SAN FRANCISCO The massive, rapidly expanding network of insecure IoT devices is becoming so large and unwieldy that it will inevitably attract attention from government regulators in the near future. And that’s actually a positive development, security experts say.
“As everything becomes a computer, computer security becomes everything security. The beachhead of all of this is the Internet of Things. We are together creating a world-sized robot and nobody realizes it,” Bruce Schneier, a cryptographer and author, said in a talk at the RSA Conference here Tuesday.
“It’s distributed, it doesn’t have a central brain, it doesn’t have a singular goal, and most importantly, it doesn’t have a central design. This is what’s eating the world.”
The man problem with IoT security is a familiar one: bad software. It’s the same root problem that has plagued PCs for decades and now affects mobile devices, as well. In the IoT world, the problem is especially acute because software updates are infrequent or non-existent for most of these devices. So when a vulnerability emerges, the devices stay exposed for their useful lives. That’s a serious issue for a desktop machine or mobile phone, but for a medical device or a car, it can be a life-and-death one.
“We as a world don’t want to pay for good software. The old option of good, fast, and cheap, pick any two, we always pick fast and cheap,” Schneier said.
“When computers start killing people, there are going to be consequences.”
“The extensibility of computing means everything can be used against us. Computers can be programmed to do anything.”
The last few months have seen a string of high-profile security incidents involving IoT devices, most notably the emergence of theMirai botnet and the DDoS attacks attributed to it. Those attacks have drawn plenty of attention from the government, specifically federallawmakers who are looking into whether regulation of IoT is a good move and how it might be accomplished. Schneier said he believes that regulation not only is coming, but it’s something security professionals should welcome.
“There are collective action problems here that the market can’t solve. We’ve been OK with security failures in the past because the effects weren’t that great,” he said. “I think we need a new regulatory agency. There’s a lot of precedent for this. It’s the worst possible idea, except for all the others. The government is going to get involved regardless. Nothing motivates the government like fear. We need to make sure the regulations that are coming don’t stifle innovation.”
Schneier pointed to the creation of federal agencies such as the FCC, the Department of Energy, Department of Transportation, and others as historical precedentsfor a possible IoT regulatory group. He also called on security professionals and engineers to get involved in the policy making process.
“Until now we have largely given programmers the right to code the world as they saw fit. That was fine because it didn’t matter. When it comes to the IoT, it does matter,” he said. “We as technologists need to get involved. When computers start killing people, there are going to be consequences. I think that’s coming faster than people think.”