Bruce Schneier, a security expert, is of the view that in order to ensure the safety of the community, the innovation in IoT or Internet of Things had to be slowed down.
Schneier fears that unless the government acted swiftly, a cyber disaster could affect many a life.
The world is filling up with smart gadgets fast.
They are actually starting to become ubiquitous at an unprecedented pace.
It is highly likely that the majority of our readers would have one in their home, workplace and perhaps even on their wrists.
Gartner, a research firm, recently made an estimate that the world now could boast about having 11 billion of these internet-connected devices.
Moreover, this 11 billion number does not even include computers and smartphone devices.
For comparison’s sake, currently, the total number of people on earth is close to 7.5 billion.
The fact that 11 billion internet-connect devices will be in circulation at the end of this year worldwide is even more fascinating when one considers that this 11 billion number is double the number of internet-connected devices that were present on earth a couple of years ago.
There is little doubt about the fact that the world should embrace itself for billions and billions of Internet-connected devices coming online very soon.
But why are they increasing in their number so fast?
Well, the main reason is that these devices are inherently useful.
And why are they useful?
They are useful because they offer users a great number of connectivity options.
However, the problem with so many devices having internet connectivity is cybersecurity.
To put it mildly, security engineers find it an absolute nightmare when they think about all the cybersecurity threats that such devices are surely exposed to.
Then there is the fact that hackers on the internet have shown it time and time again that they have the capacity to compromise each and everything with silicon in it.
Hackers can hack connected cars as well as medical devices.
And everything in between.
Moreover, the cybersecurity warnings just keep on getting louder and louder that manufacturing companies are shortchanging security of their devices in the stampede to quickly develop and bring their products to the consumer market.
Bruce Schneier, in his new book titled Click Here to Kill Everybody, has argued that different governments now have to step in and force all manufacturing companies that are developing internet-connected gadgets and chips to make online security their top priority rather than a mere afterthought.
Bruce Schneier is also the author of the very influential (and popular in niche circles) security newsletter along with a blog.
This, along with being a fellow at the prestigious Berkman Klein Center for Internet and SEcurity at the (prestigious) Harvard University and of course, a lecturer at Harvard Kennedy School in public policy gives Schneier a unique perspective on things.
And that’s not all.
Schneier is involved with the industry in many other roles.
Currently, he is on the board of EFF (Electronic Frontier Foundation) and is also the CTO (Chief Technology Officer) of IBM Resilient.
IBM Resilient is an Incident Response Platform that assists various companies to not only prepare but also deal with different potential cyber threats.
Recently, Schneier spoke with some reporters from MIT about issues such as the risk that the community was currently facing by operating in a world that is more connected than ever.
He also talked about how the world needed new policies to government such inter-connected space as quickly as possible to address cybersecurity threats.
In the beginning of the interview, reporters asked Bruce the question everybody had in their mind when they read the title of Bruce’s book Click Here to Kill Everybody.
They asked him if he chose the title of the book to deliberately seem alarmist in order to make an attempt to sell more books.
To that question, Bruce replied that from the outside it may seem like he used the title as a publishing clickbait technique.
However, he said, he wanted to give it his best shot in making a point that as far as the online world went, it had started to affect the real world in a very much direct and physical manner.
Moreover, that essentially changed a lot of things that society took for granted.
According to Bruce, the problem was no longer about all the major risks to online data.
The biggest risks were to a given individual’s property and life.
Bruce also mentioned that the title of his book really pointed out that there was a real physical danger with internet-connected devices not having sufficient security features.
He also pointed out that the community needed to understand that things were now very different than what they were not more than five years ago.
When reporters asked Bruce how the current shift in technology was changing the society’s notion of cybersecurity, he said that people’s household appliances along with their medical devices and cars were all now essentially computers with different things attached to them.
Bruce made the point that a given refrigerator was now not just a refrigerator.
The refrigerator had become a computer that kept things cold.
Similarly, the microwave had also evolved from being just a microwave to a computer that made things hot.
Moreover, Bruce believes that a car was, now, was nothing more than just a computer with an engine and four wheels.
According to Bruce, people should move away from thinking about computers as just screens that they turned on and then looked at.
And that, Bruce believes, is a huge change.
Computer security was once considered its own and separate realm.
But now, computer security is essentially everything security.
Reporters also asked Bruce about the new term that he came up with “Internet+”
Bruce had previously used the term fo encapsulate the big shift in cyber security and what it meant.
However, reporters asked him that the community already had a term for it in the form of the Internet of Things.
On the question of how his term was different from what the community already had to describe the new internet, he said that he actually hated creating yet another buzzword.
According to Bruce, the community already had a ton of buzzwords.
However, he said, the term Internet of Things was simply too narrow.
The term Internet of Things only referred to internet-connected appliances along with thermostats and some other Internet-connected gadgets.
Bruce said the term Internet of Things only referred to a small part of what he wanted to talk about via his book and other publications.
He mentioned that things had gone beyond just Internet of Things.
Now, the community had the Internet of Things plus all the services plus all the computers plus all the large databases that technology companies were building plus the people plus the internet companies themselves.
So in order to save time, and probably space, Bruce decided to call all of that Internet+.
Reporters also asked Bruce to focus on the “people” part of the new cybersecurity situation.
Bruce, according to one reporter, had mentioned in the book that people had started to become virtual cyborgs.
On the question of what Bruce meant by that, he said that people already had formed intimate ties with their devices such as smartphones and the rest.
People looked at these devices several times on any given day.
Moreover, people also used search engines so much that search engines had become kind of like, their online brains.
Along with that, many transport networks, power systems, and communications systems now had a heavy reliance on the internet.
In the case of the internet going down, the society would get affected to the extent that it would grind to a quick halt.
Because the society had become very much dependent on it at each and every level.
Bruce mentioned that computers hadn’t advanced enough yet to be widely embedded in human bodies.
However, computers were already embedded in people’s lives very deeply.
On the question of if it was possible for the society to simply unplug in order to limit the risks of internet breakdown, Bruce answered that it was becoming harder and harder to do so.
Bruce also mentioned that recently he tried to purchase a car that had no connection to the internet.
But he failed.
He pointed out that he failed not because of the unavailability of cars which had no internet connection, he failed because the ones in the range that he wanted all came pre-installed with an internet connection.
Bruce also made the point that even if turned off the internet connection in such an Internet-enabled car, no one could guarantee that hackers simply wouldn’t turn it back on via remote methods.
Reporters also asked him if hackers could also effectively exploit all the security vulnerabilities in a given kind of device to access and attack other devices with internet connectivity.
To that, Bruce answered, that there were lots of examples where hackers could do such a thing.
He cited the Mirai botnet which exploited security vulnerabilities found in home devices such as webcams and DVRs.
In the Mirai botnet attack, hackers took over these things and then used them to launch a massive attack on a critical domain name server.
That, in turn, knocked out a whole bunch of popular and well-reputed websites completely offline.
Bruce also mentioned those hackers who launched an attack against Target and then managed to have access into the giant retailer’s payment network.
And they did that by exploiting a security vulnerability in the present IT systems of an individual contractor who had started work on some of the retailer’s stores.
Reporters also asked Bruce that even though such incidents were true but these did not really lead to any loss of limb and/or life.
Moreover, the reporters asked, the community had not come across many cases which involved any potential real and/or physical harm.
To that, Bruce answered that he was aware of the fact that the community had not come across such cases.
Bruce said that the majority of the cyber attacks still involved violations of confidentiality, privacy, and data.
However, according to Bruce, the society was entering a new era.
In the new era, people would no longer have to worry about someone stealing their medical records.
They would also have to worry about if some hacker changed their blood type in a given database.
Bruce said that he didn’t really want anyone to hack his car’s Bluetooth or internet connection in order to listen to his conversations.
But more than that, he did not want hackers to disable his car’s steering wheel.
The cyber attacks which hackers launched against the availability and integrity of systems were the ones that Bruce said people really would have no choice but to worry about in the coming future.
And all of that would be because future cyber attacks would directly affect property and life.
Lots of sections of the media also had discussions in the United States of America earlier this year to talk about various cyber threats to some of the most critical infrastructure like dams and power grids.
So it makes sense that reporters asked Bruce about how serious were such issues.
Bruce replied by saying that everybody in the community knew that hackers from Russia had managed to turn off the power supply to bits of the electricity grid in Ukraine as a part of Russia’s broader Ukraine-specific military campaign.
They did that twice.
Not only that, hackers from different countries (which Bruce likes to term has nation-state hackers) also had managed to penetrate systems at various United States power companies in the past.
It is another fact that all such hacking attempts were exploratory in nature and did not cause any damage.
However, Bruce was of the opinion that it was entirely possible that they could cause some harm.
He also said that if some nations harbored military hostilities against the United States of America, then they should expect that nation-state hackers would use such attacks.
Bruce did not shy away from the fact that the United States would also use such attacks against its own adversaries just as the United States had utilized cyberattacks to delay and sabotage the nuclear programs in North Korea and Iran.
On the question of what type of implications did all of these cyber threats had for the country’s current approach to handle computer security, Bruce said that the community had to deal with software flaws via fixes and patches.
He said that patching certainly represented a way of regaining some computer security.
However, Bruce mentioned, the country produced systems which did not have good security and then the community tried to find vulnerabilities in those systems and then patched them.
According to Bruce, such an approach is pretty effective with one’s computer machine and/or smartphone device.
The reason for that is simple as well.
The actual cost of insecurity and any potential harm from it is relatively on the lower end.
However, Bruce questioned if security engineers could take such an approach for cars.
He said that he did not know if it was okay for a company to suddenly make the statement that a given car was insecure and that a hacker could crash it and then say that users had nothing to worry about since it would come out with a patch the very next week.
Bruce also questioned if someone could take that risk with am embedded heart device such as a pacemaker.
All of that was now a problem because computers now affect the entire world and in a physical and direct manner.
Because of that, one simply could not just wait for all the fixes to arrive.
Reporters also queried Bruce that the United States of America already made use of some very strict and stringent security standards for various software applications which were used in some sensitive and cyber-physical domains such as aviation, so why would the community just take those SOPs from there to protect internet-enabled devices?
Bruce pointed out that the aviation sector indeed made use of some great security standards.
But those came at a very high cost.
The security standards in industries such as aviation were present there because of some really strong government regulation.
But the government only regulated industries such as aviation and a few more.
When it came to the question of consumer goods, currently, the market did not have that high a level of security and safety.
Bruce said that had to change.
At the moment, according to Bruce, the market did not really reward secure software applications even in the least bit.
As long as technologies companies won’t have the incentive of additional market share as a result of offering more secure products, they simply would not bother spending time and resources on issues related to safety and security.
What needs to be done in order to make the era of Internet+ secure and safe?
Bruce mentioned that he did not know of a single industry which improved its security and/or safety without the government forcing that particular industry to do so.
Time and time again, technology companies have been proved to skimp on issues such as safety and security until someone forces them to take such issues seriously.
Bruce said that the government needed to step up its involvement in such situations.
And it could use a combination of tools to target those firms which are developing all the internet-connected appliances and devices.
Some of the things that the government can make use of right now included rigid rules, flexible standards along with consequential liability laws which are able to penalize big companies and their earnings in a way that makes them take such issues seriously.