RSA 2017: Special conference coverage
Reporting and analysis from IT events
SAN FRANCISCO -- Security expert Bruce Schneier called for the creation of a new government agency that focuses on internet-of-things regulation, arguing that "the risks are too great, and the stakes are too high" to do nothing.
During a wide-ranging talk on internet-of-things regulation and security at RSA Conference 2017, Schneier, CTO of IBM Resilient, made the case that government intervention is needed to address threats such as the Mirai botnet. He described IoT security as a unique problem, because manufacturers have produced many devices that are inherently insecure and cannot be effectively patched, and IoT malware has little effect on the actual devices. Because compromised devices are used to attack third parties, Schneier said, there is little incentive on the part of the users and device manufacturers to act.
"The market is not going to fix this because neither the buyer nor the seller cares," he said. "The market tends not to fix safety or security problems without government intervention."
That leaves only one real option, Schneier said. "My proposal in the U.S. is, I think we need a new regulatory agency," he said.
Schneier argued there is precedence for creating such an agency to address new technologies, from trains and automobiles to radio and nuclear. And he said those agencies tend to be created for two reasons.
"New technologies need new expertise," Schneier said. "And new technologies need new controls. And this is something markets can't solve. Markets are, by definition, short-term profit-motivated. That's what they're supposed to do. They don't solve collective action problems."
Government, he said, is "the entity that is used to solve problems like this." But Schneier also admitted that a regulatory approach to IoT threats brings a lot of problems, from a general lack of technical expertise in the government to historical problems with regulatory capture.
"So, the devil's in the details here, and I don't have them," Schneier said. "But I submit this is the worst possible idea -- except for all of the others. And I'm not sure the alternative [of doing nothing] is viable any longer."
Governments are going to get involved in addressing IoT threats, regardless of what the private sector does, Schneier said. He predicted the courts would be the first branch of government to set precedents through tort, followed by sustained regulations of government agencies and then, ultimately, proposed legislation from Congress, which he said will "play catch-up" to the issue. But Schneier warned that Congress will act if the problem gets worst.
"Nothing motivates the U.S. government like fear," he said. "All of the strong bias we have toward leaving the market alone is going to disappear when people start dying."
Bruce SchneierCTO of IBM Resilient
Schneier said that possibility may sound extreme, but he argued the world is littered with IoT devices, from cars to industrial control systems, that can be used by threat actors to cause physical harm. And he said if the technology industry doesn't take action and get involved with whatever internet-of-things regulatory body is created, then we'll get an agency like the Department of Homeland Security, which he said was "ill-conceived, ham-handed and doesn't work very well."
"Our choice here is no government involvement or no-government involvement," Schneier said. "Our choice is smarter government involvement or stupider government involvement. And we have to start thinking about this now -- otherwise, it will be imposed on us."
To that end, Schneier encouraged the audience to think about IoT security and threats, and ask if a device truly needs to be connected to the internet. "We also need to start thinking about disconnecting systems," he said. "If we cannot secure complex systems, then we must not build a world where everything is connected and everything is computerized."
Schneier ended the talk by urging the audience to take an active role in government policy before decisions are made without input from technology professionals and experts.
"We technologists need to get involved in policy," Schneier said. "Like it or not, government involvement is coming. When computers start killing people, there are going to be consequences."
Learn more about the risks of IoT in the enterprise
Read about the new security challenges from IoT
Find out how tougher cybersecurity regulations affect compliance