The time has come for the U.S. government and other governments around the world to start regulating internet of things (IoT) security, according to Bruce Schneier, CTO of IBM’s Resilient Systems.
Schneier delivered his message during a keynote address at the SecTor security conference here Nov. 15. Today everything is basically a computer, whether it’s a car, a watch, a phone or a television, he said. IoT has several parts, including sensors that collect data, computing power to figure out what to do with the collected data and actuators that affect the real world.
“Sensors are the eyes and ears of the internet, actuators are the hands and feet of the internet, and the stuff in the middle is the brain,” Schneier said. “We’re creating an internet that senses, thinks and acts—that’s the classical definition of a robot.
“We’re building a robot the size of the world, and most people don’t even realize it,” he said.
What that means is that internet security is now becoming “everything” security, according to Schneier. As such, he noted that computer security expertise is now needed in the auto industry because cars are now computers and all the lessons of the cyber-world are applicable everywhere.
“Availability and integrity threats are important as real risks to life and property now,” he said. “So now vulnerabilities have very different consequences. There is a difference between when a hacker crashes a computer and you lose your data and when a hacker hacks your car and then you lose your life.”
In Schneier’s view, many of the existing security paradigms fail in the new world of IoT. Whereas traditional software firms and big mobile vendors like Apple and Google have dedicated security teams, the same is not always true for IoT vendors. As such, Schneier said that IoT devices are often not patched quickly, if at all.
“A home DVR could have been part of the Mirai botnet, and likely most people just don’t care so long as the device works,” Schneier said. “Defending against Mirai is hard because it’s not just dropping a patch on Windows and making it go away.”
Time for Regulation
The challenge of cyber-security cannot be effectively solved by industry alone, according to Schneier. Instead, he advocated for government involvement to help regulate technology security. As internet-connected devices move into regulated industries, Schneier expects that computer software that has largely been regulation-free will need to change. There are also historical precedents for new technology usage leading to new government agencies and regulations. For example, the emergence of cars, airplanes, radio and television has in each case led to government agencies and regulation.
“In the 20th century, new technology led to the formation of new agencies all the time,” he said.
There are a lot of problems that markets cannot solve on their own, since markets are typically motivated by short-term profit and can’t solve collective action problems, he said. Additionally, Schneier said there is a need to have a counter-balancing force for corporate power.
“Government is how we solve problems like this,” he said.
Schneier expects that there will be a lot of issues that will need to be debated and resolved about connected technology regulations, but in his view there really isn’t a better alternative to ensuring cyber-security safety than government regulations. That said, the reason why he was speaking at SecTor was to help raise awareness and get cyber-security professionals engaged in government policy conversations, he said.
“As technologists, we need to get involved in policy, since IoT brings enormous potential and enormous risks,” Schneier said. “As internet security becomes everything security, all security has strong technological components.
“We’ll never get policy right if policy makers get technology wrong,” he said.