Slashdot Mirror


We Must Slow Innovation in Internet-Connected Things, Says Bruce Schneier (technologyreview.com)

Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought. Schneier made these arguments in his new book titled Click Here to Kill Everybody, which is on sale now. Here's an excerpt from his interview with MIT Technology Review:

Technology Review: So what do we need to do to make the Internet+ era safer?
Schneier: There's no industry that's improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company's earnings.

Technology Review: But won't things like strict liability laws have a chilling effect on innovation?
Schneier: Yes, they will chill innovation -- but that's what's needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We're past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.

Technology Review: There's a fundamental tension here, though, isn't there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.
Schneier: Governments are certainly poachers as well as gamekeepers. I think we'll resolve this long-standing tension between offense and defense eventually, but it's going to be a long, hard slog to get there.

20 of 140 comments

  1. Click Here to Kill Everybody by 110010001000 · · Score: 4, Insightful

    I give the book five stars based solely on the title.

  2. Recalls.... by Luthair · · Score: 4, Insightful

    In the car world if manufacturers make a mistake they can be forced to recall the vehicles. In the device world you can release something and wash your hands of it.

    1. Re:Recalls.... by Anonymous Coward · · Score: 4, Insightful

      For some reason negligence is acceptable behavior in IT and CS.

      It's because CS doesn't want to be treated as "real" engineering.

      In real engineering, you - personally - sign off on things. Engineers are held responsible if they design a structure that fails even when given the proper maintenance. They are held accountable for what they do. Ditto if you are an EE and you design a circuit deployed in consumer electronics that fails by the millions and burns down houses.

      The software world wants NO accountability. It wants to belch out mountains of shit and then wash their hands of it, because doing it right is "too hard".

      This can ONLY be fixed by legislation which holds software "engineers" accountable for failure. Right now there is zero accountability, which is a recipe for negligence and failure.

    2. Re:Recalls.... by Anonymous Coward · · Score: 2, Insightful

      If you don't mind computers and software (each) cost about as much as a car, go ahead.

      This actually makes much more sense than allowing everyone to attach multiple $20 devices to the global Internet.

      I support your solution completely.

    3. Re:Recalls.... by lgw · · Score: 2

      I think you'll find the problem is not with detail-oriented obsessive nerds writing software, but with managers who yank products out of their hands when they're nowhere near done, and ship them. Make the managers sign off, not the developers.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  3. Innovation is not the problem by drinkypoo · · Score: 5, Insightful

    The problem isn't innovation, doing new things is good. The problem is not learning from the old things. The mistakes the IoT vendors are making are all mistakes that have been made before. Looking to the future is positive, so long as you don't ignore the past.

    We don't need to slow down innovation. We need to put more emphasis on history. Ironically this could actually speed up innovation since less time would be spent fighting fires.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Innovation is not the problem by Anonymous Coward · · Score: 4, Insightful

      >The mistakes the IoT vendors are making are all mistakes that have been made before
      Guy above you said the same thing.

      I hope you guys realize that line is evidence of a systematic problem, not a problem with the behavior of individuals. System problems aren't corrected by "discipline" to behavior, it takes ridiculous resources and effort to get marginal changes to the base human condition. As a basic example, you don't treat Greed, you build around it (i.e. assume it, even refer to it as "standard market forces") as we have with millions of laws for centuries.

      Assume self-interested companies will continue to act like self-interested companies. Indefinitely. It can't be stopped.

      Now change your recommendations to reflect that.

    2. Re:Innovation is not the problem by cordovaCon83 · · Score: 2

      Let us blame the 30-year old engineer for not taking the time to address the vulnerability even though it was the 40-year old manager that declined the recommendation because his team wouldn't meet the deadline set by the 50-year old executive who is obsessed with appeasing the 60-year old investors. Government regulation is "corporate spanking" and it's not just the millennials that need a little more discipline applied to them.

  4. Re:They make the same mistakes _again_ by Opportunist · · Score: 3, Insightful

    No, logical.

    The people developing IoT devices are not software engineers. They are engineers designing fridges, TVs, stoves and washing machines. And they're even good at that. But they now get the task to add "internet connectivity" to it. Why? Because we have a new checkbox on the cute cards in the stores. You know those cards. The ones that list all the awesome features your appliance has. The ones the customer does not understand but counts how many of those boxes are checked. And if your appliance does not have a check that the other one has, the customer won't buy yours. Because he needs that feature? Hell no. He most likely doesn't even know what the feature is. But the other one has it, so it's "better".

    With this in mind it is easy to understand why every toaster now needs WiFi access. And also why that WiFi access is treated like a gimmick rather than a real feature by its maker. Actually, I'm surprised it works, I wouldn't even dream about asking whether it's secure.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:Starts from a false premise by Opportunist · · Score: 2

    Because people noticed that they get killed in death trap cars. Unfortunately, insecure IoT bullshit hurts pretty much everyone BUT the idiot that runs it.

    I still say the drunk driving comparison is apt, usually the asshole wino survives the crash while the pedestrian he mows down does not.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Yet factually incorrect from the first sentence by raymorris · · Score: 4, Informative

    Yep, it's a catchy title. Bruce is generally a smart guy, so I'm surprised to hear him start the interview with a statement that is flat out wrong on the facts. More than that, anyone who knows a little history KNOWS it's wrong.

    "There's no industry that's improved safety or security without governments forcing it to do so.", he began.

    Has Bruce never heard of Underwriters Laboratories (UL listed, UL registered, etc)? Underwriters means insurance companies. That's not government, that's insurance companies offering guidance and an incentive. How about the National Fire Protection Association, which writes the fire codes? That's another safety organization started by insurance companies, and insurance companies wouldn't insure a building unless it met fire code. Later, local governments ALSO said "me too", but the NFPA and fire codes were created by insurance companies, not government.

    The auto companies were advertising safety innovations for half a century before there was any major legislation. From Duesenberg advertising hydraulic brakes in the 1920s to Ford marketing safety glasses in all its cars in the 1930s to padded dashboards, safety cages, and disc brakes in the 1940s - it wasn't until the 1960s that the government got involved.

    So it's simply factually incorrect, plain wrong, to say "There's no industry that's improved safety or security without governments forcing it to do so". My side gig is pyrotechnics, fireworks. A LOT of what we talk about and work on in the industry is safety, sometimes talking about how to convince the government official to allow us to do things the safer way rather than insisting on outdated procedures, or things that are a bad (dangerous) fit for the situation.

  7. Proactive vs Reactive by Comboman · · Score: 2

    Government intervention need not be direct. Automotive safety initiatives prior to direct government regulation came mostly at the urging of insurance companies (the ones who lose a lot of money every time there's an accident). Since the government requires car-owners to have insurance, that's an indirect influence.

    Yes, you can find examples of industries that improve safety reactively as a marketing ploy in response to bad press from an unfortunate incident (for example, tamper-proof packaging after the Tylenol poisoning incident in the 1980s). Getting them to do it proactively (i.e. before something really bad happens) generally requires government intervention, and that is what we need here. Also, once the bad press goes away, the safety measures often do as well unless regulations have been updated to require them.

    --
    Support Right To Repair Legislation.
  8. Security and reliability are areas of innovation t by jd · · Score: 2

    I don't think we have to rely on archaic notions of what is secure. I don't think we need to suffer with medieval concepts of what was reliable.

    It's perfectly reasonable to expect IoT technology to strictly exceed the standards taught in the 1980s, simply because those standards are 40-odd years old. We've learned how to build things better since then.

    The law can reasonably enforce certain standards. There are standards out there, for coding and security. Some, like MISRA, are regarded as correct only in places. But they are published and are used by real people for real projects.

    The obvious solution is to commission the NSF to draw up some core standards, using the existing ones as templates:

    One set of rules for all I/O, probably based on CERT's secure programming and FIPS.

    One set for low-criticality systems, I'd argue 5N reliability is all you need for that.

    One set for high-criticality (medical implants, for example), probably using only vital, universal, elements from MISRA, JSF+ and DO-178C. Emphasis on vital, universal. You don't want rules here that are frivolous or domain-specific.

    One set for split role devices. I'd probably use ideas that are still relevant from the Rainbow Series.

    Such a group may decide that a given set is the empty set. That's fine. That means regulations don't make any sense at that level and that's worth knowing.

    The rules should be minimal, no group should have more than ten rules. I don't think anyone can seriously object to ten rules programmers came up with in the first place.

    By using existing, established, rules, most can be checked automatically, making it a cinch to validate and certify.

    Is it enough? Probably not, but that's not the point. The point is to create a starting point and enforce minimal standards superior to what is currently used but trivial enough to not impose an excessive overhead.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. shared spaces by petes_PoV · · Score: 3, Interesting

    Right now the internet is one big space that every user shares with every other user.

    That is irrespective of whether one user is a grandma trying to email to a relative, an individual buying a product, a city's traffic light network, a government department, a car or a battleship.

    This is a ridiculous situation to be in. We segregate road users for their own safety (and that of others) and in order to provide facilities that are appropriate for each type of user. What we don't need is a one-size-fits-all security model. We should be separating out the various forms of network traffic into physically discrete networks. Maybe even to the extent of having multiple networks with little or no cross-over between them.

    This would be especially apt for a break between commercial and non-commercial traffic. Or between government and civilian use. And especially between safety-critical infrastructure and everything else.

    The concept of an "internet" is past its useful life. The whole structure never took security seriously and was designed more around trust than enforcement. It is past time to move a LOT of stuff off the public network and to make it harder for grandma to accidentally email the Pentagon's National Military Command Centre - just like it isn't (I hope) possible for someone to accidentally walk in through its front door.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:shared spaces by thomst · · Score: 2

      https://slashdot.org/~petes_PoV blathered:

      >Right now the internet is one big space that every user shares with every other user.

      >That is irrespective of whether one user is a grandma trying to email to a relative, an individual buying a product, a city's traffic light network, a government department, a car or a battleship.

      >This is a ridiculous situation to be in. We segregate road users for their own safety (and that of others) and in order to provide facilities that are appropriate for each type of user. What we don't need is a one-size-fits-all security model. We should be separating out the various forms of network traffic into physically discrete networks. Maybe even to the extent of having multiple networks with little or no cross-over between them.

      >This would be especially apt for a break between commercial and non-commercial traffic. Or between government and civilian use. And especially between safety-critical infrastructure and everything else.

      >The concept of an "internet" is past its useful life. The whole structure never took security seriously and was designed more around trust than enforcement. It is past time to move a LOT of stuff off the public network and to make it harder for grandma to accidentally email the Pentagon's National Military Command Centre - just like it isn't (I hope) possible for someone to accidentally walk in through its front door.

      I could not more strongly disagree.

      The Internet is a voluntary interconnection between (at this point) millions of private networks. It is only that interconnection that made the staggering revolution in how people in the developed world interact with everything from local government to retailers to social networks to ... well ... virtually every other person, organization, and resource in the modern world.

      What you are describing is, in many ways, not unlike the Internet in the days of NSFnet being the only backbone provider in the USA. Commercial traffic was banned, period. Networks in the .com domain were permitted to use the net only to provide free-of-cost-to-the-user resources for the public. A private individual could only register for a .com domain by providing a statement of the use to which he/she intended to put it. Only network providers could register in the .net TLD. And so on.

      That proved extremely problematic, and, when NSFnet was defunded and went out of business in favor of commercial telecom providers' much-higher-speed backbones, virtually everyone on the 'net cheered. Loudly - because the NSFnet restrictions on content were essentially global constraints, since the USA had by far the largest population of users at the time, so even Europeans had to abide by the prohibitions, because some portion of their traffic would inevitably transit NSFnet.

      You are arguing for an officially-balkanized Internet - a change that would, in every meaningful way, destroy the usefulness of the most important advance in human communication in modern history. Not coincidentally, it would deny the populations of emerging economies the opportunity to interact with the rest of the world, and thereby force them to play technological catch-up with the equivalent of one foot in a bucket.

      There's a well-worn cliché that warns against the class of solutions you suggest to the problem of securing the subset of devices we call the IoT: "Don't throw the baby out with the bathwater."

      As for the insight you display, H. L. Mencken, the Bard of Baltimore, probably said it best when he observed that "there is always a well-known solution to every human problem — neat, plausible, and wrong ... "

      --
      Check out my novel.
  10. Because heart attack sufferers by jd · · Score: 3, Insightful

    Are in a position to shop between implants, and there's obviously millions of vendors.

    And, of course, stores carry an entire department of wireless routers, not just three boxes between two near-identical vendors who offer no information and have secrecy clauses on everything.

    Find any good OpenBSD-based thermostats on Amazon? Thought not.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  11. Re:As a libertarian by lgw · · Score: 2

    OP is really an economic anarchist, not a libertarian. Libertarians accept that the government has an important, if small, role in maintaining a stable market: policing, contract enforcement, fraud enforcement, standardizing weights and measures, that sort of thing. Basic product safety falls under that umbrella - it's fraud enforcement for the things everyone assumes about products even if they're not printed on the label.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  12. I Call BS by TomGreenhaw · · Score: 2

    >There's no industry that's improved safety or security without governments forcing it to do so.
    How about PCI (Payment Card Security Standards)? This is one of many examples where industry has self-imposed security standards without being forced by government.

    I personally advocate a happy medium on regulation, but that statement seems to demand the creation of a police state and I have to speak out against that horrible idea.

    --
    Greed is the root of all evil.
  13. Bruce is... by blahplusplus · · Score: 2

    ... largely in denial.

    Regulation is not going to stop anything in a nation that worships corporations. It's in too many big companies' interest to spy on everyone and remove their ability to own their own software. Mere regulation isn't going to help jack squat. The best security is not to have software and hardware unnecessarily connected to the internet for instance.

    If we were really interested in security DRM would not be a thing and all games would be able to be playable offline. The best security is not to put it on the net in the first place. Too many big companies have too much power and mere regulation is not going to do jack shit in government that is bought and owned by corporations. Like the man wasn't paying attention to the bail outs of the big banks in 2008 or the last 40 years of repeals of various acts that were designed to protect the public.

  14. Re:My car alarm would like a word with you by BronsCon · · Score: 2

    And his car has an alarm because he wanted a fucking car. Presumably, buying new was a requirement for one reason or another, which limited his options to:
    A) Alarm.
    or
    B) No car.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.