We will soon live in a world where your car drives itself using a combination of cameras, software, radar, and the internet. While driverless cars could reduce automobile accidents by removing the possibility of driver error, Bruce Schneier, a world-renowned technology security expert and fellow at the Berkman Klein Center for Internet and Society at Harvard University, argues that they could one day be used as a deadly weapon. Indeed, in his September 2018 book, Click Here to Kill Everybody, Schneier argues that driverless cars are just one of many new technologies that present a serious and imminent security threat in the realm of the IoT.
The IoT, short for the "Internet of Things," presents many challenges to security researchers. As Schneier points out, the internet was not designed with security in mind (22). In chapter one, he details how the internet was created by and for research institutions, not to support critical infrastructure. He further argues that our increasing reliance on physical things that connect via that insecure network exacerbates the security threat.
At the conclusion of chapter one, Schneier discusses how attacks on this insecure network will only get better, easier, and faster. In Schneier's words, "Attackers also learn and adapt. This is what makes security different from safety. Tornadoes are a safety issue . . . But whatever we choose to do or not do, we know tornadoes will never adapt to our defenses and change their behavior. Human adversaries are different." (33) He argues that security measures that work today will be defeated by attackers tomorrow; therefore, these measures must be improved proactively and continually.
In chapter two, Schneier explains two paradigms of security (35). The first is that of technologies such as airplanes, pharmaceuticals, and automobiles: highly regulated technologies that engineers and private companies must get right the first time, or face liability if they fail (34). Rigorous safety testing of such technologies is slow and expensive but effective, and because the cost of getting it wrong is so great, companies have every incentive to invest in it (34).
Schneier contrasts this model with the security paradigm of software development. Companies produce software as quickly and cheaply as possible, or, in Facebook's lingo, they move fast and break things (34). Software companies bear the full cost of research and development, but they face little cost and rarely any litigation when the software fails the customer. Thus, software companies have little incentive to get it right the first time. Instead, if a company finds a security flaw in its software, it simply releases a patch (35).
In chapter three, Schneier considers the trade-offs between authentication and usability. He points out that most people tend to favor ease of use over security, and that this poses a challenge to cybersecurity. Schneier also details how attackers exploit this preference for convenience to guess passwords and the answers to security questions. To overcome this problem, Schneier envisions an authentication system that is both easy to use and highly secure (49).
Instituting such an authentication system requires more than simply securing your email account. For IoT systems to function properly, they need to be able to communicate securely within their cyber ecosystem. Driverless cars, for example, would need to communicate with street signs, as well as with other vehicles on the road, in order to function safely. For IoT devices to communicate safely, they must be capable of authenticating the identity of whoever, or whatever, they are communicating with. On this point, Schneier issues a stark warning: "If I can impersonate you to your devices, I can take advantage of you." (50) In other words, if an attacker can impersonate you and feed your devices harmful information, he can use them to harm you and others, all in your name.
Chapter four offers an interesting discussion of how private companies and governments alike favor insecurity (56). Private companies like Google, Facebook, and Amazon generate the bulk of their profits from a system of surveillance capitalism, tracking users' internet activity. That data is sold to third parties and used to form a profile of each person (57). According to Schneier, governments also favor internet insecurity, because it allows them to use spyware products like FinFisher to surveil their own citizens (65). These spyware products allow governments to hack into citizens' personal devices and spy on them. The conference for these products is even nicknamed the "Wiretappers Ball" (65).
According to Schneier in chapter five, the risks resulting from such security flaws are becoming catastrophic. Indeed, as the IoT connects more physical devices and elements of critical infrastructure, the risk to human life increases. Schneier deliberates on what he calls "movie-plot threats," security threats "so outlandish that, while they make great movie plots, are so unlikely we shouldn't waste time worrying about them." (96) With that said, Schneier believes that while many of the scenarios in the book might seem outlandish, we must proactively build a secure IoT so that such attacks are not possible in the first place.
Chapters six through twelve make up the section of the book titled "Solutions." These range from increasing regulation of software development, to bring it up to par with technologies like airplanes and pharmaceuticals (those in his first security paradigm), to establishing a new US agency, something like an FDA for the internet, to enforce those regulations. Another solution is separating the NSA's defensive unit from its offensive team. Combining the two, Schneier argues, privileges offensive over defensive cybersecurity.
This brings me to my only criticism of Click Here to Kill Everybody: some of Schneier's ideas and conclusions seem less well thought out and more akin to a brainstorming session. For example, as mentioned above, in chapter three Schneier proposes an authentication system that is both highly secure and convenient to use, yet he does not explain exactly what such a system would look like. Rather, he admits that "Those are contradictory requirements, and we're going to need some clever thinking to make progress here." (49) Additionally, Schneier often does not seem to know whether he, and by extension the reader, should be pessimistic or optimistic about the future of the IoT. This ambivalent tone permeates the book and muddies his broader message.
Nonetheless, Bruce Schneier's Click Here to Kill Everybody is, overall, an insightful book that makes essential points about the security challenges posed by the IoT and the solutions available to us. Though some may consider the book too pessimistic or alarmist in tone, it makes complex information accessible to a broad consumer audience, which may be exactly what we need.
About the Author:
Ryan Tyrrell graduated from American University’s School of International Service in 2021 with a Master of Arts in International Affairs: Global Governance, Politics, and Security. He is currently an analyst at a Washington DC-based business advisory and risk intelligence firm.
*THE VIEWS EXPRESSED HERE ARE STRICTLY THOSE OF THE AUTHOR AND DO NOT NECESSARILY REPRESENT THOSE OF THE CENTER OR ANY OTHER PERSON OR ENTITY AT AMERICAN UNIVERSITY.