The early architects of the internet did not want it to kill anybody. In cyber security expert Bruce Schneier’s new book, David Clark, a professor at the Massachusetts Institute of Technology, recalls their philosophy: “It is not that we didn’t think about security. We knew that there were untrustworthy people out there, and we thought we could exclude them”.
Schneier describes how the internet, developed as a gated community, is now a battleground where these untrustworthy people cause great harm: harnessing computers to kill by crashing cars, disabling power plants and perhaps, soon enough, using bioprinters to cause epidemics.
The clumsily-named internet of things, which Schneier rechristens the barely more elegant Internet+, is growing fast: between 20bn and 75bn devices could be online by 2020, depending on the estimate. This mushrooming hands more power to hackers, while cyber defenders struggle to protect the internet.
Schneier skilfully guides readers through serious attacks that have happened already — and moves on to those he believes are just over the horizon. Unlike many in a cyber security industry that often uses fear to sell, Schneier is not a born fearmonger. Uncomfortable with the provocative title of the book, he calls it “hyperbole” and “clickbait”. But the choice is justified with examples of “increasingly catastrophic” future attacks, perhaps on all cars or all insulin pumps from the same brand.
A fellow at Harvard, and chief technology officer of IBM Resilient, the company’s incident response unit, Schneier is the author of several other accessible cyber security books. He is particularly accomplished at putting the subject in the context of the market, describing how the explosion of “Internet+” devices is due to the falling cost of computerisation.
These cheap-as-chips connected devices, such as a computer in a thermostat or a child’s toy, are usually not secure: they often cannot be patched, any passwords can be easily cracked, and by reusing code, they risk succumbing to joint attacks.
Now that lives, rather than data or dollars, are on the line, Schneier believes cyber security should not be left to the market: elsewhere, government regulates things that kill. The private sector will need to spend much more — and regulation may be required to force their hand.
In the second half of the book, Schneier sets out detailed solutions that should be required reading for politicians across the world. The challenge is hard, he admits, but “sending a man to the moon hard” not “travelling faster than light hard”.
Powerful parallels with how society has dealt with previous technological revolutions are employed to bolster his case — the internet is not as exceptional as many in Silicon Valley would like to think. He cites aeroplane safety regulation transforming air travel into the safest mode of transport, arguing for a new US federal agency to oversee cyber security just as new agencies were created to protect the public from every other major innovation, from cars to radio to atomic energy.
He advocates software production overseen by licensed software engineers, making them responsible for apps withstanding a reasonable level of threat, just as architects pledge that a building will remain standing.
But however sensible his plan, Schneier knows the hurdles it faces. Silicon Valley is always shy of regulation. He knows it will take time to change the data-hungry business model he calls “surveillance capitalism” and that governments have so far failed to be trustworthy cyber defenders, admonishing law enforcement and intelligence agencies for picking holes in security for their own offensive cyber operations.
Schneier also knows regulation depends on policymakers whose ignorance of technology was on full display when Congress quizzed Facebook chief executive Mark Zuckerberg this year. One of his suggestions is a corps of public interest technologists to guide them.
This book is convincing, but not comforting. Schneier is clear on what should happen next but admits he is no political expert. In the end, today’s divided politics may end up being yet another vulnerability for hackers to exploit — and the internet may kill.
The reviewer is the FT’s San Francisco correspondent
Click Here to Kill Everybody: Security and Survival in a Hyper-connected World by Bruce Schneier, Norton, $27.95