Government safety regulation of the Internet of Things is coming, warns a prominent security expert, so technologists have to start pushing their way into the offices of legislators to have a voice in what happens.
That was the message privacy specialist and author Bruce Schneier gave infosec pros Wednesday at the annual SecTor conference in Toronto.
“We’re creating a world where everything is a computer,” he said, referring to the wide range of IoT devices from smart phones to connected medical devices and refrigerators to smart cities. Many of these devices have an impact on the physical world – sensors in cars that prevent crashes, for example.
Yet these increasingly interconnected devices can harm people if they are hacked – disabled sensors in cars that make the brakes inoperative, for example.
Meanwhile companies make insecure devices that can’t be patched, like connected video cameras, that can be chained into botnets.
“Governments are already involved in [regulating] physical systems [such as the automotive, transportation, health and other industries] and when the Internet actually starts killing people there will be a call for action,” he predicted. “And nothing motivates government like fear.”
However, far from fearing government regulation, Schneier welcomes it.
“A lot of our security paradigms are going to fail in this new world” of connected devices, he pointed out. “It’s a combination of different technologies — mobile computing, cloud computing, IoT, AI …” but it’s “smart things that affect the world in a direct physical manner.”
Meanwhile the makers of many devices don’t build in security, and buyers don’t care.
“I’m not convinced there’s an alternative” to regulation, he said. “To me, governments are going to get involved regardless because the risks are too great and the stakes are too high.”
“We need some counterbalance to corporate power”… “Government is how we solve problems like this.”
Canada, the European Union, Japan and Korea – countries where governments play a big role – will likely be ahead of the U.S. on this, he said, admitting that when he raises the idea in his country he gets a negative reaction.
He implied the regulator might be one big agency because connected devices cross so many sectors.
“Our choice is no longer between government involvement and no government involvement. It’s between smart government involvement and stupid government involvement. So we need to start thinking about these things. Otherwise it will be done to us.”
“As technologists we need to get involved in policy. IoT is going to bring enormous potential but enormous risks. But as Internet security becomes everything security, Internet security technology will be more important to overall security policy.”
And the policy will never be right if legislators don’t understand how technology works, he warned. He noted the current debate on forcing manufacturers of products with encryption to install backdoors to help police investigations, which has prompted experts – like Schneier – to point out that such a backdoor could also be used by criminals and nation states.
“It is our job to fix this. Technologists need to get involved in policy discussions. We have to be in the offices of legislators, we need to be in federal agencies, at NGOs (non-governmental organizations), part of the press. In companies working on policy … we need to be in their offices.
“Either we get involved, or this is going to be done to us — and I think that would be worse.”