Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World
by Bruce Schneier
W. W. Norton & Company, 2018.
Hardcover, 288 pages, $28.
Reviewed by Michael J. Ard
What happens when everything is a computer, connected to everything else? How then can we keep the internet, the greatest benefit of the global communications revolution, from spying on us, or even from harming us? In Click Here to Kill Everybody, Bruce Schneier, a prominent writer on computer security issues, explores how to improve our internet security while maintaining the benefits of an increasingly interconnected world.
In his brisk and urgent book, Schneier points out that in the “Internet of Things” (IoT)—the growing trend to connect everything to a computer network—vulnerabilities are increasing and becoming more serious. IoT now approaches 20 billion devices. Everything is a computer, including our cars, our dishwashers, our toasters. We now even have internet-connected clothing. Schneier calls this trend “Internet+.” It is wonderful and convenient, but also potentially scary. As Schneier memorably puts it, a technology that can give you anything you want, can take away everything you have.
Schneier sees two aspects to the problem. The first is that our personal data is out of our control and subject to surveillance or misuse by corporations, the government, or criminals. The public is slowly coming to realize this issue, but legislation to address it in the US lags way behind.
The second problem is perhaps more worrisome: all our devices are too easy to compromise. For example, if everything is a computer or connected to one, then everything can be hacked. And if everything can be hacked, then everything can, in theory, be turned into a weapon against us. Each computer can be repurposed into something potentially harmful, which we now see with “botnets”—computers taken over by hackers to penetrate or crash networks.
Schneier argues the market lacks incentives to produce computers and devices that are more secure. Products are released before any consideration is given to their security. At best, defense against attack is difficult. Part of the problem is that attacks are cheap, and defense is expensive. Hacking tools are often freely distributed, and there is a community of hackers who like the challenge of breaking into secure networks. Primitive hacking techniques such as phishing still work. Many IoT devices cannot be patched or upgraded; they are at the hackers’ mercy. Identifying hackers remains a challenge, although Schneier believes this will eventually be solved.
As Schneier notes, hackers have demonstrated devices can be taken over to inflict physical harm, and this raises the urgency of the security problem. “Class breaks” against the software in cars can allow hackers to control numerous vehicles at once. And with increasing interconnectivity, risks are becoming potentially catastrophic. In 2016 Russian hackers allegedly shut off a Ukrainian substation, causing major blackouts. In 2017 the NotPetya malware caused Maersk Shipping to shut down dozens of terminals, costing the company nearly $1 billion in losses, even though Maersk wasn’t the intended target.
We are trading security for having everything free and convenient. We leave “digital exhaust” everywhere and trust data companies to protect it. Some deserve our trust; others do not. Hacking events like the Equifax attack in 2017 compromised millions of consumers. Equifax, a credit rating firm, had a history of security failures.
Contributing to the security risks is the lack of appropriate authority. The cyber world is like medieval Europe: a collection of weak, decentralized authorities with no coordination. Many entities like Facebook decide what our security will be, and what we are permitted to look at. Without an overarching regulatory body, we will never have, in Schneier’s view, adequate cyber security.
Despite the growing risk, we aren’t turning back from the convenience of “Internet+.” But every year the exposure for our devices grows greater, and malicious hackers become more capable. Schneier calls internet insecurity a “wicked problem” that is hard to define, but more complicated to solve. Yet Schneier is admirably bold about offering solutions. Nearly half the book is dedicated to practical reforms that would improve our security. He throws a lot of ideas out for consideration.
His most ambitious reform would be forming a coordinating body called the National Cybersecurity Office, akin to what the Office of the Director of National Intelligence has been for the fragmented intelligence community. This might be useful in getting the federal government to coordinate on cyber security because right now too many agencies are involved without enough authority and resources.
Schneier believes we need more examples of the government acting against companies that fail to protect data. In 2015, for example, the Federal Trade Commission successfully sued Wyndham Hotels, arguing its poor data security allowed hackers to steal customer data and that the hotel chain had an obligation to provide enough protection. More incentives like this will force companies to ensure “duty of care” for private data.
Government needs to promote practical security standards that don’t suppress creativity and innovation, perhaps by promoting a rating system for products like Underwriters’ Laboratory has provided for electric devices. Congress also needs to revise some standing laws. The little-known Digital Millennium Copyright Act covers all software but prevents reverse engineering that would allow ethical hackers to reveal vulnerabilities.
Yet for Schneier, government bears much of the responsibility on why we are so insecure. The federal government’s insistence on built-in “back doors” to devices makes software vulnerable. The NSA wants IP protocols to be less secure. The FBI wants to be able to break into smart phones. By insisting on back doors to use spying software to catch criminals, the government enables hackers to thrive. This was exposed in 2016 when Apple resisted the FBI’s request to break into the cell phone of Syed Rizwan Farook, the San Bernardino terrorist. In the end, the feds found a way to break in anyway. But Schneier reasons that the greater good is having more secure devices for all of us, even if it makes catching criminals more difficult.
Security fundamentally depends on trust. Having more government control over data probably will undermine trust. Therefore, citizens need more control of “their data.” Government can go far in building this trust by insisting on security over surveillance. Schneier supports the EU’s General Data Protection Regulation, which is quickly becoming a world standard, as helping individuals gain more control over how their data is used and their right to privacy.
Vigorous diplomacy by the U.S. and the EU should pressure countries that don’t comply with international standards. The internet problem is inherently international; we must crack down on hacker safe havens, settle on international norms, and gain international cooperation. The Budapest Convention, which aimed at setting international standards, has not been signed by China and Russia, two hacker safe havens. Schneier believes Washington should redouble its effort to obtain more international compliance.
Schneier presents his case effectively. But he should have further developed his argument on the market forces impacting security. After all, not only companies, but also criminals are incentivized by the market. Most malicious hackers are trying to make money. It makes little sense for them to target devices that offer no monetary reward. What is the opportunity cost for developing a virus that targets appliances? What is the potential payoff? Other events, such as espionage and sabotage, are damaging, but most industries have demonstrated an ability to restore operations quickly. Hidden market forces might be the reason we aren’t having an epidemic of hacked motor vehicles.
For now, we are choosing more convenience over security, and the market reflects that. If we perceived a greater security threat, the market probably would respond with more security options on computers and devices. The public evidently feels that, for now at least, it can live with the manageable risks of greater connectivity.
In the end, the “Internet+” security problem rests with us. Will we change before a catastrophic event, an internet 9/11, forces us to do so?
Michael J. Ard served on the National Intelligence Council and earned his PhD from the University of Virginia. He teaches international relations in the Master of Global Affairs program at Rice University.