
He decisively smashes the idea that powerful encryption is bad for society. He wants professional licensed software engineers and believes we should separate state security from state spying (the Government communications centre, GCHQ, does both, which creates mixed incentives). He also—albeit reluctantly—supports more government regulation. This might sound like common sense to you and me, but for people working in the tech sector, that's a small heresy.
Only one small thing troubled me with this excellent work, and I bring it up here mainly because it's something I find a lot in tech circles: a subtle, almost accidental, arrogance that we techies get it and the non-techies do not. Schneier is hardly the worst offender and, to be fair, he's done a good job of describing this world in a way that makes sense to a generalist. But every now and then, there's a hint of an eye-roll at other people's ignorance.
Schneier references himself a few times, which you rarely see in non-tech books. Then there are the lists. He has a lot of them. Don't get me wrong: they are always good lists—clarify legal liabilities, close the skills gap etc—but do we really need four of them in eight pages? They are fascinating for the specialist, but a little draining on the generalist who feels mildly lectured at.
I was delighted therefore to see the concluding chapter was entitled "Bring Technology and Policy Together". I can hardly think of anything more important. Too often, explains Schneier, techies and policy people not only misunderstand each other, they also speak an entirely different language. The solution, he says, consists of two halves. First, policymakers need to understand technology. Amen. Presumably the second half is for technologists to understand policy? Not quite. It is that "technologists need to get involved in policy". This is subtly different: he wants clever techies to go and work in government.
I agree wholeheartedly with his call for more public interest technologists, but this is still essentially putting more smart technologists into government to stop them doing silly things. That gap he rightly identifies would be better bridged if he'd added that technologists should be a little less dismissive of non-techies in government, appreciate the various pressures politicians are under, realise that senior politicians are expected to be experts in multiple fields all at once, and call for technologists to use language that ordinary people can understand.
As Schneier makes abundantly clear, IT is now far too important to be left to the IT guys. It's true that politicians don't understand technology. But technologists don't really understand politics, either. And things won't get better until both sides shape up. Despite the occasionally frustrating tone, this book is an excellent place to start.
Jamie Bartlett is author of The People vs Tech: How the Internet is Killing Democracy (And How We Save It)