RSA 2016 Security guru Bruce Schneier has issued a stark warning to the RSA 2016 conference – get smart or face a whole world of trouble.
The level of interconnectedness of the world's technology is increasing daily, he said, and is becoming a world-sized web – which he acknowledged was a horrible term – made up of sensors, distributed computers, cloud systems, mobile, and autonomous data processing units. And no one is quite sure where it is all heading.
"The world-sized web will change everything," he said. "It will cause more real-world consequences, has fewer off switches, and gives more power to the powerful. It's less being designed than created and it's coming with no forethought or planning. And most people are unaware that it's coming."
People are fairly good at predicting where technology is going, but have a very poor record at predicting the knock-on social effects, he opined. Some of the stuff written about the information superhighway in the 1990s by himself and others was embarrassingly wrong, he said, but this isn't a new phenomenon.
For example, everyone understood that the invention of the car allowed humans to travel farther and faster than before, but no one predicted the rise of suburban living and the consequent issues that caused. The same is going to be true with the world-sized web.
The problem is in the design. Traditionally we build complex systems like buildings and aircraft with a safety-first principle. Time is spent in the design phase making sure that breakages are unlikely, and if things do go wrong then the effects are somewhat mitigated.
But software isn't like that. Instead you code fast and hard and then fix things when problems crop up. The merging of these two design styles poses almost insurmountable security problems for all of us.
Governments are going to have a hard time dealing with this, since they tend to focus on specific silos of influence, like defense, agriculture or energy. Markets won't deal with it because they are profit focused and motivated for short-term gain.
Schneier cited the current explosion of internet-of-things devices as an example of the latter issue. Almost none of these devices take security seriously because there's no money in addressing security issues for the makers, and the same is true for the world-sized web.
The issue is that, for such a global system, attackers have a distinct advantage. Defenders have to protect an entire system, whereas an attacker only has to find one flaw to achieve their objective.
As the world-sized web grows, the consequences of a major failure become much more severe. But even worse than the failure of such a global computing system is going to be the public's reaction to it, Schneier said.
"Historically we are bad at defending against threats and very good at panicking about them," he said. "Panic is more dangerous to liberty than the threats themselves."
There are no easy answers to this, he said, but for a start we should concentrate on disconnecting key systems from each other and moving to more distributed, localized systems, and putting time limits on data storage.
Looking further ahead, governments need to think about regulating technology much more carefully, and on a broader scale than is done at the moment. There are already moves in this area by the Korean and Japanese governments, but Schneier said the US was going to lag behind on this one.
"We need to bring together policy makers and the technology industry to work this out," he concluded. "I do not believe regulators alone are up to the task – we all need to get involved."