Slashdot Mirror


We Must Slow Innovation in Internet-Connected Things, Says Bruce Schneier (technologyreview.com)

Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought. Schneier made these arguments in his new book, Click Here to Kill Everybody, which is on sale now. Here's an excerpt from his interview with MIT Technology Review:

Technology Review: So what do we need to do to make the Internet+ era safer?
Schneier: There's no industry that's improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company's earnings.

Technology Review: But won't things like strict liability laws have a chilling effect on innovation?
Schneier: Yes, they will chill innovation -- but that's what's needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We're past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.

Technology Review: There's a fundamental tension here, though, isn't there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.
Schneier: Governments are certainly poachers as well as gamekeepers. I think we'll resolve this long-standing tension between offense and defense eventually, but it's going to be a long, hard slog to get there.

8 of 140 comments

  1. Click Here to Kill Everybody by 110010001000 · · Score: 4, Insightful

    I give the book five stars based solely on the title.

  2. Recalls.... by Luthair · · Score: 4, Insightful

    In the car world if manufacturers make a mistake they can be forced to recall the vehicles. In the device world you can release something and wash your hands of it.

    1. Re:Recalls.... by Anonymous Coward · · Score: 4, Insightful

      For some reason negligence is acceptable behavior in IT and CS.

      It's because CS doesn't want to be treated as "real" engineering.

      In real engineering, you - personally - sign off on things. Engineers are held responsible if they design a structure that fails even when given the proper maintenance. They are held accountable for what they do. Ditto if you are an EE and you design a circuit deployed in consumer electronics that fails by the millions and burns down houses.

      The software world wants NO accountability. It wants to belch out mountains of shit and then wash their hands of it, because doing it right is "too hard".

      This can ONLY be fixed by legislation which holds software "engineers" accountable for failure. Right now there is zero accountability, which is a recipe for negligence and failure.

    2. Re:Recalls.... by Anonymous Coward · · Score: 2, Insightful

      If you don't mind computers and software (each) cost about as much as a car, go ahead.

      This actually makes much more sense than allowing everyone to attach multiple $20 devices to the global Internet.

      I support your solution completely.

  3. Innovation is not the problem by drinkypoo · · Score: 5, Insightful

    The problem isn't innovation, doing new things is good. The problem is not learning from the old things. The mistakes the IoT vendors are making are all mistakes that have been made before. Looking to the future is positive, so long as you don't ignore the past.

    We don't need to slow down innovation. We need to put more emphasis on history. Ironically this could actually speed up innovation since less time would be spent fighting fires.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Innovation is not the problem by Anonymous Coward · · Score: 4, Insightful

      >The mistakes the IoT vendors are making are all mistakes that have been made before
      Guy above you said the same thing.

      I hope you guys realize that line is evidence of a systematic problem, not a problem with the behavior of individuals. System problems aren't corrected by "discipline" to behavior; it takes ridiculous resources and effort to get marginal changes to the base human condition. As a basic example, you don't treat Greed, you build around it (i.e., assume it, even refer to it as "standard market forces"), as we have with millions of laws for centuries.

      Assume self-interested companies will continue to act like self-interested companies. Indefinitely. It can't be stopped.

      Now change your recommendations to reflect that.

  4. Re:They make the same mistakes _again_ by Opportunist · · Score: 3, Insightful

    No, logical.

    The people developing IoT devices are not software engineers. They are engineers designing fridges, TVs, stoves and washing machines. And they're even good at that. But they now get the task to add "internet connectivity" to it. Why? Because we have a new checkbox on the cute cards in the stores. You know those cards. The ones that list all the awesome features your appliance has. The ones the customer does not understand but counts how many of those boxes are checked. And if your appliance does not have a check that the other one has, the customer won't buy yours. Because he needs that feature? Hell no. He most likely doesn't even know what the feature is. But the other one has it, so it's "better".

    With this in mind it is easy to understand why every toaster now needs WiFi access. And also why that WiFi access is treated like a gimmick rather than a real feature by its maker. Actually, I'm surprised it works, I wouldn't even dream about asking whether it's secure.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Because heart attack sufferers by jd · · Score: 3, Insightful

    Are in a position to shop between implants, and there's obviously millions of vendors.

    And, of course, stores carry an entire department of wireless routers, not just three boxes between two near-identical vendors who offer no information and have secrecy clauses on everything.

    Find any good OpenBSD-based thermostats on Amazon? Thought not.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)