
Technology

Book Review - Click Here to Kill Everybody: Security and Survival in a Hyper-connected World


We will soon live in a world where your car will drive itself using a combination of cameras, software, radar, and the internet. While driverless cars could reduce automobile accidents by removing the possibility of driver error, Bruce Schneier, a world-renowned technology security expert and fellow at the Berkman Klein Center for Internet and Society at Harvard University, argues that they could one day be used as a deadly weapon. Indeed, in Schneier's September 2018 book, Click Here to Kill Everybody, he argues that driverless cars are just one of many new technologies that present a serious and imminent security threat in the realm of IoT.

IoT, short for the "Internet of Things," presents many challenges to security researchers. As Bruce Schneier points out, the internet was not designed with security in mind (22). In chapter one, Schneier details how the internet was created by and for research institutions, not for supporting critical infrastructure. He further argues that our increasing reliance on physical things that connect via that insecure network exacerbates the security threat.

At the conclusion of chapter one, Schneier discusses how attacks on this insecure network will get better, easier, and faster. In Schneier's words, "Attackers also learn and adapt. This is what makes security different from safety. Tornadoes are a safety issue . . . But whatever we choose to do or not do, we know tornadoes will never adapt to our defenses and change their behavior. Human adversaries are different." (33) He argues that security measures that work today will be easily surpassed by hackers tomorrow; therefore, these measures must proactively and consistently improve.

In chapter two, Bruce Schneier explains two paradigms of security (35). The first paradigm is technologies such as the airplane, pharmaceuticals, and automobiles -- highly-regulated technologies that engineers and private companies must get right the first time or face liability if they fail (34). Rigorous safety testing of such technologies is slow and expensive but effective. Because the cost of getting it wrong is so great, companies must get it right the first time (34).

Schneier contrasts this model with the security paradigm of software development. Companies produce software as quickly and cheaply as possible, or in Facebook's lingo, they move fast and break things (34). While software companies bear the total cost of research and development, there is no high cost or litigation if the software fails the customer. Thus, software companies have little incentive to get it right the first time. Instead, if a company finds a security flaw in its software, it simply releases a patch (35).

In chapter three, Schneier considers the trade-offs between authentication and usability. Schneier points out that most people tend to favor ease of use over security, and this poses a challenge to cyber security. Schneier also details how attackers exploit this preference for convenience to guess passwords and answers to security questions. To overcome this problem, Schneier envisions an authentication system that is both easy to use and highly secure (49).

Instituting such an authentication system requires more than simply securing your email account. For IoT systems to properly function, they need to be able to securely communicate within their cyber ecosystem. Driverless cars, for example, would need to communicate with street signs, as well as with other vehicles on the road, to safely function. For IoT devices to safely communicate, they need to be capable of authenticating the identity of who, or what, they are communicating with. On this point, Schneier issues a stark warning, "If I can impersonate you to your devices, I can take advantage of you." (50) In other words, if an attacker can impersonate you and feed your devices harmful information, he can use them to harm you and others, all in your name.

Chapter four offers an interesting discussion of how private companies and governments all favor insecurity (56). Private companies like Google, Facebook, and Amazon generate the bulk of their profits from a system of surveillance capitalism by tracking users' internet activity. That data is sold to third parties to form a profile of each person (57). According to Schneier, governments also favor internet insecurity. This insecurity allows various governments to use spyware products like FinFisher to surveil their own citizens (65). These spyware products allow governments to hack into citizens' personal devices and spy on them. The conference for these products is even nicknamed the "Wiretappers Ball" (65).

According to Schneier in chapter five, the risks resulting from such security flaws are becoming catastrophic. Indeed, as the IoT connects more physical devices and elements of critical infrastructure, the risk to human life increases. Schneier deliberates on what he calls "movie plot threats," security threats that are "so outlandish that, while they make great movie plots, are so unlikely we shouldn't waste time worrying about them." (96) With that said, Schneier believes that while many of the scenarios in the book might seem outlandish, we must proactively create a secure IoT network to prevent such attacks from even being possible.

Chapters six through twelve make up the section of the book titled "Solutions." They include increasing regulation of software development to bring it up to par with technologies like airplanes and pharmaceuticals -- i.e., those in his first security paradigm. He also proposes establishing a new US agency, like an FDA for the internet, to enforce these regulations. Another solution is separating the NSA's defensive unit from the NSA's offensive team. Combining the two, Schneier argues, privileges offensive over defensive cybersecurity.

This brings me to my only criticism of Click Here to Kill Everybody: some of Schneier's ideas and conclusions seem less well-thought-out and more akin to a brainstorming session. For example, as mentioned above, in chapter three Schneier proposes an authentication system that is both highly secure and convenient to use; yet he does not explain exactly what such a system would look like. Rather, he admits that "Those are contradictory requirements, and we're going to need some clever thinking to make progress here." (49) Additionally, Schneier often does not seem to know if he, and by extension, the reader, should be pessimistic or optimistic about the future of IoT. This ambivalent tone permeates the book and muddies his broader message.

Nonetheless, overall Bruce Schneier's Click Here to Kill Everybody is an insightful book that makes essential points about the security challenges and solutions posed by the IoT. Though some may consider the book too pessimistic or alarmist in tone, it makes complex information accessible to a broad consumer audience -- which may be exactly what we need.


About the Author:

Ryan Tyrrell graduated from AU's School of International Service in 2021 with a Master of Arts in International Affairs: Global Governance, Politics, and Security. He is currently an analyst at a Washington DC-based business advisory and risk intelligence firm.


*THE VIEWS EXPRESSED HERE ARE STRICTLY THOSE OF THE AUTHOR AND DO NOT NECESSARILY REPRESENT THOSE OF THE CENTER OR ANY OTHER PERSON OR ENTITY AT AMERICAN UNIVERSITY.
