Backcasting Our Way to a More Secure IoT
The Patient Prophecies of Bruce Schneier’s “Click Here to Kill Everybody”
Remember when Facebook CEO Mark Zuckerberg testified before Congress last spring? It was a confusing moment for many, particularly those legislators whose questions were somewhat less than clear. But don’t laugh too hard. It’s not just senior governmental citizens, and the aides who penned their queries, who are bewildered by the inner workings of the social media ecosystem. It’s all of us. The internet is a black box… and as it transmogrifies into the vastly more complicated Internet of Things, the opacity will grow greater—and the ability of government officials and ordinary citizens to interrogate it will shrink. Exponentially.
This has enormous security implications.
“Complexity is the worst enemy of security,” writes Bruce Schneier, author of a superb new book, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. “The more complex a system is, the less secure it is. And our billions of computers, each with their tens of millions of lines of code, connected into the Internet, with its trillions of webpages and unknown zettabytes of data—comprise the most complex machine humankind has ever built.”
Soon, pretty much every physical object will be implanted with a chip. Does this mean that our world is becoming more insecure than ever? (“It used to be that things had computers in them,” Schneier writes. “Now they are computers with things attached to them.”) His answer: Yes. Our healthcare, our economy, our very means of travel and residential spaces will all become increasingly connected, and correspondingly out of our control.
Schneier spends much time mulling the nightmares of connectivity—he talks about bad actors hacking into connected bioprinters to print out viruses that will kill many people fast; he imagines the havoc created by hacking into cars, autonomous and otherwise, and airplanes.
What can we do about this, now, in the nascent stages, to ensure that we have a connected future that we want?
This is Schneier’s central question. Conventionally, he is known as a cybersecurity expert. But after reading his latest book, I think of him as a master backcaster. I don’t know that he’s familiar with the term, or at least as we use it at EPAM Continuum, but Click Here is, to my mind, an outstanding extended application of backcasting.
Schneier looks at the system in which people, things, and the internet interact—he prefers the term Internet+ to Internet of Things or IoT—and envisions an ideal future state in which security would be governmentally regulated, corporately observed, and generally speaking, resilient. He has grand dreams of creating a new federal agency, the National Cyber Office, that will oversee IoT, and has thought much about how it will operate. “The initial purpose of the new agency would not be to regulate, but instead to advise other areas of government on issues that touch on the Internet+.”
One of the superb features of Click Here is that it understands its sometimes quixotic tone: “In my fantasy world, policy decisions would look like they do in Star Trek: The Next Generation. There, everyone sits around a conference table, and the technologists explain the meaning of data and scientific realities to Captain Picard. Picard listens, considers the facts and his options, then makes a policy decision informed by science and technology.”
Schneier is winning when he openly admits that his utopian ideal will not be fully adopted by the powers that be anytime soon. He notes: “You might have found it easy to accuse me of painting a nightmare and responding with daydreams—that while my recommendations might be a good list of what we should do, they bear no resemblance to what we actually will do.” He then explains, in detail, why officials and CEOs are unlikely to take up the cause of security in a serious way.
But he’s extremely realistic in identifying the circumstances that will finally unlock the resistance: “Governments regulate things that kill people, and when the Internet starts killing people it will be regulated. It’s true that fear is a powerful motivator, and can overcome bias towards doing nothing and the political bias towards smaller government.”
Thing is, he knows that waiting until such an awful moment won’t necessarily lead people to make the wisest of decisions—and that’s why he lays out his convincing argument, right here and now, on the pages of Click Here. As he says: “It’s important to talk now about what good Internet+ security policy will look like when we have time to do it slowly and carefully, and before a catastrophe occurs.”
Schneier is pragmatic enough to understand that the key element of backcasting involves finding a mid-step solution and keeping an eye on the ideal future state as we scale forward.
His first solution: Education. He understands that security is an arcane subject and that grasping it requires a systemic understanding of its implications and processes. He works extremely hard to keep his language clear and to use examples that will resonate with non-technical people. For instance, he suggests that we drop the military metaphors and instead reframe security as a “public hygiene or pollution problem,” and this change “will lead us towards different sorts of solutions.” Elsewhere he writes: “We don’t demand that automobile manufacturers produce the safest car possible. We mandate safety standards like seat belts and air bags, require crash tests, and leave the rest to the market. This approach is essential in an environment as dynamic as the Internet+.” His carefully chosen words aim to create a new mindset in readers, and I think it will be effective on the rising generation of policy people and technologists.
The second solution is a call for the development and cultivation of a professional path for cybersecurity folk. Schneier says there is a need for people to succeed him in his own work, and that he needs to help create the conditions for such professional development. He notes that we must bridge the gap between tech and policy. “We need a career path that ensures that even though newcomers to this field won’t earn as much as they would in a high-tech start-up, they will have promising professional futures,” he writes—and then underscores how serious this is: “The security of our computerized and networked society… depends on it.” The policy people need to learn from the technical people, and vice versa. When people with both kinds of expertise can speak clearly to each other, then we will be dealing adequately with IoT security.
What I dig most about this book is that it’s self-conscious enough to understand that it is a volume for tomorrow. A book published long before it will be used. Schneier knows his urgent message will be ignored by the people who most need to pay attention, and he seems resigned to that. He’s not a Cassandra; he’s getting us ready for the people who, one day, will indeed listen. “Despite the imminent threats, I think it will take the younger generation coming into power before any real change in the US takes place,” writes Schneier. When regulation must inevitably be brought to bear, Click Here will be a superb, trustworthy guide. Mark my words. Better yet—mark his.