What the industry has to accept is that regulations are inevitable at this point, said Bruce Schneier, CTO of IBM Resilient and adjunct lecturer at Harvard University’s Kennedy School of Government. That’s why he thinks the industry has to take the initiative in working with lawmakers.
“A lot of us have been libertarians forever and our response to regulation is, ‘None of the above, please.’ That will no longer be an acceptable answer when the Internet crashes into the physical world and life and property are lost,” he said.
“It’s our job to have these conversations, to come up with these documents, because otherwise they’ll be written for us.”
Schneier was speaking on a panel this morning discussing what the barriers to regulation are and what the pitfalls might be. The panel was titled “Internet of Insecurity: Can Industry Solve It or Is Regulation Required?” — but it was clear from the start what the answer was.
Vector for Abuse
The issue of IoT security is being pressed forward by incidents that are making headlines even in the mainstream press. The Mirai botnet, which is still around, harnesses unsecured devices such as webcams to generate distributed denial-of-service (DDoS) attacks.
And close to home for the conference, the San Francisco Municipal Transport Agency (SFMTA) was hacked in November. No physical damage was done, but the hacker held SFMTA’s computer systems for ransom and let people ride the transit system for free before SFMTA used backups to restore its systems.
While it might be tempting to let industries self-regulate, that approach won’t result in better security, Schneier said. He has previously explained why on his security blog, in discussing Mirai: no one in the webcam industry has a reason to care if their products get hijacked for DDoS purposes. Regulations would give them an incentive to do something about it.
Unregulated industries often complain that regulations would stifle innovation, but that’s not a bad tradeoff, Schneier argued. Pharmaceuticals are regulated because a free-for-all drug industry would be perilous. Given the volume of not-so-secure Internet devices being shipped, it’s not hard to make a similar argument for IoT.
“This is an urgent problem. We’re shipping stuff now that will live in our environment for a very long time,” said Olaf Kolkman, chief Internet technology officer for the Internet Society.
What’s needed is a sense of collective responsibility that involves vendors, government, and even consumers.
“The moment that consumers know their fridge can spoil their own food but might also be attacking the neighbor’s fridge, they might say, I want to be a responsible actor. Most civilians want to be responsible actors,” Kolkman said.
Earlier this month, Schneier proposed on his blog that a new government agency is required because existing agencies are not equipped to cope with the fluid nature of the Internet.
During RSA, Schneier made a Skype appearance at the Linux Foundation’s Open Source Leadership Summit in Lake Tahoe, California, where he repeated that call for a new agency. “My worry is the alternatives are not viable any longer. Government is going to get involved regardless,” he told that audience. “Our choice here isn’t between government involvement and no government involvement. It’s between smart government involvement and stupid government involvement.”
The Open Source Question
For networking and security, regulations bring an additional wrinkle. Laws imply liability, and that could be a sore subject in an industry that relies on so much open source code.
If something goes wrong, then, who is liable? In the United States, it’s not difficult to sue the suppliers behind a product, which in this case could include the coders who contributed code to open source projects.
“Regulations here can easily kill open source if we do this wrong,” Schneier said. “You put a liability in, nobody’s going to send a commit in, because as soon as they do, they’re on the hook. … This could really go bad, really fast.”
Linda Hardesty contributed to this report.