Internet plus: Now everything can be hacked!
Schneier is a security guru. And in his new book, subtitled "Security and Survival in a Hyper-Connected World," he explains the real risks in a world where everything is becoming a computer, and networked in a way that he calls "internet plus."
Nora Young: People often use this term "Internet of Things." But you're saying that this doesn't really capture what you're getting at here, right?
Bruce Schneier: The Internet of toasters and refrigerators and thermostats and cars, that's a big part of what I'm talking about, but it's not just that. It's also the Internet of Facebook and power plants and national security and elections and everything else. So I wanted one word to encompass everything. And oddly enough there isn't one. And that might be part of the problem because we're not conceptualizing this as one big complex system.
I mean things like data breaches and other cybersecurity headaches obviously are nothing new. What is it about this idea of the "internet plus" world that makes it even more concerning?
And are these theoretical risks or are they risks that increasingly have been demonstrated?
These are all real. These are things we have seen. We've seen Russia take out power plants in the Ukraine on two different occasions as part of their military offensive against the country. We have seen attacks against cars demonstrated by researchers as a great YouTube video. Pretty terrifying. We've seen attacks against thermostats done in a research setting. This is a ransomware attack where the thermostat says: "You know, I've shut off. You have to pay some bitcoin before I'll turn on again." We've seen that against phones and computers but now we should expect them against appliances. Expect them against cars. Let's hope it doesn't happen at speed. These attacks are all real.
The surprising thing in the book though is that you're partly arguing that solving the problem of security in this world isn't strictly a technical problem. Why not?
Because we don't pay for security. And when you go shopping for a refrigerator you don't know how to shop for security. You shop for features and price and energy efficiency and the stuff you can measure when you go buy a router for your home. You're going to buy the cheapest when you buy a toy. When you buy anything security tends not to be a feature that customers can discriminate based on and therefore not a feature that manufacturers provide.
If you think about it no security or safety has improved by the market. It's taken government forcing it. So think of cars, airplanes, pharmaceuticals, medical devices, food safety, restaurants, consumer goods, workplace, and most recently financial products. Insecure unsafe products and services are sold because that's what the manufacturers do — that's where the most profit is, until the government steps in and says: "Look, you can't do that anymore."
So how do we make companies feel the need to be responsible for security?
That's easy. We know how to do that. You put them in jail if they don't. How do you make companies feel like they're responsible for anything other than profit? You make it a law. Whether it's safety, or child labour or workplace responsibility, you demand it. We as a society put constraints on companies. That's the way our government works. And those constraints are there to make sure they adhere to things that aren't necessary aligned with a profit motive.