Infosec guru Schneier: Govts will intervene to regulate Internet of Sh!t

Crappy software everywhere means we face a world of pain

Governments are poised to intervene over the security of IoT devices, as the industry has so far failed to self-regulate, infosec guru Bruce Schneier has said.

In his keynote speech at Infosecurity Europe 2017, Schneier told delegates that the correct way to think about IoT is as if we are building a world-sized distributed robot with no centralised control.

"It's not a robot in the classic sense. We get our conceptualisation of robots from movies such as Star Wars, where it has a metal shell with smarts on the inside.

"But the internet senses, thinks and acts. And what is interesting to me about that is that's the classic definition of a robot."

Everything is a computer now, which means computer security has become "everything security", he says. "Regulation is coming and is coming in a big way. There is a lot of worry that regulation will stifle innovation, but if you look at history that is not the case.

"The real physical threat from the Internet of Things will force governments to act because we are talking about fear, and nothing [makes] a government do something like fear."

To ensure we get "smart government regulation", not "stupid" regulation, the infosec community will have to get involved. So far the sector has failed to self-regulate, he said, pointing to the number of different standards documents as a case in point.

"There are about 20 different IoT standards documents ... security testing, patching ... support for responsible practices, a failsafe mode, an offline mode. These are all good lists – the hard part is getting them adopted.

Good, fast, cheap. Pick two

"Until now we've largely left computer security to the market. And that has worked mostly OK, but not great."

Almost all software is poorly written and insecure, he says. "We know the market does not pay for quality software. The adage is good, fast and cheap: pick any two. The market has picked fast and cheap at the expense of good. Pretty much everywhere, software doesn't work very well."

Software is full of bugs, and some of those bugs lead to vulnerabilities, which can then be exploited.

Apple and Google have teams of engineers on hand to release patches when a vulnerability is discovered. But that will not be true for something like a cheap internet-connected digital video recorder.

"In a lot of the cases the market can't fix this, because neither the buyer nor the seller care if your DVR might be part of the Mirai botnet. Because it's cheap and it's working ... The problem is that someone else is the victim of a DDoS attack because of your insecure DVR.

"I really stress that we are going to get government intervention here, because the market will not fix these problems by itself and that is actually normal."

Gartner reckons there will be 8.38 billion IoT gadgets installed in 2017, while other, wilder estimates put the total number between 30 and 50 billion by 2020.

But Schneier says the total number is not the right metric for security professionals to consider. "The problem is that it's going to be lots of different types of devices – that is what is going to cause the problem.

"And a lot of this will be cheap, and low-hanging fruit for attackers – gaining entry points into more powerful systems, and [creating] larger and more powerful bot-nets in these sub-few-pound devices," he says.

"The market rarely fixes these things ... Companies do not do this by themselves, they need the government to fix it." ®
