Slashdot Mirror


We Must Slow Innovation in Internet-Connected Things, Says Bruce Schneier (technologyreview.com)

Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought. Schneier made these arguments in his new book, Click Here to Kill Everybody, which is on sale now. Here's an excerpt from his interview with MIT Technology Review:

Technology Review: So what do we need to do to make the Internet+ era safer?
Schneier: There's no industry that's improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company's earnings.

Technology Review: But won't things like strict liability laws have a chilling effect on innovation?
Schneier: Yes, they will chill innovation -- but that's what's needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We're past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.

Technology Review: There's a fundamental tension here, though, isn't there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.
Schneier: Governments are certainly poachers as well as gamekeepers. I think we'll resolve this long-standing tension between offense and defense eventually, but it's going to be a long, hard slog to get there.


  1. shared spaces by petes_PoV · Score: 3, Interesting
    Right now the internet is one big space that every user shares with every other user.

    That is irrespective of whether one user is a grandma trying to email to a relative, an individual buying a product, a city's traffic light network, a government department, a car or a battleship.

    This is a ridiculous situation to be in. We segregate road users for their own safety (and that of others) and in order to provide facilities that are appropriate for each type of user. What we don't need is a one-size-fits-all security model. We should be separating out the various forms of network traffic into physically discrete networks. Maybe even to the extent of having multiple networks with little or no cross-over between them.
    This would be especially apt for a break between commercial and non-commercial traffic. Or between government and civilian use. And especially between safety-critical infrastructure and everything else.

    The concept of an "internet" is past its useful life. The whole structure never took security seriously and was designed more around trust than enforcement. It is past time to move a LOT of stuff off the public network and to make it harder for grandma to accidentally email the Pentagon's National Military Command Centre - just like it isn't (I hope) possible for someone to accidentally walk in through its front door.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons