We’re moving to a world where everything is going to be a computer, and we aren’t ready for the security consequences. That was an overarching theme of security guru Bruce Schneier’s keynote address at this year’s SpiceWorld event in Austin, Texas. It’s the computerization of everything, from the clothes we wear to the facilities that provide power to our community. This means, he said, that what we once knew as internet security becomes everything security, and all the rules we have applied to internet security become applicable to everything.
Think about that: Everything in our homes, everything we touch is eventually going to be a computer system and create an entirely new, and a much more personal, threat landscape.
Truisms about Internet Security
With that in mind, Schneier provided six truisms about internet security that we are going to have to re-evaluate to create the cybersecurity systems necessary for this computerization of everything. They are:
- Most software is poorly written and insecure. “The joke for restaurants is good, fast, cheap—pick any two,” said Schneier. “That works for software as well. And we, again and again, pick fast and cheap over good.” This means our computers don’t work as well as they should and we have to depend on patches to fix the problems. This, of course, is especially true for security concerns.
- The internet was never designed for security. When I first got online, I was employed at a major research university and had access to an archaic email system and Usenet. The people I met on Usenet were almost all writing from universities or research institutions. Schneier pointed out that this was universally the case in the early days of the internet, and because the connections were so restricted and because no one used the internet to share anything of value, security wasn’t designed into it. “We’re still living the impact of that decision,” he said.
- Extensibility of a computerized system means everything can be used against us. Devices and appliances once had a single use and that use couldn’t be changed. Now, we can’t constrain the functionality of those devices because they run on software. If malware is dropped into a device, now your device has new functions that you may not know are there and can’t control.
- Complex systems have larger attack surfaces. With larger attacks surfaces, hackers have more room to work, and it makes security, which already is difficult, even more difficult to deploy.
- As we connect things to each other, vulnerabilities in one device will affect other devices. The Mirai botnet was dropped into one device, but it was other devices that felt the brunt of the attack. Interconnected devices are going to be more difficult to separate. The Target payment system hack, for example, was caused through attacks on an HVAC company.
- Attacks continue to get easier, faster and better. No matter how well you improve the safety against threats on your end, hackers are also getting smarter. It’s an arms race, and hackers are quick to adapt. “Expertise also flows downhill,” Schneier added. “What’s today is a top NSA program is tomorrow a PhD thesis and the next day, it’s a hacker tool. And we see that again and again.”
The Paradigm Shift
These truisms affect security as we know it today, but if we don’t do something to address the problems in those issues soon, the computerization of everything is going to be one hellish nightmare. We’re already seeing how difficult it is to address IoT security. The problem, said Schneier, is that so many of our systems are decades old and we don’t know how to secure 40-year-old software. But we need to figure that out. That means the paradigms we’ve used in the past to address security must change.
Patching, for instance. While patches do work for complex software, such as operating systems, it isn’t effective for low-cost embedded systems such as DVRs or routers. Many of these devices don’t even have the ability to be patched; rather, you toss it out and replace it when it becomes vulnerability. However, it’s one thing to get a new router every four or five years, but are you really going to replace a sophisticated security system? We need to rethink how we address vulnerabilities across the board, but especially in embedded systems.
Authentication also has to be re-evaluated. We’re going to start seeing a lot more thing-to-thing authentication, where devices are going to rely on each other to get us through the routine of our day. This means if you have 100 IoT devices you rely on, you’re going to have 10,000 authentications.
Supply chain security is another issue to consider. Again, as everything becomes interconnected, who can we trust? We don’t know. It’s not just that a product is made in one country, but that it has chips and software and hardware that are coming from a variety of vendors from a variety of locations.
We’ve reached a point, Schneier said, where we can’t trust anyone but we have to trust everyone. And that makes security difficult.