TECHNOLOGYOct 8, 2016Rob Loggia
Cryptography legend and cybersecurity analyst Bruce Schneier recently published an article in Motherboard lamenting the current state of the Internet of Things (IoT) and issuing a call to action to raise awareness and work towards a solution. While it is not surprising to see someone with Mr. Schneier's credentials tuned in to this most urgent security crisis that is facing the cyberworld, he makes some rather curious and highly questionable statements in defense of his position.
Mr. Schneier first discusses the recent DDoS attack on cybersecurity researcher, reporter and operative Brian Krebs. In that attack, a large portion of the attacking botnet was composed of IoT type devices with embedded software and dangerous vulnerabilities. He concludes, correctly, that the portion of the web occupied by IoT devices represents a dangerous and vulnerable corner of the web that threatens to menace the entire network. After a very light discussion of this theme, Schneier hits us with his thesis: the market has failed and we need government to save us.
- crickets -
Before we consider the wisdom of his conclusion, we should examine some of the arguments he presents in his narrative. Again, they are surprising considering the source. This strange remark, for example, is not supported by the facts:
"Our computers and smartphones are as secure as they are because there are teams of security engineers working on the problem."
From the perspective of data leakage as well as from a classical cybersecurity perspective, our smartphones are probably the most dangerous objects that people keep on their person on a regular basis. They all leak tons of information and expose massive privacy vulnerabilities by design. Every mobile operating system also has classic vulnerabilities discovered regularly.
If the "unpatchability" of many IoT devices bothers Mr. Schneier, as it appears to, than the fact that updates on these phones stop relatively quickly after release should also bother him. He may replace his phone every two years, along with millions of other people that lust after the new shiny. But millions of other people either don't have that option or like their phones enough to keep them. Their insecure phones are connected to our insecure networks, along with the insecure IoT devices he writes about. How can Mr. Schneier consider this situation to be secure?
The same can be said of the PC world, with many people running old versions of operating systems, blocking automatic updates and practicing very unsafe computing habits. The latest version of the most widely used desktop operating system, Microsoft Windows 10, leaks data by design.
How Schneier can consider this problem to be solved is a mystery, but perhaps he perceives an illusion made manifest by the migration of data into The Cloud. The security of home computers has, in a sense, become less important because more of our vulnerable data is being stored on other people's computers, subject to other threats. We must not mistake the emergence of greener pastures with the solving of a problem. Nothing was fixed - the situation is worse than ever.
Limiting the discussion of the threat surface to IoT devices is not only factually unsupported, it is extremely misguided and irresponsible. For rather than raise awareness of the larger problem, such remarks are bound to create a false sense of security for users of smartphones and personal computers. Schneier admits that "we need to build an internet that is resilient against attacks like this" but that will never happen if our experts tell us there is no problem.
Schneier goes on to argue that "insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people." This leads him to conclude that the marketplace has failed and will continue to fail, and that IoT "will remain insecure unless government steps in to fix the problem."
So what, in this case, would Schneier like the government to do to solve the cybersecurity problem of IoT? Bear in mind that the government seems completely unable to protect itself in cyberspace, and that certain three-letter agencies are hell-bent on destroying any semblance of privacy, as well as security, that now exists.
Predictably, the answer offered is government regulations. Schneier argues that this "would raise the cost of insecurity and give companies incentives to spend money making their devices secure." Presumably by hiring "teams of security engineers" to work on the problem. What Schneier fails to discuss is that this raises the cost of security, not just insecurity. In other words, what he is proposing is to raise the costs required to produce IoT devices across the board, hoping that somehow this will solve the problem.
Under this suggestion, it would necessarily cost more to manufacture IoT goods destined for sale in the US. Schneier admits that this would not even solve the problem, only mitigate against it, since the rest of the world would be free to continue to use insecure devices. And assuming there was anyone left able to operate under these artificially increased costs, Schneier implies that they should be subject to even more regulation, keeping the device secure by developing, testing and deploying a fix.
Either that, or further regulations and even laws would have to require the rest of us to stop using devices that are no longer supported. We could call the legislation bundle the "Stop Hacking Insecure Things" (SHIT) initiative and mandate by force that only secure devices are connected to public networks. Perhaps this legislation will also help ease the pain of the remaining manufacturers after all they will be the beneficiaries of legislation requiring us to buy new stuff regularly or go to dark, cut off from the cyberworld.
All of this European-style hoop jumping is necessary, Schneier says, because the market has failed. This assumption ignores the obvious alternative, which is that the market has not had time to react properly yet. The real fix is secure networks, and Schneier admits this in his last paragraph. The only device that would be vulnerable on a secure network is the insecure device itself, and even this should be afforded a level of protection. This is what we need, and some people are already working on it.
All additional legislation and regulation would accomplish would be an industry-wide slowdown, and the destruction of many of the small-to-medium-size businesses currently involved with IoT. It would kill start-ups and discourage the big players and we would still face many of the problems we face today. The alternative is to continue to work to raise awareness of the problem and to allow the market to adapt. Already, visionary leaders like John McAfee and Eijah Anderson have expressed an awareness of the larger problem and are working to fix it properly. Before we allow people like Bruce Schneier to convince us to feed his addiction to big government keeping him safe, we should give the industry time to overcome these obstacles in a natural, organic way.