Internet pioneer Bruce Schneier issued a dire proclamation in front of the House of Representatives’ Energy & Commerce Committee Wednesday: “It might be that the internet era of fun and games is over, because the internet is now dangerous.”
The meeting, which focused on the security vulnerabilities created by smart devices, came in the wake of the Oct. 21 cyberattack on Dyn that knocked Amazon, Netflix, Spotify, and other major web services offline.
Schneier’s opening statement provided one of the clearest distillations of the dangers posed by connected devices I’ve seen. It should be required viewing. He starts around the 1:10:30 mark in the livestream below, but we’ve also transcribed most of his remarks.
Here’s how he framed the Internet of Things, or what he later called the “world of dangerous things”:
As the chairman pointed out, there are now computers in everything. But I want to suggest another way of thinking about it in that everything is now a computer: This is not a phone. It’s a computer that makes phone calls. A refrigerator is a computer that keeps things cold. ATM machine is a computer with money inside. Your car is not a mechanical device with a computer. It’s a computer with four wheels and an engine… And this is the Internet of Things, and this is what caused the DDoS attack we’re talking about.
He then outlined four truths he’s learned from the world of computer security, which he said is “now everything security.”
1) ‘Attack is easier than defense’
Complexity is the worst enemy of security. Complex systems are hard to secure for an hours’ worth of reasons, and this is especially true for computers and the internet. The internet is the most complex machine man has ever built by a lot, and it’s hard to secure. Attackers have the advantage.
2) ‘There are new vulnerabilities in the interconnections’
The more we connect things to each other, the more vulnerabilities in one thing affect other things. We’re talking about vulnerabilities in digital video recorders and webcams that allowed hackers to take websites. … There was one story of a vulnerability in an Amazon account [that] allowed hackers to get to an Apple account, which allowed them to get to a Gmail account, which allowed them to get to a Twitter account. Target corporation, remember that attack? That was a vulnerability in their HVAC contractor that allowed the attackers to get into Target. And vulnerabilities like this are hard to fix. No one system might be at fault. There might be two secure systems that come together to create insecurity.
3) ‘The internet empowers attackers’
Attacks scale. The internet is a massive tool for making things more efficient. That’s also true for attacking. The internet allows attacks to scale to a degree that’s impossible otherwise. We’re talking about millions of devices harnessed to attack Dyn, and that code, which somebody smart wrote, has been made public. Now anybody can use it. It’s in a couple dozen botnets right now. Any of you can rent time on one dark web to attack somebody else. (I don’t recommend it, but it can be done.)
And this is more dangerous as our systems get more critical. The Dyn attack was benign. A couple of websites went down. The Internet of Things affects the world in a direct and physical manner: cars, appliances, thermostats, airplanes. There’s real risk to life and property. There’s real catastrophic risk.
4) ‘The economics don’t trickle down’
Our computers are secure for a bunch of reasons. The engineers at Google, Apple, Microsoft spent a lot of time on this. But that doesn’t happen for these cheaper devices. … These devices are a lower price margin, they’re offshore, there’s no teams. And a lot of them cannot be patched. Those DVRs are going to be vulnerable until someone throws them away. And that takes a while. We get security [for phones] because I get a new one every 18 months. Your DVR lasts for five years, your car for 10, your refrigerator for 25. I’m going to replace my thermostat approximately never. So the market really can’t fix this.
Schneier then laid out his argument for why the government should be a part of the solution, and the danger of prioritizing surveillance over security.
It was OK when it was fun and games. But already there’s stuff on this device that monitors my medical condition, controls my thermostat, talks to my car: I just crossed four regulatory agencies, and it’s not even 11 o’clock. This is something that we’re going to need to do something new about. And like many new agencies in the 20th century, many new agencies were created: trains, cars, airplanes, radio, nuclear power. My guess is that [the internet] is going to be one of them. And that’s because this is different. This is all coming. Whether we like that the technology is coming, it’s coming faster than we think. I think government involvement is coming, and I’d like to get ahead of it. I’d like to start thinking about what this would look like.
We’re now at the point where we need to start making more ethical and political decisions about how these things work. When it didn’t matter—when it was Facebook, when it was Twitter, when it was email—it was OK to let programmers, to give them the special right to code the world as they saw fit. We were able to do that. But now that it’s the world of dangerous things—and it’s cars and planes and medical devices and everything else—maybe we can’t do that anymore.
That’s not necessarily what Schneier wants, but he recognizes its necessity.
“I don’t like this,” he concluded. “I like the world where the internet can do whatever it wants, whenever it wants, at all times. It’s fun. This is a fun device. But I’m not sure we can do that anymore.”
You can watch the full committee meeting above or here.