Bruce Schneier Talks About Securing the World-Sized Web at RSAC APJ 2016

Posted by Jennifer Lawinski

Singapore: What’s going to happen to our world as more of our devices come online and the Internet of Things explodes?

That was the question Bruce Schneier, Chief Technology Officer of Resilient and security technologist, asked in his keynote address at RSA Conference Asia Pacific & Japan 2016 in Singapore.

Schneier began by addressing the importance of the Internet of Things. “It’s a buzzword but I think it’s a really important thing that’s changing and I think we need to understand why,” he told the audience.

From sensors that collect data about our environment to the databases in the cloud that store that information to the analytics that help us make use of it, the Internet of Things is capable of changing our physical world. It’s the connection of smart “things” with the physical world.

“We’re building an Internet that senses, thinks, and acts, and that is the classic definition of a robot and what I want to propose is that we’re building a world-sized robot and we don’t even realize it. And I call that robot the world-sized web,” he said.

This world-sized robot, he said, will cause enormous social, economic and political change in our world, and for the security community, this growing web will create an “interconnected system of threats.”

A modern car, for example, isn’t just a mechanical device humans use to travel around. Now a modern car is a computer with four wheels and an engine. “More accurately… it’s a distributed network with four wheels and an engine,” he said.

Traditional security practice requires thinking about threats to confidentiality. But when it comes to the Internet of Things, security practitioners will need to focus more on availability threats and integrity threats.

“When you start having things that affect the world, the effects of a security breach are much greater. They’re an actual risk to life and property,” Schneier said.

“We’re all dealing with ransomware on our networks. Think about ransomware on our car. That’s an availability attack,” he said. An attack that caused cars to drive into one another is also imaginable. “What used to be attacks against data become attacks against flesh and blood or steel and concrete.”

Schneier compared the dance between attackers and defenders to an arms race, and he identified three trends that he thinks will affect that arms race in the era of the world-sized web.

The first is the shift of power balances created by large-scale systems—between governments and people, between industries or between nation states.

“There’s a sequence often to the way these power balance shifts happen. If you think about communications, in general the unorganized are the first to benefit from these new technologies. The Internet appears… and you have new access to coordination, dissemination, organization and action,” he said. But while in the early years of the Internet the security world thought the Internet would equalize power, as the industry developed it became clear that was only half the story.

Criminals are nimble and able to adapt quickly to new technologies, but large organizations, who adopt technology more slowly, wind up having even greater power by leveraging those technologies.

“That’s the difference. The non-powerful are more efficient at leveraging new technology but the powerful have more raw power to leverage. Think of it as a battle between the quick and the strong,” Schneier said. “Right now, the current centralized infrastructure we’re building favors traditional power.”

The second trend is that attackers have an advantage over defenders.

“This is true, but it’s not obvious. Generally in these arms races, the balance shifts between attacker and defender,” he said. Today’s Internet attackers have the power because they have the ability to focus in on targets while defenders have to secure much wider swaths of the Internet.

“We’re constantly playing catch-up because we can’t defend against what hasn’t happened yet, because we can’t predict it. And it’s going to continue and it’s going to make defense harder.”

The third trend is that attackers are getting more empowered. The quick are getting stronger. And this is really a matter of scale.

“This is very concerning in an age of catastrophic risk. Because really I’m not worried about security against the average threat or against the average attack; I’m worried about security against the best attacker,” he said.

In the meantime, the rhetoric of fear surrounding the Internet of Things is growing, and he thinks that’s going to get more intense as the risk to actual life and property grows along with it.

How do we secure this world-sized web?

Mitigating the risks to computer systems and securing the physical world will require smart policies that will require government to think outside of its traditional, segmented structure.

“There’s a fundamental mismatch between the way government works and the way technology works. Government operates in silos. There are different agencies for different things… that’s not the way computers work,” Schneier said.

But government must get involved.

“The risks are too great and the stakes are too high. When computers start doing physical things, government will take notice,” he said.

“This is all coming. The technology is coming. Like it or not government involvement is coming, and I think it’s coming faster than most of us think … We need to get ahead of this. We need to start making choices. We need to start building security systems as robust as the threats. We really need to start making moral, ethical and political decisions about how these systems should work.”

Jennifer Lawinski

Director of Social Media & Community, Arculus
