Robots and the future of cyber regulation
“We’re creating a world where everything is a computer,” said Bruce Schneier, author of the “Schneier on Security” blog, special advisor to IBM Security and CTO for IBM Resilient, during his keynote speech at the recent SecTor conference in Toronto.
Schneier discussed the security implications and vulnerabilities in an era of Cloud computing, autonomy and the Internet of Things (IoT).
He specifically highlighted IoT, which he broke down into three elements.
The first part is the sensors, such as iPhones, smart lightbulbs and smart thermostats, that collect data about us and our environment. The second part is the processing, memory and networking. The final part is the actuators that affect our environment.
“You can think of the sensors as the eyes and ears of the Internet. You could think of the actuators as the hands and feet of the Internet. It gives the Internet sensing capabilities and the capability to do things. And [the second part] as the brain,” Schneier explained. “So we’re creating an Internet that senses, thinks and acts.”
“That is the classical definition of a robot,” Schneier continued, “and I think the way to think of this Internet today is that we’re building a robot the size of the world and don’t even realize it.”
This smart technology has profound implications for security, as it can affect the world in a direct, physical manner. This means that “Internet security becomes everything security.”
As everyday objects in our lives become more interconnected, security technologists’ expertise becomes more valuable in different industries.
But this also means that threats are becoming more diverse and difficult to address.
There are three basic types of threats according to the CIA triad — confidentiality, integrity and availability. With this new smart technology, the availability and integrity threats become worse, Schneier explained. For instance, a hacker could hack into a car’s GPS system to learn the car’s location, which is a traditional threat. But as cars become more integrated with computers, hackers could also hack the car and disable the brakes remotely.
According to Schneier, there are two basic paradigms of security: security by design, where devices and software are designed to be secure the first time around via testing and certifications; and agile security, where software is made more secure through prototypes, patching and updates.
“These two paradigms are colliding,” said Schneier. “In our cars, medical devices, traffic control systems, voting machines. And we need to figure out how to make these paradigms work together.”
To do so, Schneier believes regulations are needed and the government will become increasingly involved. “I actually think that’s a good thing and something we need to embrace,” he said.
For Schneier, the choice isn’t between government involvement and no government involvement, but between “smart government involvement and stupid government involvement.”
In an interview with Canadian Security, Schneier said, “policy is coming to our industry because of IoT vulnerabilities, because of critical infrastructure, because of all of these threats that are not going away. And that’s going to bring with it regulations.”
Schneier called on technologists to work with policymakers, government agencies and lawyers to help create regulations. “Either we’re involved in making sure those regulations make sense and are technically feasible, or it’s going to be imposed upon us,” he said.