Government regulation will clip coders' wings, says Bruce Schneier
Systems 'too critical to allow programmers to do as they want'
Infosec 2016: Government regulation of the Internet of Things will become inevitable as connected kit in arenas as varied as healthcare and power distribution becomes more commonplace, according to security guru Bruce Schneier.
“Governments are going to get involved regardless because the risks are too great. When people start dying and property starts getting destroyed, governments are going to have to do something,” Schneier said during a keynote speech at the Infosecurity Europe trade show in London.
The choice is between smart (well-informed) and stupid government regulation, with the option of non-interference being taken off the table.
“I think that more government involvement in cybersecurity is inevitable, simply because the systems are more real,” Schneier explained.
Security by design – applied to cars, planes, automobiles – is characterised by testing and certification, and it is going to run into the agile model applied in software security of “muddling through putting it out there and fixing it on the fly”.
The latter model won’t survive as computing devices control physical systems, according to Schneier.
“We’ve allowed programmers to have this special place in society to code the world as they see fit,” Schneier said. “I don’t think we can do that anymore. I think this is becoming too critical to allow programmers to do what they want.”
Schneier categorised the IoT as a world-sized robot that society is building, made up of connected devices that can sense, think and act autonomously.
“More government involvement in cyber security is inevitable simply because the systems are more real,” Schneier said. “We’re getting into the world of catastrophic risks as our computers become more physical.”
The trouble is we don’t yet have a good regulatory structure that might be applied to the IoT. Policy makers don’t understand technology and technologists don’t understand policy.
“We are going to see more cyber war rhetoric, more cyber terrorism rhetoric, more calls for surveillance, more calls for use control, more trusting of the government,” Schneier said, adding there are lots of decisions markets won’t resolve.
Schneier described the Internet of Things (IoT) as the next big security challenge because it will see technology collide with the real world. Smart things that make up the IoT act on the world in a direct and physical manner.
“It’s one big inter-connected system of systems with threats, attackers, effects; the IoT is a system of systems… everything we’ve seen now, just turned up to 11 and in a way we can’t turn it off.”
“Integrity and availability are worse than confidentiality threats, especially for connected cars. Ransomware in the CPUs of cars is gonna happen in two to three years,” he warned.
Schneier said technologists and developers ought to design IoT components so that they work even when they are offline and fail in a safe mode.