Recently a client wanted to introduce a new type of presentation gateway. These devices provide a means of making audio-video presentations via Wi-Fi. The user logs in to a website provided by the presentation gateway instead of plugging in a video cable. It would solve the problem of having to provide all kinds of different cables to connect laptops and tablets. A quick search on the internet revealed a set of vulnerabilities complete with exploits.
In the latest installments in the long lists of books authored by Bruce Schneier, the author delves into the risks of a world full of IoT devices, a scenario that Schneier calls the 'Internet+'.
Click Here to Kill Everybody
By: Bruce Schneier
With certainty I can say that I'm not the only one in my group of friends who've worried about the implications of connecting everything to the Internet. For better or for worse it looks like in a few years time the availability of not-connected devices will be much lower than it is today, and this will affect everyone to some degree. Therefore everyone is a stakeholder in making sure that the IoT devices we rely on are secure.
Throughout the book Schneier describes how current security paradigm of patching is failing and the implications of that, why everyone from manufacturers to important government agencies favor insecurity, how the ‘Internet+’ can be secured and what’s actually likely to happen.
Schneier describes the ’Internet+’ as a new and needed definition for a grand system of systems where humans are just another component. Humans provide inputs to computer and accept their outputs, and therefore are consumers of the computers’ automated functionality. It’s from this relationship Schneier coins his term ’Internet+’, short for ’Internet + Things + us’.
This book should be seen as another call to action on ensuring that digitalization is done right
Schneier has long been on the barricades advocating the need to secure devices and considers the expected mass-influx of IoT devices as something that makes security both more urgent and even more important. This book should be seen as another call to action on ensuring that digitalization is done as secure as possible, especially now when exploitation of class breaks could severely hurt or kill a large amount of people. Currently IoT devices are very diverse, but as Schneier argues, that won’t last. In the future there’ll likely be only a few IoT processors, a few IoT operating systems, a few controllers and a few communications protocols. What this mean is that class breaks on one of these processors, protocols or systems would jeopardize a large amount of devices with potentially deadly consequences, just imagine if a class break on all Tesla cars would allow simultaneous disabling of all brakes on all Tesla cars, or if all Electrolux ovens would be set to the highest temperature. You don't need to be an expert in cybersecurity to see what's at stake here.
In this book with the self-admitted clickbait title ‘Click Here to Kill Everybody’, Schneier describes the danger of connecting everything from industrial controllers, cars and household appliances, to the ’Internet+’. While it’s a very dramatic title, as a reader you get the sense that there’s a need for such drama. As Schneier explains it, while we are not yet in a scenario where computers and networks are so deeply embedded in our most important technical infrastructure, that someone could potentially destroy civilization through a cyberattack, the stakes are increasing. Schneier is not convinced we'll ever be so vunlerable that civilization could be destroyed by cyberattacks, but he argues that the risks are becoming increasingly catastrophic.
There’s nothing new about the fact that there are risks with complex systems of devices, or as Charles Perrow put it in 1984:
Accidents and, thus potential catastrophes are inevitable in complex, tightly coupled systems with legal possibilities. We should try harder to reduce failures – and that will help a great deal – but for some systems it will not be enough….We must live and die with their risks, shut them down, or radically redesign them.
The difference in dependency on interconnected devices between 1984 and now is staggering in its scale. We must have a debate in society on how to deal with this, increase awareness of potential issues and the fact that security rarely comes cheap, but the consequences for poor security are far more expensive. This need for debate is something that Schneier emphasizes throughout the book, and reading it it’s easy to understand why.
As Schneier put’s it ‘It’s important to talk now about what good Internet+ security policy will look like, when we have time to do it slowly and carefully, and before a catastrophe occurs.’ Schneier clearly favors an approach where the government takes a very important role in creating functional regulation that create incentives for corporations to incorporate a baseline of security into their products, because currently any manufacturer that’s really spending on security is making poor business decisions. Products will sell whether they are secure or not, and the corporations that have to increase prices due to added security will not be able to compete with the corporations that don’t. It’s for this reason Schneier argues that government regulation is crucial for encouraging innovation while also enforcing the incorporation of security.
It’s important to talk now about what good “Internet+” security policy will look like, when we have time to do it slowly and carefully, and before a catastrophe occurs.
This book really falls under the category ‘everyone should read this’, not everyone might find it enjoyable, interesting or even relevant, but it could help in encouraging a much needed debate. I think that if you ask your friends today, a lot of them have no interest in connectivity for their household appliances, car or pacemaker, but it’s likely that when it becomes cheaper for manufacturers to turn everything into an interconnected device rather than not, your friends won’t have much choice but to connect. Before that happens, we need to have a talk.