Governments are poised to intervene over the security of IoT devices, as the industry has so far failed to self-regulate, infosec guru Bruce Schneier has said.
In his keynote speech at Infosecurity Europe 2017, Schneier told delegates that the correct way to think about IoT is as if we are building a world-sized distributed robot with no centralised control.
"It's not a robot in the classic sense. We get our conceptualisation of robots from movies such as Star Wars, where it has a metal shell with smarts on the inside.
"But the internet senses, thinks and acts. And what is interesting to me about that is that's the classic definition of a robot."
Everything is a computer now, which means computer security has become "everything security", he says. "Regulation is coming and is coming in a big way. There is a lot of worry that regulation will stifle innovation, but if you look at history that is not the case.
"The real physical threat from the Internet of Things will force governments to act because we are talking about fear, and nothing [makes] a government do something like fear."
To ensure we get "smart government regulation", not "stupid" regulation, the infosec community will have to get involved. So far the sector has failed to self-regulate, he said, pointing to the number of different standards documents as a case in point.
"There are about 20 different IoT standards documentations ... security testing, patching ... support for responsible practices, a failsafe mode, an offline mode. These are all good lists – the hard part is getting them adopted.
Good, fast, cheap. Pick two
"Until now we've largely left computer security to the market. And that has worked mostly OK, but not great."
Almost all software is poorly written and insecure, he says. "We know the market does not pay for quality software. The adage is good, fast and cheap: pick any two. The market has picked fast and cheap at the expense of good. Pretty much everywhere, software doesn't work very well."
Software is full of bugs, and some of those bugs lead to vulnerabilities, which can then be exploited.
Apple and Google have teams of engineers on hand to release patches for when a vulnerability has been discovered. But that will not be true for something like a cheap internet-connected digital video recorder.
"In a lot of the cases the market can't fix this, because neither the buyer nor the seller care if your DVR might be part of the Mirai botnet. Because it's cheap and it's working ... The problem is that someone else is the victim of a DDoS attack because of your insecure DVR.
"I really stress that we are going to get government intervention here, because the market will not fix these problems by itself and that is actually normal."
Gartner reckons there will be 8.38 billion IoT gadgets installed in 2017, while other, more wild estimates put the total number between 30 and 50 billion by 2020.
But Schneier says the total number is not the right metric for security professionals to consider. "The problem is that it's going to be lots of different types of devices – that is what is going to cause the problem.
"And a lot of this will be cheap, and low-hanging fruit for attackers – gaining entry points into more powerful systems, and [creating] larger and more powerful bot-nets in these sub-few-pound devices," he says.
"The market rarely fixes these things ... Companies do not do this by themselves, they need the government to fix it." ®