LAKE TAHOE, CALIF. — At a time when tech companies are locked in an awkward dance with the government, one security expert says that the open-source community must embrace working with lawmakers or face death by regulation.
“We’ve had this special right to code the world as we see fit,” says security guru Bruce Schneier, speaking at the Linux Foundation’s Open Source Leadership Summit. “My guess is that we’re going to lose this right because it’s too dangerous to give it to a bunch of techies.”
Up until now, he noted, the industry has left security to the market with decent results, but the tune has changed with the internet of things (IoT). Your connected car, toaster, thermostat and medical devices are turning the world into what amounts to a robot, says Schneier, who appeared via Skype from a darkened room while attending RSA, making his predictions about the future even more ominous. This “world robot” is not the Terminator type that sci-fi fans expect, but rather one with neither a single goal nor a single creator.
“As everything becomes a computer, computer security becomes everything security,” he says. With IoT, the traditional paradigms of security are out of sync, sometimes with disastrous results. In one paradigm, things are done right and properly the first time (buildings, cars, medical devices); in the other (software), the goal is to be agile, and developers can always add patches and updates as vulnerabilities arise. “These two worlds are colliding (literally) now in things like automobiles, medical devices and e-voting.”
RT linuxfoundation: Schneier: We’ll never get policy right if policymakers get the technology wrong. #lfosls
— Adil Mishra (@AdilMishra1) February 14, 2017
Your computer and phone are secure because there are teams of engineers at companies like Apple and Google working to make them secure, he said, holding up his own iPhone. With “smart” devices, there are often external teams who build libraries on the fly and then disband. You also replace your phone every two years, which ensures updated security, but you replace your car every 10 years, your refrigerator every 25 years and your thermostat, well, never.
The effect is colossal: there is a fundamental difference between what happens when a spreadsheet crashes and a car or pacemaker crashes. From the standpoint of security professionals “it’s the same thing, for the rest of the world it’s not.”
#lfosls Bruce Schneier – 5.5m new devices connect to the Internet every day, most with poorly written, insecure, non-updatable software
— Rod Cope (@RodCope) February 14, 2017
That’s where he expects the government to come in. He predicts that the first line of intervention will be through the courts — most likely liability and tort law — with Congress following.
“Nothing motivates the U.S. government like fear,” he says. So the open-source community must connect with lawmakers because there’s “smart government involvement and stupid government involvement. You can imagine a liability regime that would kill open source.”
His talk was in step with the earlier keynote by Jim Zemlin, the Linux Foundation’s executive director, who said that cybersecurity should be at the forefront of everyone’s agenda.
Bruce Schneier: “We have prioritized features, speed, and price over security.” Oops! #lfosls
— Yev the dev (@YevTheDev) February 14, 2017
Schneier made a plea for the open-source community to get involved with policy before it’s too late. He pitched the idea of an IoT security regulatory agency in the hope of bringing new expertise and control to the ever-shifting tech landscape.
“We build tech because it’s cool. We don’t design our future, we just see what happens. We need to make moral and ethical decisions about how we want to work.”
“This is a horribly contentious idea but my worry is that the alternatives aren’t viable any longer,” he said.
Cover photo: Chris Isherwood