Bruce Schneier recently published an article (or more accurately, at nearly 6,000 words, a manifesto) entitled Security and the Internet of Things. It’s an incredibly insightful and well-thought-out case for why government needs to get involved to regulate the security aspects of the Internet. This article summarizes some of his key points, but if you have the time, Schneier’s full article is worth a read.
Schneier’s assertion is that our global society is building an Internet that senses, thinks, and acts. “This is the classic definition of a robot,” writes Schneier. “We’re building a world-size robot, and we don’t even realize it.” He believes that an overarching government agency needs to regulate the security aspects of that “robot” before really bad things start to happen, like hackers causing nuclear power plants to explode or cars to speed up and crash.
Lest you think that Bruce Schneier is just some paranoid nutcase, let me tell you that he is an internationally renowned security technologist, called a “security guru” by The Economist. He is the author of 13 books – including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World – as well as hundreds of articles, essays and academic papers. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University, a Lecturer in Public Policy at the Harvard Kennedy School, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at IBM Resilient.
Why the Call for Regulation?
Schneier begins his thesis with a recounting of the massive distributed denial of service (DDoS) attack in October 2016 that caused major Internet platforms and services to be unavailable to large swathes of users in Europe and North America. The attack was traced back to the takeover of hundreds of thousands of various connected devices, including DVRs and webcams, that were then directed to send an overwhelming amount of traffic to a critical service that’s part of the Internet’s infrastructure.
While the attack itself was bad enough, many security experts believe it was just a test of much more powerful attacks yet to come. It’s inevitable, experts believe, given that millions upon millions of components and devices that comprise the Internet of Things (IoT) go unsecured, unpatched, and unregulated.
Schneier points out, “We no longer have things with computers embedded in them. We have computers with things attached to them.” Take cars, for example. “It’s no longer a mechanical device with some computers inside; it’s a computer with four wheels and an engine,” he writes. Virtually every aspect of modern cars are controlled by dozens of electronic control units (ECUs) that run everything from in-car WiFi capabilities and navigation systems that use GPS, to collision warning and avoidance systems, and much more. Imagine what could happen if these systems were hacked. In fact, it has already been proven that on-board automotive systems can be vulnerable to attack—and that can be disastrous for the future of driver-assist and autonomous driving systems.
Looking at the big picture, Schneier writes, “The Internet is no longer a web that we connect to. Instead, it’s a computerized, networked, and interconnected world that we live in. This is the future, and what we’re calling the Internet of Things.” He says the IoT has three parts. One, the sensors that collect data about us and our environment, are like the eyes and ears of the Internet. Two, the machine learning and data analytics part (“the smarts”) that figures out what all the data means and what to do about it – this is like the brain. And three, the actuators that affect our environment are like the hands and feet. Bring them all together and you have the Internet that senses, thinks, and acts: Schneier’s definition of a world-size robot.
This Robot Can Punch and Kick
In its earliest incarnation decades ago, the Internet had no security because it just wasn’t necessary back then. The Internet was intended to allow people, mainly researchers, to share information openly. As the Internet grew into the general-purpose behemoth it is today, security became an add-on necessity. Today we have cyber threats like no one could have conceived two or three decades ago. Who could ever foresee that consumers’ misbehaving DVRs could knock Twitter offline, or that ransomware could cost companies millions of dollars to restore their data, or that malware could shut down power-generating plants? The fact is, everything is hackable, the threats are greater than ever, and the damage can be as severe as attackers want it to be.
“Traditionally, computer security is divided into three categories: confidentiality, integrity, and availability,” writes Schneier. “Today, the integrity and availability threats are much worse than the confidentiality threats. Once computers start affecting the world in a direct and physical manner, there are real risks to life and property. There is a fundamental difference between crashing your computer and losing your spreadsheet data, and crashing your pacemaker and losing your life. This isn’t hyperbole; recently researchers found serious security vulnerabilities in St. Jude Medical’s implantable heart devices. Give the Internet hands and feet, and it will have the ability to punch and kick.”
We can’t let the “worldwide robot” punch and kick us until we can’t get up. Thus, Schneier is calling for regulation of computer security, because leaving it to the markets to address the need for security in all of these connected devices isn’t working. He says there are precedents for this extensive level of regulation; for example, the automotive industry has set global safety standards, as has the medical device industry. If cars and pacemakers can be regulated to ensure safety, can we not do the same for everything with a computer chip?
A Regulatory Agency with a Wide Reach
Schneier asserts that, at least in the U.S., this Internet regulation should be done by a new agency that has powers that span a variety of interests. The Internet is a freewheeling system of integrated objects and networks. If you consider a smartphone, it can communicate via cellular networks as well as Wi-Fi networks, which today are regulated by the Federal Communications Commission (FCC). A smartphone might have a medical app that contains the owner’s personal health records, whose confidentiality are regulated by the Health and Human Services Department. The phone might also contain an investment banking app which uses data regulated by the Securities and Exchange Commission. Depending on how the smartphone is used, there are differing agencies involved in current regulation. That’s why we would need an overarching agency that can unify such disparate regulations and create new ones that specifically address the broad range of threats to confidentiality, integrity and availability—not just on smartphones, but on every platform on the IoT.
Schneier holds no illusion that this is a simple task. Here are just a few issues the new agency would have to tackle, according to Schneier. “We need government to ensure companies follow good security practices: testing, patching, secure default—and we need to be able to hold companies liable when they fail to do these things. We need government to mandate strong personal data protections, and limitations on data collection and use. We need to ensure that responsible security research is legal and well-funded. We need to enforce transparency in design, some sort of code escrow in case a company goes out of business, and interoperability between devices of different manufacturers, to counterbalance the monopolistic effects of interconnected technologies. Individuals need the right to take their data with them. And Internet-enabled devices should retain some minimal functionality if disconnected from the Internet.”
Regulations Force Wallets to Open
Schneier isn’t alone in his belief that regulation is needed in order to strengthen IoT security. Richard Clarke, the former US National Coordinator for Security, Infrastructure Protection and Counterterrorism and White House official under three administrations, has proposed a Y2K-style initiative to tighten security in industrial control system (ICS) networks that would require sites to meet certain security levels by a specific date. Clarke says this effort will require regulation from Washington. Regulation, he says, would get Boards of Directors to allocate the budget and resources necessary to protect industrial control systems from damaging cyberattacks.
But he acknowledges the difficulty in adding regulations — which he calls “the R word” — given the current climate in Washington.
Richard Clarke, former US National Coordinator for Security, Infrastructure Protection and Counterterrorism
Regulation – if it ever comes to fruition at all – is years in the future. The cost to develop, implement and enforce the regulations could be astronomical, but what are the consequences of never attempting any regulation at all?
Perhaps we can start with interim steps such as providing tax incentives for “Homeland Cyber Protection” to industrial organizations that meet certain security milestones, such as implementing security monitoring, auditing and patching programs for their OT environments. After all, it has taken decades to impose numerous safety regulations on the automotive industry, and new laws continue to emerge to make vehicles even safer.
In the meantime, it’s important to recognize that there most likely are security vulnerabilities in your ICS network today. Remediating them is a difficult process that could take years, so it’s important to implement mitigating controls to reduce your risk. Best practices call for the following controls:
- Ensure ICS systems and devices are never directly exposed to the public Internet.
- Isolate ICS systems and devices from corporate IT networks using firewalls. Keep the firewalls patched and check regularly for vulnerable firewall rules.
- Create subnets to isolate vulnerable ICS devices from other systems and devices on OT networks, in order to minimize the impact of a potential compromise.
- Implement continuous, real-time network monitoring and behavioral anomaly detection to quickly identify suspicious or unauthorized activities on your OT network.
Share Your Thoughts on Regulation
What are your thoughts on the matter? Is regulation the (or an) answer to enforce a more secure Internet of Things? If so, how should we bring it about?