We Must Slow Innovation in Internet-Connected Things, Says Bruce Schneier

Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought. Schneier made these arguments in his new book titled, Click Here to Kill Everybody which is on sale now. Here's an excerpt from his interview with MIT Technology Review: Technology Review: So what do we need to do to make the Internet+ era safer?
Schneier: There's no industry that's improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company's earnings.

Technology Review: But won't things like strict liability laws have a chilling effect on innovation?
Schneier: Yes, they will chill innovation -- but that's what's needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We're past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.

Technology Review: There's a fundamental tension here, though, isn't there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.
Schneier: Governments are certainly poachers as well as gamekeepers. I think we'll resolve this long-standing tension between offense and defense eventually, but it's going to be a long, hard slog to get there.

Click Here to Kill Everybody

[110010001000]

I give the book five stars based solely on the title.

Recalls....

[Luthair]

In the car world if manufacturers make a mistake they can be forced to recall the vehicles. In the device world you can release something and wash your hands of it.

Re:Recalls....

For some reason negligence is acceptable behavior in IT and CS.

It's because CS doesn't want to be treated as "real" engineering.

In real engineering, you - personally - sign off on things. Engineers are held responsible if they design a structure that fails even when given the proper maintenance. They are held accountable for what they do. Ditto if you are an EE and you design a circuit deployed in consumer electronics that fails by the millions and burns down houses.

The software world wants NO accountability. It wants to belch out mountains of shit and then wash their hands of it, because doing it right is "too hard".

This can ONLY be fixed by legislation which holds software "engineers" accountable for failure. Right now there is zero accountability, which is a recipe for negligence and failure.

Innovation is not the problem

[drinkypoo]

The problem isn't innovation, doing new things is good. The problem is not learning from the old things. The mistakes the IoT vendors are making are all mistakes that have been made before. Looking to the future is positive, so long as you don't ignore the past.

We don't need to slow down innovation. We need to put more emphasis on history. Ironically this could actually speed up innovation since less time would be spent fighting fires.

Re:Innovation is not the problem

>The mistakes the IoT vendors are making are all mistakes that have been made before
Guy above you said the same thing.

I hope you guys realize that line is evidence of a systematic problem, not a problem with the behavior of individuals. System problems aren't corrected by "discipline" to behavior, it takes ridiculous resources and effort to get marginal changes to the base human condition. As a basic example, you don't treat Greed you build around it (ie assume it, even refer to it as "standard market forces") as we have with millions of laws for centuries.

Assume self-interested companies will continue to act like self-interested companies. Indefinitely. It can't be stopped.

Now change your recommendations to reflect that.

Yet factually incorrect from the first sentence

[raymorris]

Yep, it's a catchy title. Bruce is generally a smart guy, so I'm surprised to hear him start the interview with a statement that is flat out wrong on the facts. More than that, anyone who knows a little history KNOWS it's wrong.

"There's no industry that's improved safety or security without governments forcing it to do so.", he began.

Has Bruce never heard of Underwriters Laboratories (UL listed, UL registered, etc)? Underwriters means insurance companies. That's not government, that's insurance companies offering guidance and an incentive. How about the National Fire Protection Association, which writes the fire codes? That's another safety organization started by insurance companies, and insurance companies wouldn't insure a building unless it met fire code. Later, local governments ALSO said "me to", but the NFPA and fire codes were created by insurance companies, not government.

The auto companies were advertising safety innovations for half a century before there was any major legistlate. From Dusenberg advertising hydraulic brakes in the 1920s to Ford marketing safety glasses in all its cars in the 1930s to padded dashboards, safety cages, and disc brakes in the 1940s - it wasn't until the 1960s that the government got involved.

So it's simply factually incorrect, plain wrong, to say "There's no industry that's improved safety or security without governments forcing it to do so". My side gig is pyrotechnics, fireworks. A LOT of what we talk about and work on in the industry is safety, sometimes talking about how to convince the government official to allow us to do things the safer way rather than insisting on outdated procedures, or things that are a bad (dangerous) fit for the situation.