InfoSec 2016: Two Worlds Are Colliding, And I Don’t Have The Answer, Says Bruce Schneier

Two drastically different security paradigms are colliding in the Internet of Things, and it doesn’t bode well for our security, claims security specialist Bruce Schneier.

Schneier explained how IoT-connected devices such as medical devices, which are almost impossible to keep up to date with the latest security defenses, will be pitted against attackers who are continually improving their attack methods, with “catastrophic” consequences.

“As we move to the Internet of Things, where things are less patchable and less high-end, we’re going to have a problem,” said Schneier, addressing a keynote audience at InfoSec 2016 in London.

Problem

“Right now, how you patch your home router is to throw it away and buy a new one. That is the patch path. And a lot of our systems, like a phone, are patched all the time, but a lot of the security comes from the fact we get a new one every 18 months. We get a new laptop every two years. That allows us to get better. But you buy a new refrigerator every 15 years. You buy a new thermostat, what, approximately never? That’s going to be a big problem,” he explained.

Schneier described how the security lifecycle for things like home appliances, implantable medical devices and cars just isn’t the same as the security lifecycle for consumer electronics.

“We’re not going to be able to live in a world where to update your defibrillator you’ll have to open up your body and get a new one – and that’s going to be bad,” he said.

Moreover, as the Internet of Things scales up to include power plants, communities, cities, and governments, the risk will increase.

“There’s much more of a worry for catastrophic risk. Our systems are getting so big that we can’t afford a single failure. And that’s going to happen soon,” said Schneier, illustrating how we’re reaching a security tipping point.

“There are two basic paradigms of security. There is paradigm A, which is secure it properly the first time. This comes from the world of dangerous physical things. Automobiles, planes, medical devices, buildings. This is security of design. This is certifications. This is testing. This is licensing. This is get it right the first time, because getting it wrong would be a disaster.

“Then there’s paradigm B, which is making sure your security is agile. This comes from the fast moving and heretofore largely benign world of software. Rapid prototyping, rapid updates, recoverability, mitigation, adaptability. Putting it out there and fixing it on the fly. These two worlds are colliding and it is unclear how we can do both. We’re starting to see the collision.”

Schneier explained how IoT-connected components like medical devices reside in paradigm A, which means people are walking around with life-critical devices that cannot be updated.

“The process doesn’t allow for updating. The process was get it right the first time. I don’t have an answer,” he said.

Government intervention

Because of all of this, Schneier confidently predicted that we will see increased government intervention within the Internet of Things and cybersecurity space.

“We’re going to see greater fear rhetoric, because this stuff is actually scary. We’re going to see more rhetoric of fear,” he said.

“I think that more government involvement in cybersecurity is inevitable simply because the systems are more real. We’re going to see more cyberwar rhetoric, more cyberterrorism rhetoric, more calls for surveillance, more calls for use control, more ‘trust me, I’m the Government’.”

Ben Sullivan

Ben covers web and technology giants such as Google, Amazon, and Microsoft and their impact on the cloud computing industry, whilst also writing about data centre players and their increasing importance in Europe. He also covers future technologies such as drones, aerospace, science, and the effect of technology on the environment.

  • Not quite. If there's a way for a hacker to access a device, there's a way to update the device. After that it's down to can you update it without interrupting service. But that's just a technical design exercise and cost/benefit calculation. Also, why do I want my pacemaker's workings to be remotely accessible? If they are, jail the company execs that thought it'd be cool. Read-only monitoring feed, sure. Local NFC updates, maybe. Internet access to my pacemaker - are you insane?
