The internet of things needs to be regulated, and soon, before it becomes even more of a tool to facilitate cyberattacks, and that means coming up with civic-minded technologists to help formulate government policies, security expert Bruce Schneier told an RSA Conference 2017 audience.
The problem is governments lack the technological expertise to understand the mindset of the makers of IoT devices and the markets in which they are sold.
Society needs to address the moral, political and ethical issues about how the IoT should be secured, and that means people who understand it need to get involved in making policy. “Getting it right means having our expertise,” he says.
Just as law schools churn out public-interest attorneys, computer science schools need to train public-interest technologists. “We need to get into the debate,” he says.
The scope of measures that could be taken include regulations, fines, ratings, certifications, assigning legal liability and performing forensic investigations, Schneier says.
With the addition of an estimated 2 billion devices being connected to the internet per year, the scale of what malicious actors can do with the IoT is enormous and ballooning, he says.
Governments are going to get involved, regardless. The stakes are too high.
The Mirai botnet that enslaved thousands of DVRs and surveillance cameras last fall to aggregate a 1Tbps DDoS attack is one example of what could become routine if something isn’t done. The concern is that one individual was able to take down a chunk of websites by attacking DNS provider Dyn. The problem becomes catastrophic when one individual can shut down power plants or self-driving cars, he says.
In general, software is badly written and so it is buggy, which means it can be compromised, he says. That includes software for IoT devices. This can result in unknown and unguessable attacks. Software can be upgraded, so if the upgrade mechanism is compromised, a malicious upgrade could enable unimagined malicious activity. “Computers can be programmed to do anything,” Schneier says. “We can’t anticipate every use and every condition.”
A solution might include removing these devices from the internet unless they absolutely require connectivity, because once connected they pose a potential danger. “Networking allows things to scale, including attacks ... Fewer attacks can do more damage because they can scale,” he says.
Schneier says there are two types of security. One requires getting security right the first time because the consequences of failure are so great. That’s the case, for example, with constructing buildings and designing planes.
The other type of security is accepting that vendors sell products that aren’t perfect, but the consequences of failure aren’t that great and the serious flaws can be rapidly fixed. In this case manufacturers balance the cost of failure against the cost of fixing the problems.