Slashdot Mirror

← Back to Stories (view on slashdot.org)

We Must Slow Innovation in Internet-Connected Things, Says Bruce Schneier (technologyreview.com)

Posted by msmash on from the warning-served dept.

Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought. Schneier made these arguments in his new book titled, Click Here to Kill Everybody which is on sale now. Here's an excerpt from his interview with MIT Technology Review: Technology Review: So what do we need to do to make the Internet+ era safer?
Schneier: There's no industry that's improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company's earnings.

Technology Review: But won't things like strict liability laws have a chilling effect on innovation?
Schneier: Yes, they will chill innovation -- but that's what's needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We're past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.

Technology Review: There's a fundamental tension here, though, isn't there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.
Schneier: Governments are certainly poachers as well as gamekeepers. I think we'll resolve this long-standing tension between offense and defense eventually, but it's going to be a long, hard slog to get there.

9 of 140 comments (clear)

  1. Click Here to Kill Everybody by 110010001000 · · Score: 4, Insightful

    I give the book five stars based solely on the title.

  2. Recalls.... by Luthair · · Score: 4, Insightful

    In the car world if manufacturers make a mistake they can be forced to recall the vehicles. In the device world you can release something and wash your hands of it.

    1. Re:Recalls.... by Anonymous Coward · · Score: 4, Insightful

      For some reason negligence is acceptable behavior in IT and CS.

      It's because CS doesn't want to be treated as "real" engineering.

      In real engineering, you - personally - sign off on things. Engineers are held responsible if they design a structure that fails even when given the proper maintenance. They are held accountable for what they do. Ditto if you are an EE and you design a circuit deployed in consumer electronics that fails by the millions and burns down houses.

      The software world wants NO accountability. It wants to belch out mountains of shit and then wash their hands of it, because doing it right is "too hard".

      This can ONLY be fixed by legislation which holds software "engineers" accountable for failure. Right now there is zero accountability, which is a recipe for negligence and failure.

  3. Innovation is not the problem by drinkypoo · · Score: 5, Insightful

    The problem isn't innovation, doing new things is good. The problem is not learning from the old things. The mistakes the IoT vendors are making are all mistakes that have been made before. Looking to the future is positive, so long as you don't ignore the past.

    We don't need to slow down innovation. We need to put more emphasis on history. Ironically this could actually speed up innovation since less time would be spent fighting fires.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Innovation is not the problem by Anonymous Coward · · Score: 4, Insightful

      >The mistakes the IoT vendors are making are all mistakes that have been made before
      Guy above you said the same thing.

      I hope you guys realize that line is evidence of a systematic problem, not a problem with the behavior of individuals. System problems aren't corrected by "discipline" to behavior, it takes ridiculous resources and effort to get marginal changes to the base human condition. As a basic example, you don't treat Greed you build around it (ie assume it, even refer to it as "standard market forces") as we have with millions of laws for centuries.

      Assume self-interested companies will continue to act like self-interested companies. Indefinitely. It can't be stopped.

      Now change your recommendations to reflect that.

  4. Re:They make the same mistakes _again_ by Opportunist · · Score: 3, Insightful

    No, logical.

    The people developing IoT devices are not software engineers. They are engineers designing fridges, TVs, stoves and washing machines. And they're even good at that. But they now get the task to add "internet connectivity" to it. Why? Because we have a new checkbox on the cute cards in the stores. You know those cards. The ones that list all the awesome features your appliance has. The ones the customer does not understand but counts how many of those boxes are checked. And if your appliance does not have a check that the other one has, the customer won't buy yours. Because he needs that feature? Hell no. He most likely doesn't even know what the feature is. But the other one has it, so it's "better".

    With this in mind it is easy to understand why every toaster now needs WiFi access. And also why that WiFi access is treated like a gimmick rather than a real feature by its maker. Actually, I'm surprised it works, I wouldn't even dream about asking whether it's secure.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Yet factually incorrect from the first sentence by raymorris · · Score: 4, Informative

    Yep, it's a catchy title. Bruce is generally a smart guy, so I'm surprised to hear him start the interview with a statement that is flat out wrong on the facts. More than that, anyone who knows a little history KNOWS it's wrong.

    "There's no industry that's improved safety or security without governments forcing it to do so.", he began.

    Has Bruce never heard of Underwriters Laboratories (UL listed, UL registered, etc)? Underwriters means insurance companies. That's not government, that's insurance companies offering guidance and an incentive. How about the National Fire Protection Association, which writes the fire codes? That's another safety organization started by insurance companies, and insurance companies wouldn't insure a building unless it met fire code. Later, local governments ALSO said "me to", but the NFPA and fire codes were created by insurance companies, not government.

    The auto companies were advertising safety innovations for half a century before there was any major legistlate. From Dusenberg advertising hydraulic brakes in the 1920s to Ford marketing safety glasses in all its cars in the 1930s to padded dashboards, safety cages, and disc brakes in the 1940s - it wasn't until the 1960s that the government got involved.

    So it's simply factually incorrect, plain wrong, to say "There's no industry that's improved safety or security without governments forcing it to do so". My side gig is pyrotechnics, fireworks. A LOT of what we talk about and work on in the industry is safety, sometimes talking about how to convince the government official to allow us to do things the safer way rather than insisting on outdated procedures, or things that are a bad (dangerous) fit for the situation.

  6. shared spaces by petes_PoV · · Score: 3, Interesting
    Right now the internet is one big space that every user shares with every other user.

    That is irrespective of whether one user is a grandma trying to email to a relative, an individual buying a product, a city's traffic light network, a government department, a car or a battleship

    This is a ridiculous situation to be in. We segregate road users for their own safety (and that of others) and in order to provide facilities that are appropriate for each type of user. What we don't need is a one-size-fits-all security model. We should be separating out the various forms of network traffic into physically discrete networks. Maybe even to the extent of having multiple networks with little or no cross-over between them.
    This would be especially apt for a break between commercial and non-commercial traffic. Or between government and civilian use. And especially between safety-critical infrastructure and everything else.

    The concept of an "internet" is past its useful life. The whole structure never took security seriously and was designed more around trust than enforcement. It is past time to move a LOT of stuff off the public network and to make it harder for grandma to accidentally email the Pentagon's National Military Command Centre - just like it isn't (I hope) possible for someone to accidentally walk in through its front door.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  7. Because heart attack sufferers by jd · · Score: 3, Insightful

    Are in a position to shop between implants, and there's obviously millions of vendors.

    And, of course, stores carry an entire department of wireless routers, not just three boxes between two near-identical vendors who offer no information and have secrecy clauses on everything.

    Find any good OpenBSD-based thermostats on Amazon? Thought not.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)