Perhaps the most meaningless term in information security is though leader. I know what it is supposed to mean, but many people who consider themselves information security thought leaders are anything but that. Nonetheless, if there is anyone who is a thought leader in the true sense of the term, it’s Bruce Schneier. Schneier has written on near every aspect of information security. From cryptography, data collection, privacy, spying, and much more.
In his latest work: Click Here to Kill Everybody: Security and Survival in a Hyper-connected World (W. W. Norton 978-0393608885), Schneier takes on the Internet of Things and smart devices. The premise of the book is that with so many smart devices now in use and more coming on the market, devices that can literally kill people, more needs to be done to ensure the security of these devices. He makes that point that everything is a computer now. A smartphone is not a telephone; rather it is a computer that makes telephone calls, and a lot more. With the IoT, everything from thermostats, cars, to pacemakers and more will be computers.
As to the term IoT, Schneier writes that it is really more than just the Internet of Things. It is really Internet + Things. Or more accurately, Internet + Things + Us. He ends up using the term Internet+ throughout the book. It is the us element which is different here. As these devices in the past which were more peripheral, now have the power, if misused, to one day kill us.
The first part of the book deals with the issues of security in an interconnected world. For those who are regular readers of Schneier’s blog or his previous books, a lot of part 1 will be a review.
But an important point he makes in part 1, which set the tone of the overall tone, is that many of the world’s most valuable companies, you’ll find a number of them that engage in surveillance capitalism. From Google, Facebook, Amazon, to Microsoft, eBay and more. Apple is the exception, as it makes money only via hardware and software. And that is why its prices are higher than the competition.
Part 2 starts off on a rather disheartening note that the security of Internet+ looks pretty bleak, and that it won’t get better anytime soon. Schneier though provides ten high-level design principles to improve the privacy and security of Internet+, in addition to 7 principles to secure data. None of the suggestions are new or radical, which emphasizes that many older security fundamentals are not being implemented in Internet+ devices. That alone should be a significant cause for concern.
Schneier does make some radical suggestions, including the need to start disconnecting systems. This might be heresy in today’s hyper-connected world, but a connected device is a device that can be attacked. If you can’t secure a complex system (and Internet+ is inherently complex), then you may not want to design a system where everything is connected. That is likely easier said than done, but does indicate the level of insecurity within Internet+.
Schenier wrote the book on encryption (literally), and emphasizes the importance of trying to encrypt as much as possible. Given he knows so much about encryption, he also is pragmatic enough to know that encryption is not a panacea. While the data might be encrypted, there are still attacks against authentication systems, which can render that encrypted data into plaintext rather quickly. And encryption still doesn’t stop government attacks where they may be able to hack the underlying hardware.
Schneier thinks regulation can go a long way in security Internet+, but notes there is little meaningful regulation that has come out to date.
Aside from the clickbait title, this book shows Schneier at his pragmatic best. He understands the problems (including the technical, ethical, business and pollical aspects) in depth, and suggests realistic solutions to deal with the security challenges of Internet+. He writes that it is important that the technology community get involved in the politics and policy process of Internet+, as it’s imperative that those making the policy understand the technology. And as the recent Facebook hearings shows: Congress still doesn’t really get technology.
At 225 pages, Schneier makes a strong case for security around Internet+. He notes that security is not enough of an impetus to force manufacturers to change their insecure ways, and that regulation is not always the most effective method. It’s up to consumers to a large part to demand better security.
Products are getting more connected and the underlying security issues more complex. Schneier reiterates that complexity is the worst enemy of security. Internet+ brings on some pretty complex scenarios, and the security controls that Schneier feels are fundamental, are simply not implemented yet. While we are years away from an app where someone can click to kill a person, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World makes the case that unless something is done, rather quickly, that horror scenario will be a script-kiddie exercise in a short while.
A fascinating and timely read, this book is another information security wake-up call from Schneier, to a world that is in a deep sleep about information security, privacy and risk.