It’s kind of amazing to think about how much change we’ve seen in our daily lives in our lifetimes. I sent my first email sometime in the late 80s or early 90s, a reply to a professor who had to call me on the phone to tell me I had mail. I remember when we retired the card catalog and the day I unpacked the first public-use computer that students could use to search for articles on CD-ROMs. I remember when faculty turned to us for help teaching students how to evaluate these newfangled websites. Now we’re all struggling again, trying to figure out how to help students understand a changing and often toxic information environment. All that has happened in a few decades.
Meanwhile my colleagues in IT are fighting a whole different battle – protecting the campus infrastructure that we rely on more and more from a host of threats. In very short order we’ve built out the internet that few of us even knew about thirty years ago to reach billions across the planet. We use it for commerce, for financial transactions, for running critical infrastructure, and for commercial and state surveillance. It’s connected to our baby monitors and our garage door openers, to the tiny computers we carry in our pockets, and to weapons systems. It’s beginning to connect our refrigerators and cars and thermostats and medical implants. And it’s grown so fast it’s full of vulnerabilities.
I’ve always admired Bruce Schneier’s ability to make complex technical issues understandable and to propose solutions, not just pose problems. His new book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World, has persuaded me that it doesn’t really matter if I refuse to have Alexa in my home and resist buying consumer products that are tied to the Internet of Things. This connectivity will happen with or without me, and the security risks we face – the ones our IT folks spend so much of their time addressing – are both pressing and solvable.
The first half of the book explains the problem. Surveillance capitalism currently drives the internet, and soon the things that surround us will be part of it. Gathering volumes of data to buy, sell, trade, store, and process puts it at risk of being stolen, and puts us at risk of being controlled by the companies that gather that data, by governments that use the data, and by anyone who steals the data. This space is where new wars are being fought, with states using the vulnerabilities that put us at risk to attack other states. As more things are connected and dependent on the internet, the risks are growing catastrophic, and some of those risks can come through trivial devices that weren’t designed with security in mind. We’ve moved fast. We have no idea how many things might break.
The second half of the book is about solutions. Schneier is under no illusions this will be quick or easy, but there are things we can do, and he makes a good case that we must do them. He recommends (and describes) steps that will help – and some of them are so obvious it’s scary that we don’t already insist on them:
- Be transparent about how a product or service handles security.
- Make software easily patchable.
- Test software thoroughly before it’s released.
- Make software secure out of the box. Don’t ship it with known vulnerabilities. Apparently this happens all too often.
- Design software to do as little harm as possible if it fails. If your refrigerator loses its internet connection, it must still keep your food cold.
- Use shared standards.
- Encrypt and authenticate data.
- Support security research and testing by trustworthy parties.
He also takes down “solutions” people have proposed that would simply make things worse.
Making the internet secure will take government intervention, which at the moment seems impossible, but it isn’t. We know it’s important to inspect food and elevators and demand safety checks on airplanes. We decided to do these things because they made us safer, healthier, and more able to realize our potential. We need to start taking seriously how important the internet is and take steps to make it resilient and safe. I hope some of the ideas Schneier proposes will be implemented before it’s too late.
Meanwhile, if your IT folks ask you to do something that seems annoying or inconvenient for the sake of security, take a deep breath, hit pause on your I'm-too-busy life, and do it. The risks are just too high if we don't take care.