A call for action to avert an IoT security meltdown
Cybersecurity author and strategist Bruce Schneier
Photography: Erik Nilsson

Rae Ritchie — January 2020

Forget traditional internet security; we are entering the era of ‘everything security,’ according to renowned security strategist and author Bruce Schneier. And that demands some bold and immediate action to forestall potentially catastrophic consequences.


“Your refrigerator is a computer that keeps things cool. Your microwave is a computer that heats things up. We are creating a world where everything is a computer.”

That was the pronouncement by cryptographer and security guru Bruce Schneier in his recent lecture at University College London (UCL), entitled ‘Securing a World of Physically Capable Computers.’

“Internet security will become ‘everything security,’” he argued. “And that means lessons from computer security will become relevant to everything.”

Schneier is certainly well qualified to share such lessons. He is the author of prescient bestsellers Secrets and Lies: Digital Security in a Networked World, Liars and Outliers: Enabling the Trust that Society Needs to Thrive and Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. His latest book is Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. He holds fellowships at Harvard Law School’s Berkman Center for Internet and Society and the New America Foundation’s Open Technology Institute. And he is in high demand as a keynote speaker and adviser to governments and major corporations worldwide.

The intrinsic vulnerability of a connected world

With a focus on the implications of information security for society, Schneier is adamant that the current risk will become increasingly problematic as more and more devices become internet-enabled.

Most software is poorly written and insecure

“With notable exceptions, such as space shuttles, we don’t want to pay for good quality software,” observed Schneier. Instead, organizations invariably opt for cheap and convenient rather than costly and secure, resulting in software that is riven with vulnerabilities and bugs, he said.

This emphasis on cost over security will only continue in the drive to create affordable (and competitive) IoT devices, Schneier argued. It will no longer be feasible — or even possible — to find and fix every problem, meaning the software running everything from cars to medical equipment will remain vulnerable and, therefore, exposed to attack.

The internet was never designed with security in mind

“It seems crazy to say it now but the internet was never used for anything important in the ’70s,” he told the UCL audience.

In the pioneer days of the web, users had to belong to an accredited institution, meaning access was tightly limited to trusted individuals. There was no perceived need for protection or preventive measures. Times may have changed enormously but as Schneier noted: “We are still living with their choice to not embed security.”

The extensibility of computers

“Smartphones can do things that their designers never envisioned,” said Schneier. “We can’t constrain their usability and there’s no limit to their functionality.”

The same applies to other IoT devices, where a download can introduce new functions — desirable or not. As Schneier pointed out: “Malware is a feature upgrade. Not one you want, but still an upgrade.”

This has major implications in terms of security, he continued: “Your refrigerator can now send spam.”

It’s harder to defend than attack

When it comes to cybersecurity, attack is much easier than defense, Schneier observed.

Furthermore, the increased complexity of digital devices and sensors makes the job of protection that much more difficult because there is more functionality that needs to be defended. “The internet is by far the most complex machine man has ever created,” he said, “therefore it’s hard to defend.”

More connections: more vulnerabilities

Just a few years ago, the idea of hackers stealing data via an internet-connected fish tank would have sounded like science fiction. Yet, as Schneier highlighted, that is what happened in 2017, when criminals managed to access the network of an unnamed casino in North America via its aquarium’s smart monitoring system.

As ever more devices join networks, such scenarios will only become more frequent, he said.

Not only do more connections mean more vulnerabilities, said Schneier, but a cascade effect develops. Systems can impact other systems in unpredictable and sometimes harmful ways: “The more we network things together, the more vulnerabilities in one system will affect others.”

Attacks always get better, easier and faster

“A password that was good 10 years ago might not be good today,” Schneier explained. “Attacks always get better, easier and faster because we are dealing with an intelligent, efficient and adaptive adversary.”

This is a different model from other areas of security. Schneier made a comparison with weather tracking: “Hurricanes never get smarter; in computer security, computers do. It’s a dynamic process. With spam-versus-spam detectors, for example, the former gets a new technique, the latter figures out how to stop it.”

Time to act

As IoT becomes ubiquitous, norms and behavior need to change, he argued. “Long-standing security assumptions are failing,” said Schneier, and this has enormous implications for how the technology industry operates.

“Software is lousy, so we patch. But products such as routers that are built off-shore for low costs don’t [necessarily] have a security system attached — so there is no option for patching,” he said.

Problems arise when systems without in-built security are added to items with longer life spans. “This doesn’t work for low-cost embedded systems,” said Schneier. “Throw away and buy a new one is a good security strategy but it doesn’t work for an embedded system. How often do you replace your refrigerator? It is different to a phone. And what about your car?”

At the same time, identity authentication is failing, he argued: “Authentication only just worked — and then not very well. Now that is about to change, with the rise of thing-to-thing authentication.

“The point of 5G is not so you can watch Netflix faster but so devices can talk to other devices without bothering you — without human intervention. Autonomous vehicles will have ad hoc authentication to thousands of other vehicles in real time. But we can’t pair up all devices, and our phone can’t be the control hub for thousands of products. That’s a different kind of authentication; we don’t know how to do that ad hoc at scale.”

Responsibility of policymakers

Schneier believes the way to handle such challenges is to incorporate resilience. “We need to build a lot more of this in,” he said. “To build systems that will work despite being vulnerable. It’s about failing safe, failing secure.

“We need more thinking about resilience but this is a problem that is as big as the internet itself. Can you build a secure network out of insecure parts? The obvious answer [today] is ‘No’ but there’s real research needed into how to make that answer ‘Yes.’”

Schneier is clear about where the responsibility does and doesn’t lie. “Markets alone will not solve this. Markets are short-term, profit-motivated and driven by individual good, not social good. The missing entity is government.”

He expanded on the point: “Government is how we solve this problem. The fact that government has been missing has been the source of many of the problems. I can find no example from the last 150 years of safety and security being improved without intervention by government.”

Governments are already involved in areas affected by IoT technology, such as cars. And he believes that, “Done right, government [can] incentivize industry, as it has done with automotive safety standards.”

However, he was quick to add an important caveat to this call for government: technologists need to help shape policy, too. “All security policy issues involve technology: driverless cars, electoral voting machines, machine-learning technology. Legislators don’t [always] understand this.

“We need to fix this and it’s the work of technologists to get involved in policy — else bad policy will happen to us,” he warned.

• Bruce Schneier was speaking at the Centre for Doctoral Training in Cyber Security, University College London

• Read Fujitsu’s White Paper: Best Practices to Build a Customer-First Security Strategy to learn more about how to transform security for a greater focus on customer and business needs, the importance of risk management, and the need for simplified security.

First published January 2020