The US government and Silicon Valley have designed and created an insecure world to maximize political control and corporate profit, but in the cyberphysical world we now live in, where cars, planes, trains and nuclear power plants are connected to the internet, that deliberate insecurity must be reversed — for safety reasons, or people are going to start dying, Bruce Schneier argues in his new book, Click Here to Kill Everybody (W.W. Norton & Company, 2018).
The days of "going online" are over. We now live on the internet. The merger of meatspace and cyberspace is well underway, and today cybersecurity is the security of all the things, including the things that can kill us. This new world demands we rethink the economic and political incentives that have us teetering on the brink of disaster, Schneier believes.
Concise at 225 pages, and well-argued, Click Here to Kill Everybody seeks to bridge the gap between engineers and policymakers, "whose arguments pass through one another like angry ghosts," Schneier writes, quoting British solicitor Nick Bohm. Engineers need to better understand the ethical and policy implications of the code they write, and policymakers need to better understand how technology works, and what is and is not possible.
Security pros and policymakers will both find surprises in Schneier's view of the problem from 30,000 feet. Each chapter feels like it could be a separate 500-page tome, but Schneier is clearly not interested in writing an encyclopedia. Rather, he offers a thought-provoking high-level view of the looming cybersecurity crisis.
If every Congressional staffer kept a copy of this book handy for when their boss asks, "What is this cyber thing anyway?" we would probably get dramatically better legislation. If corporate executives — in all industries — spent an evening or two dwelling on Schneier's reflections on how to prevent a cybersecurity catastrophe, they might make better decisions about the long-term security posture for their respective organizations.
CSO interviewed Schneier about his new book. Here are some of our big takeaways from that conversation.
The status quo is a catastrophe waiting to happen
As a society, we've put up with poor computer security for a long time because the failure modes were minor and mostly acceptable. That's changing fast, and we need to recalibrate our approach to security issues.
"People are lulled into a feeling that computer security is doing ok," Schneier tells CSO. "What's changing is where the computers are. There's a profound difference between your spreadsheet crashing and you lose your data, and your car crashes and you lose your life."
"It's the same CPU, the same application, the same vulnerability, the same attack tool," he adds. "The only thing that's different is where the computer is located."
Fixing these system-wide issues requires a drastic overhaul of short-term economic and political incentives. The government wants everything to be insecure so they can spy on us, Schneier writes, and corporations want everything to be insecure so they can control us. That might have been fine when the failure mode was a crashed spreadsheet, but keeping everything insecure so that governments can spy on us also opens society up to attack by criminals and spies who want to commit sabotage or murder.
The government's job number one is literally to prevent invasion by foreign armies. Defending public safety, therefore, means flipping the tables and prioritizing defense over offense, Schneier argues, otherwise people are going to start dying.
Click Here to Kill Everybody is a wake-up call to government and corporations alike to put aside short-term political and economic gain, or face catastrophic failure modes in the future. Fixing the problem, however, demands government regulation.
The government needs to regulate
Markets are terrible at self-regulating for consumer safety issues. Auto makers refused to sell cars with seatbelts standard until Ralph Nader raised the alarm with Unsafe at Any Speed. Given the current perilous state of computer security across the board, it is therefore entirely reasonable for the government to regulate, Schneier argues.
"There's no industry in the past 150 years that has improved safety or security without being forced to by the government," Schneier says. "Planes, cars, pharmaceuticals, medical devices, food safety, restaurants, workplace safety, consumer goods, most recently financial products."
Software historically has avoided issues of liability. "Move fast and break things" remains an oft-repeated mantra in the valley of silicon. However, that's going to change as things get cyberphysical.
"When software moves into your refrigerator, I don't think appliance liability disappears," Schneier says. "Or the software in your car, there's still auto liability. So as software moves into things that are already regulated, the regulation subsumes the software, not the other way around. For example, the FDA is regulating computerized medical devices. And so on and so on."
But regulation can only work if the government, including the NSA, CIA and FBI, prioritizes defense over offense.
The US must lead by example
After 9/11, we got the PATRIOT Act, a draconian law that undermined Constitutionally protected freedoms and led to Edward Snowden's revelations in 2013.
A massive cybersecurity incident — a "Cyber Hurricane Andrew" — could easily provoke even more draconian laws, Schneier worries. It's time to act now to fix security across the board before that happens, he tells CSO. "We as a society are better at being reactive than being proactive," he says. "The odds we'll do anything before a disaster strikes are slim. I want to have the debate now when there isn't a disaster so we can be reasonable about it."
For decades, Schneier writes, the NSA has deliberately undermined the security of internet protocols in the misguided belief that they could keep those attacks secret, and nobody else could use them — the NOBUS (Nobody But Us) philosophy. Recent years have shown this approach to security to be nonsense, he writes, and it's time for intelligence agencies and law enforcement to prioritize defense over offense.
With few exceptions, we all use the same computers and phones, the same operating systems, and the same applications. We all use the same Internet hardware and software. There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There's no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. [emphasis CSO's] On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.
--chapter 9, page 161
This means that when the FBI clamor for encryption backdoors, they are abdicating their responsibility to protect society from harm and creating a world in which spies and criminals can create chaos. Either we are all of us free and secure, or we are none of us free and secure. It's time for the United States to lead by example.
That begins with the right people.
The world needs public-interest technologists
Schneier makes reference to C.P. Snow's seminal essay, "The Two Cultures," an extraordinary reflection on the divergence of art and science into separate traditions that no longer talk to each other. The book quotes the former president of Estonia reflecting on this divide:
Today, bereft of understanding of fundamental issues and writings in the development of liberal democracy, computer geeks devise ever better ways to track people....simply because they can and it's cool. Humanists on the other hand do not understand the underlying technology and are convinced, for example, that tracking metadata means the government reads their emails.
This may be our greatest challenge as a society going forward — to ensure that those who build and those who govern understand each other — and bridging that gap may be the long-term solution to our current policy deadlock on security issues. "All of the major problems of the next century are going to be deeply technological," Schneier tells CSO, "and if we have policymakers who don't understand the tech, we're going to get it all wrong."
"What I want to do is be the champion for this idea writ large of public-interest technologists," he adds. "There are many ways to be a public-interest technologist. One of those ways is to work inside the government. Another is to work at an NGO. Or working for the press. But being a person who marries technology and policy."
It's been a rocky relationship so far, but it's a marriage that's meant to be.
Full disclosure: This reporter was a member of the Berkman Klein Assembly 2017, a not-for-profit cybersecurity incubator at the Berkman Klein Center at Harvard University, and worked with Bruce Schneier during that time.