Here’s my summary of a cyber security essay by Bruce Schneier, a premier thought leader on security for public consumption. As a former English major, I’m using a meditation from John Donne as our guide:
“No man is an island, entire of itself; every man is a piece of the continent, a part of the main. If a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friend’s or of thine own were: any man’s death diminishes me, because I am involved in mankind, and therefore never send to know for whom the bells tolls; it tolls for thee.”
No IOT device is an island, but a part of the Internet main
John Donne wrote in the sixteenth century, the age of “new world” discovery by Europeans. Donne often used the global sea travel and commerce as a metaphor for connectedness with the moral universe. Today, every Internet-of-things (IOT) device is a part of our decided amoral Internet universe. Schneier argues that with IOT, the Internet has morphed into a giant robot, where sensors connect to cloud software brains which in turn control actuators affecting the physical world. This makes the need for simpler and smarter cyber security paramount.
Any IOT device hack diminishes me
On October 21, 2016, DVR’s and other devices which connect to the Internet purely as a convenience were hijacked. Twitter, Reddit, Netflix and many other sites were knocked off the air. There was nothing malicious in the design of these consumer IOT devices. Consumers just wanted the lowest cost appliances without the cost and inconvenience of cyber security features. The manufacturers were just trying to make a buck, as per usual.
The Sad Facts of the Matter
- On the Internet, attack is easier than defense.
- Most software is poorly written and insecure.
- Connecting everything to each other via the Internet will expose new vulnerabilities.
- Everybody has to stop the best attackers in the world.
- Laws inhibit security research.
The IOT hack tolls for thee
As Schneier says, because the use of the Internet is now a matter of life and death, “if we get this wrong, the computer industry will look like the pharmaceutical industry, or the aircraft industry. But if we get this right, we can maintain the innovative environment of the Internet that has given us so much.”
One regulatory paradigm comes from our experience with life-affecting risks: “secure design and secure engineering, security testing and certifications, professional licensing, detailed pre-planning and complex government approvals, and long times-to-market.”
The software alternative would be: “rapid prototyping, on-the-fly updates, and continual improvement… new vulnerabilities are discovered all the time and security disasters regularly happen… stress survivability, recoverability, mitigation, adaptability, and muddling through.”
Is smart regulation even possible today?
The cyber security industry has proven similar to health care in this respect: If left entirely to the market, costs and inefficiencies are enormous. For some financial services companies, internal costs are over $500M per year. Markets, motivated by profit and short-term goals are ill-suited for collective-action problems. And if you make your profit from sickness, sickness prevention is somebody else’s concern.
There is no “miracle of the market” forcing better cyber security. Cyber security is an economic externality for most firms, like air pollution — you may not mind foul air, but you don’t necessarily have a right to ship it downwind. Or, if you prefer, it’s like not vaccinating your children: You increase the risk of at-risk populations.
In the absence of market forces, a not-very technology friendly Republican party will impose solutions. Forced by circumstances to do something when the “bad-dudes” act, the most likely actions will take the form of brutal criminalization domestically, or declarations of war internationally.
And even though they’ve declared “regulation” a dirty word, it’s still possible: Remember how the bloated Department of Homeland Security originated after 9/11? The Patriot Act? That was an anti-regulation Republican President, too.
What would Schneier’s regulation wish list look like?
- Ensure companies follow good security practices: testing, patching, secure defaults and hold them liable.
- Mandate strong personal data protections, limitations on data collection and use.
- Ensure that responsible security research is legal and well-funded.
- Enforce transparency in design, require code escrow and interoperability to counterbalance the monopolistic effects of interconnected technologies.
- Ensure the individual’s right to take their data with them.
- Require Internet-enabled devices retain some minimal functionality even if disconnected from the Internet.
I’d add protecting the open-Internet, targeted by Trump’s FCC for eventual demise.
Obviously, there are many multi-billion dollar empires built around the lack of such regulations.
Is there a public interest technologist in the house?
Energy executives don’t prefer non-practitioners regulating them, and the same no doubt applies to technologists. I just hope that when the time comes, our industry is at the table and not leaving these matters to one political party’s lawyers. Google’s contributions have likely ended with Obama’s exit, while Trump appears to be interested only in the military aspects of cyber security.
I strongly agree with Schneier that “the historical divide between Washington and Silicon Valley — the mistrust of governments by tech companies and the mistrust of tech companies by governments — is dangerous… we need to make moral, ethical, and political decisions on how those systems should work.”
Both IEEE and ACM have relevant interest groups beyond the technical aspects of cyber security if anybody has the time, budget and inclination to participate.