The internet of things needs to be regulated and soon before it becomes even more of a tool to facilitate cyberattacks, and that means coming up with civic-minded technologists to help formulate government policies, security expert Bruce Schneier told an RSA Conference 2017 audience.
The problem is governments lack the technological expertise to understand the mindset of the makers of IoT devices and the markets in which they are sold.
Society needs to address the moral, political and ethical issues about how the IoT should be secured, and that means people who understand it need to get involved in making policy. “Getting it right means having our expertise,” he says.
Just as law schools churn out public-interest attorneys, computer science schools need to train public-interest technologists. “We need to get into the debate,” he says.
The scope of measures that could be taken include regulations, fines, ratings, certifications, assigning legal liability and performing forensic investigations, Schneier says.
With the addition of an estimated 2 billion devices being connected to the internet per year, the scale of what malicious actors can do with the IoT is enormous and ballooning, he says.
security expert Bruce Schneier
The Mirai botnet that enslaved thousands of DVRs and surveillance cameras last fall to aggregate a 1Tps DDoS attack is one example of what could become routine if something isn’t done. The concern is that one individual was able to take down a chunk of Web sites by attacking DNS provider Dyn. The problem becomes catastrophic when one individual can shut down power plants or self-driving cars, he says.
In general software is badly written and so it is buggy, which means it can be compromised, he says. That includes software for IoT devices. This can result in unknown and unguessable attacks. Software can be upgraded, so if it is compromised, a malicious upgrade could enable unimagined malicious activity. “Computers can be programmed to do anything,” Schneier says. “We can’t anticipate every use and every condition.”
A solution might include removing these devices from the internet unless they absolutely require connectivity because once connected they pose a potential danger. “Networking allows things to scale, including attacks…Fewer attacks can do more damage because they can scale,” he says.
Schneier says there are two types of security. One requires getting security right the first time because the consequences of failure are so great. That’s the case, for example, with building buildings and designing planes.
The other type of security is accepting that vendors sell products that aren’t perfect, but the consequences of failure aren’t that great and the serious flaws can be rapidly fixed. In this case manufacturers balance the cost of failure against the cost fixing the problems.
But now the problems of the second realm are starting to have the consequences of the first. “The two worlds are colliding,” he says. The impact of an implanted medical device being compromised can be disastrous, so the security needs to be closer to the model used for buildings and planes.
The challenge is how to get vendors to make their products more secure. “Computer security was left to the market. We’ve been OK with imperfect solutions because the effects of failure just aren’t that great.” And customers routinely turn in these devices and buy new ones that are more secure.
The ecosystem that designs security into phones and computers doesn’t exist for thermostats and DVRs, and they are traded-in infrequently. “I expect to replace my thermostat approximately never,” he says. In the case of DVRs hijacked to be part of the Mirai botnet, neither the manufacturers nor the customers cared because they weren’t affected. The DVRs still worked for the customers so the vendors received no complaints.
“The market tends not to protect things without government intervention,” he says. And all of that protection doesn’t have to come from the U.S. government.
Consumers here can benefit from government interventions elsewhere. European Union regulations will require vendors to meet certain standards, and it makes sense that if they do so, they would sell those compliant products elsewhere. So if good regulations are required there, chances are these more secure products will also be sold here.
Regulations aren’t popular, but they are becoming necessary, Schneier says. “Governments are going to get involved, regardless. The stakes are too high.”