NEW YORK (Reuters Breakingviews) - The world is ever more connected via the internet, from cars and power grids to home appliances and toys. That means ever more things are dangerously hackable, security expert Bruce Schneier writes in “Click Here to Kill Everybody.” The title is hyperbolic, but not by much. In some ways, the attack of the killer fridges has already begun.
Catastrophe doesn’t have to happen on purpose. Nation states can attack each other’s electricity infrastructure, and cyber criminals seize hospital computers and threaten patients’ lives until ransom is paid. But Schneier, who is chief technology officer at IBM Resilient and a fellow of Harvard University’s Berkman Klein Center for Internet & Society, also worries about fumbles and surprises. Small-time hackers lose control of their malware and infect bigger systems. Threats emerge not from individually compromised devices but from the unforeseen ways they interact.
The basic lack of security in much of the world’s internet infrastructure – itself part accident, part design – mattered less when the consequences were limited and devices more discrete (if not discreet). But increasingly a car is a computer with wheels, a phone is a computer that lets you call people, and a medical implant is a computer that controls your heartbeat or drug dosage. All are online, or soon will be. And the skill to exploit them is ever more widespread.
Bad actors abound. In Schneier’s book they persuasively include not only crooks, terrorists and hostile states but – in some regards – Western military and spy outfits or the corporate beneficiaries of what he terms “surveillance capitalism.” Skewed incentives mean spooks and CEOs have little interest in greater security if it cuts off the data flows they thrive on. Schneier doesn’t think your digital video recorder or the global internet it connects to is self-aware and planning to hurt you. But that doesn’t mean it won’t, one way or another.
DVRs around the world were dragooned by hackers in 2016 into a massive botnet called Mirai, along with insecure webcams and routers, to mount a denial-of-service attack that led to dozens of websites, including Reddit, PayPal, the BBC and Etsy, going offline. Last year hackers stole data from a casino’s network via an internet-connected fish tank. Humble fridges and thermostats can be abused for greater things.
“We’re already living in a world where computer attacks can crash cars and disable power plants – both actions that can easily result in catastrophic deaths if done at scale,” Schneier writes. “Add to that hacks against airplanes, medical devices, and pretty much all of our global critical infrastructure, and we’ve got some pretty scary scenarios to consider.” Don’t even get him started on biological printers.
One of the virtues of Schneier’s books, which include his 2015 “Data and Goliath” on the dangers of mass surveillance, is that he doesn’t just describe the problem but also suggests solutions. Lots of them, in fact, and all sensible, though some are more long-term and utopian than others. The answer is not a single magic bullet, but an array of mutually reinforcing policies.
One is increasing security liability for companies and their executives. That makes data breaches more painful for the likes of Marriott International or Equifax, to cite two companies that were recently affected. If sloppy data practices or products lead to fines, and affected users can sue, practices will improve. Companies can insure themselves, with premiums providing a self-reinforcing mechanism for better security.
Another is for the U.S. government to approach the internet as it does potentially lethal activities like air travel or atomic energy, creating a suitable oversight body. He suggests a National Cyber Office, modeled on the Office of the Director of National Intelligence, to overcome regulatory silos and pull together fragmented responsibilities.
Schneier argues for product standards that include minimal acceptable security features, such as a ban on easily abused default passwords. He also advocates more open research into, and disclosure of, internet-security flaws; higher spending on upgrading and maintaining basic internet infrastructure; better training in technology for lawmakers and law-enforcement; and the gradual development of international norms of cyber behavior.
He also calls for far more widespread encryption, on the basis that its benefits for society far outstrip the harm caused by criminals using it. He rejects calls by U.S. authorities, as well as the governments of democratic allies such as the United Kingdom and Australia, for backdoors to unlock encrypted messages. Modern systems are either secure for everyone or for no one.
Skeptics, especially in the United States, will question whether government regulation of the free-wheeling internet world will ever happen. Schneier himself is doubtful it will come soon. But “governments regulate things that kill people, and when the internet starts killing people it will be regulated,” he writes. The only question is whether the regulation is smart or stupid. The European Union’s General Data Protection Regulation, implemented this year, goes in the right direction. But politicians can panic and pass bad laws when a crisis hits. Schneier’s creditable aim is to have prepared good policy options for when that happens.