Consider these three incidents, and their implications.
Scenario one: In 2015, two security researchers took over the controls of a Jeep Cherokee. They did it from ten miles away through the vehicle’s Internet-connected entertainment system. A video shows the driver’s terrified expression as he’s driving on a highway, powerless while the hackers turn on the air-conditioning, change the radio station, turn on the wipers, and eventually kill the engine. Since this was a demonstration and not a murder attempt, the researchers did not take control of the brakes or the steering, but they could have.
This isn’t a one-off trick. Hackers have demonstrated vulnerabilities in several automobile models. They hacked in through the diagnostics port. They hacked in through the DVD player. They hacked in through the OnStar navigation system and the computers embedded in the tires.
Airplanes are vulnerable, too. There’s been nothing as vivid as the Jeep demonstration, but security researchers have been making claims that the avionics of commercial airplanes are vulnerable via the entertainment system and through air-to-ground communications systems. For years, airplane manufacturers denied that hacking an airplane was possible. Finally, in 2017, the US Department of Homeland Security demonstrated a remote hack of a Boeing 757. No details were provided.
Scenario two: In 2016, hackers—presumably Russian—remotely detonated a cyberweapon named CrashOverride at the Pivnichna high-voltage power substation near Kiev in Ukraine, shutting it down.
The CrashOverride attack was different from the cyberattack that targeted the Prykarpattyaoblenergo control center in Western Ukraine the previous year. That attack also caused a blackout, but it was a more manual attack. There, the attackers—again, presumably Russian—gained access to the system via a malware backdoor, then remotely took control of the center’s computers and turned the power off. (One of the station operators recorded a video of it happening.) CrashOverride, on the other hand, did it all automatically.
In the end, the people who received their power from the Pivnichna substation got lucky. Technicians there took the plant offline and manually restored power an hour or so later. It’s unclear whether similar US plants have the same manual overrides, let alone staff with the skill to use them.
CrashOverride was a military weapon. It was modularly designed, and could easily be reconfigured for a variety of targets: gas pipelines, water treatment plants, and so on. It had a variety of other “payloads” that weren’t even fired off in the Ukraine attack. It could have repeatedly cycled the substation power on and off, physically damaging the equipment and shutting down power for days or weeks. In the middle of a Ukrainian winter, this would be fatal for many people. And while this weapon was fired as part of a government operation, it was also a test of capability. In recent years, Russian hackers penetrated more than 20 US power stations, often accessing critical systems but without causing damage; these were also tests of capability.
Scenario three: Over a weekend in 2017, someone hacked 150,000 printers around the world. The hacker wrote a program that automatically detected common insecure printers and had them repeatedly print ASCII art and taunting messages. This kind of thing happens regularly, and it’s basically vandalism. Earlier in the same year, printers at several US universities were hacked to print anti-Semitic flyers.
We haven’t yet seen this kind of attack against 3D printers, but there’s no reason to believe they are not similarly vulnerable. Hacking one would still only result in expense and annoyance, but the threat level changes dramatically when we consider bio-printers. These are still in their infancy, but the potential is that viruses customized to attack individual patients’ cancers or other illnesses could be synthesized and assembled by automated equipment.
Imagine a future where those bio-printers are common in hospitals, pharmacies, and doctors’ offices. A hacker with remote-access capabilities and the proper printing instructions could force a bio-printer to print a killer virus. He could force the printer to print lots of it, or force many printers to print smaller batches. If the virus could spread widely enough, infect enough people, and be persistent enough, we might have a worldwide pandemic on our hands.
“Click here to kill everybody,” indeed.
Why are these scenarios possible? A 1998 car wasn’t vulnerable to people miles away taking over its controls. Neither was a 1998 power substation. The current models are vulnerable, and the future bio-printer will be vulnerable, because at their core they are computers. Everything is becoming vulnerable in this way because everything is becoming a computer. More specifically, a computer on the Internet.
Your oven is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your camera is a computer with a lens and a shutter. An ATM is a computer with money inside. And modern light bulbs are computers that shine brightly when someone—or some other computer—flips a power switch.
Your car used to be a mechanical device with some computers in it. Now, it is a 20- to 40-computer distributed system with four wheels and an engine. When you step on the brake, it might feel as if you’re physically stopping the car, but in reality you’re just sending an electronic signal to the brakes; there’s no longer a mechanical connection between the pedal and the brake pads.
Your phone became a powerful computer in 2007, when the iPhone was introduced.
We carry those smartphones everywhere. And “smart” is the prefix we use for these newly computerized things that are on the Internet, meaning that they can collect, use, and communicate data to operate. A television is smart when it constantly collects data about your usage habits to optimize your experience.
Soon, smart devices will be embedded in our bodies. Modern pacemakers and insulin pumps are smart. Pills are becoming smart. Smart contact lenses will not only display information that is based on what you see, but monitor your glucose levels and diagnose your glaucoma. Fitness trackers are smart and increasingly capable of sensing our bodily states.
Objects are also getting smart. You can buy a smart collar for your dog and a smart toy for your cat. You can buy a smart pen, a smart toothbrush, a smart coffee cup, a smart sex toy, a smart Barbie doll, a smart tape measure, and a smart sensor for your plants. You can even buy a smart motorcycle helmet that will automatically call an ambulance and text your family if you have an accident.
We’re already seeing the beginnings of smart homes. The virtual assistant Alexa and its cousins listen for your commands and respond. There are smart thermostats, smart power outlets, and smart appliances. You can buy a smart bathroom scale and a smart toilet. You can buy smart light bulbs and a smart hub to control them. You can buy a smart door lock that will allow you to give repair technicians and delivery people a onetime code to enter your home, and a smart bed that senses your sleeping patterns and diagnoses your sleep disorders.
In workplaces, many of those same smart devices are networked together with surveillance cameras, sensors that detect customer movements, and everything else. Smart systems in buildings will provide more efficient lighting, elevator operation, climate control, and other services.
Cities are starting to embed smart sensors in roads, streetlights, and sidewalk squares, as well as smart energy grids and smart transportation networks. Soon, cities will be able to control your appliances and other home devices to optimize energy use. Networks of smart driverless cars will automatically route themselves to where they’re needed, minimizing energy use in the process. Sensors and controls in the streets will better regulate traffic, speed up both police and medical response times, and automatically report road flooding. Other sensors will improve the efficiency of public services, from dispatching police to optimizing garbage truck routes to repairing potholes. Smart billboards will recognize you as you walk by and display advertising tailored to you.
A power substation is really just a computer that distributes electricity, and—like everything else—it’s on the Internet. CrashOverride didn’t infect the Pivnichna substation directly; it was hiding in the computers of a control room miles away, which was connected to the station over the Internet.
This technological shift occurred during the last decade or so. It used to be that things had computers in them. Now they are computers with things attached to them. And as computers continue to get smaller and cheaper, they’re being embedded into more things, and more things are turning into computers. You might not notice it, and you certainly don’t shop for cars and refrigerators as computers; you buy them for their transportation and cooling functions. But they’re computers, and that matters when it comes to security.
Our conception of the Internet is also shifting. We no longer go to a specific place in our homes or offices and log on to what appears to be a separate space. We no longer enter a chat room, download our e-mail, or—in many cases—surf the Internet. Those spatial metaphors don’t make sense anymore, and in a few years, saying “I’m going on the Internet” will make about as much sense as plugging in a toaster and saying “I’m going on the power grid.”
The name given to this ubiquitous connectivity is the “Internet of Things” (IoT). It’s mostly a marketing term, but it is also very real. The tech analyst firm Gartner defines it as “the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” It’s about connecting all sorts of devices over the Internet, and letting them talk to us, each other, and different computer applications.
The magnitude of this change is staggering. In 2017, there were 8.4 billion things attached to the Internet—primarily computers and phones—an increase by a third over the previous year. By 2020, there are likely to be somewhere between 20 and 75 billion, depending on whose estimates you believe.
This explosive growth comes from vendors who are looking for a competitive edge, or who just want to keep up with the competition and decide that making their products “smart” will do the trick. As computers become smaller—and even cheaper—we will start seeing them in more places.
Your washing machine is already a computer that cleans clothes. When the newest, cheapest, and best embedded computers have Internet connectivity, it will be easier for your washing machine manufacturer to include that feature. And then it will become harder and harder for you to buy a new washing machine without Internet connectivity.
Two years ago, I tried and failed to buy a new car without an Internet connection. There were cars for sale without Internet connectivity, but it was standard in all of the cars I otherwise wanted. As the price of these technologies decreases, this will happen to everything. The Internet will become part of cheaper and less versatile devices, until it’s a standard feature with everything.
Today, it might seem dumb that your washing machine has an Internet connection, and impossible that your T-shirt someday will. But in a few years, it will just be the normal state of things. Computers are still getting more powerful, smaller, and cheaper; all it will take for Internet-enabled clothing to become the norm is for the cost of a microprocessor to be lower than the benefit to the retailer of automatic inventory tracking pre-sale and of automatic use tracking post-sale. In another decade, you might not be able to buy a sensor-free T-shirt, and by then you’ll take it for granted that your washing machine talks with the clothes it’s washing and automatically determines the optimal cycle and detergent to use. Then the washing machine manufacturer will sell the information about what you’re wearing—and no longer wearing—to the clothing manufacturers.
Whenever I talk about this kind of thing, there are people who ask, “Why?” They can understand reducing energy use but can’t fathom why anyone would put their coffeepot or toothbrush on the Internet. “The ‘Smart Everything’ Trend Has Officially Turned Stupid,” read one 2016 headline, about an early attempt at an Internet-connected refrigerator.
The answer is simple: market economics. As the cost of computerizing devices goes down, the marginal benefit—in either features provided or surveillance data collected—necessary to justify the computerization also goes down. This benefit could be to the user in terms of additional features, or to the manufacturer in terms of learning about and marketing to its user base. At the same time, chip suppliers are moving away from making specialty chips and towards making general-purpose, mass-produced, cheaper chips. As these embedded computers become standardized, it will be less expensive for manufacturers to include connectivity than to remove it. It will literally be cheaper to litter the city with sensors than to clean litter off the sidewalks.
There are advantages to computerizing everything—some that we can see today, and some that we’ll realize only once these computers have reached critical mass. The Internet of Things will embed itself into our lives at every level, and I don’t think we can predict the emergent properties of this trend. We’re reaching a fundamental shift that is due to scale and scope; these differences in degree are causing a difference in kind. Everything is becoming one complex hyper-connected system in which, even if things don’t interoperate, they’re on the same network and affect each other.
There is more to this trend than the Internet of Things. Start with the IoT or, more generally, cyberphysical systems. Add the miniaturization of sensors, controllers, and transmitters. Then add autonomous algorithms, machine learning, and artificial intelligence. Toss in some cloud computing, with corresponding increases in capabilities for storage and processing. Don’t forget to include Internet penetration, pervasive computing, and the widespread availability of high-speed wireless connectivity. And finally, mix in some robotics. What you get is a single global Internet that affects the world in a direct physical manner. It’s an Internet that senses, thinks, and acts.
These are not distinct trends, but ones that converge with, build on, and reinforce each other. Robotics uses autonomous algorithms. Drones combine the IoT, autonomy, and mobile computing. Smart billboards combine personalization with the IoT. A system that automatically regulates water flowing over a dam combines cyberphysical systems, autonomous agents, and probably cloud computing.
And although we’d like to think otherwise, humans are just another component in many of these systems. We provide inputs to these computers and accept their outputs. We are the consumers of their automated functionality. We provide the connections and communications between systems that haven’t quite become smart enough to cut us out of the loop. We move these systems around, at least the ones that aren’t physically autonomous. We affect these systems, and we are affected by these systems. To a very real degree, we will become virtual cyborgs even if these devices remain distinct from our physiology.
We need a name for this new system of systems. It’s more than the Internet, more than the Internet of Things. It’s really the Internet + Things. More accurately, the Internet + Things + us. Or, for short, the Internet+. Honestly, I wish I didn’t have to coin a term, but I can’t find an existing term that describes the apotheosis of all of those trends. So, “Internet+” it is, at least in this book.
Of course, words like “smart” and “thinks” are relative. At this point, they’re more aspirational than anything else. Much of the IoT isn’t very smart, and much of it will be stupid for a very long time. But it will continually grow smarter. And while it’s very unlikely that we’ll see conscious computers anytime soon, computers already behave intelligently on specific tasks. The Internet+ is becoming more powerful through all the interconnections we’re building. It’s also becoming less secure. This book tells the story of why that’s true, and what we can do about it.
It’s a complicated story, and I tell it in two parts. In Part I, I describe the current state of computer security—technically, politically, and economically—as well as the trends that got us here. Computers are becoming smaller and more adept at manipulating the physical world, but they’re still basically the same computers we’ve been working with for decades. The technical security issues remain unchanged. The policy issues are the same ones we’ve been struggling with. And as computers and communications become embedded into everything, one industry after another will start looking like the computer industry. Computer security will become everything security, and the lessons of computer security will become applicable everywhere. And if there’s one thing we know about computers, whether they’re cars, power substations, or biological printers, it’s that they’re vulnerable to attack by hobbyists, activists, criminals, nation-states, and anyone else with technical capacity.
In Chapter 1, I briefly cover all the technical reasons why the Internet is so insecure. In Chapter 2, I discuss the primary way we maintain security in our systems—patching vulnerabilities when they’re discovered—and why that will fail on the Internet+. Chapter 3 talks about how we prove who we are on the Internet, and how we can hide who we are. In Chapter 4, I explain the political and economic forces that favor insecurity: surveillance capitalism, cybercrime, cyberwar—and the more invasive corporate and government practices that feed off insecurity.
Finally, in Chapter 5, I describe why the risks are increasing, and how they will become catastrophic. “Click here to kill everybody” is hyperbole, but we’re already living in a world where computer attacks can crash cars and disable power plants—both actions that can easily result in catastrophic deaths if done at scale. Add to that hacks against airplanes, medical devices, and pretty much all of our global critical infrastructure, and we’ve got some pretty scary scenarios to consider.
If you’re a regular reader of my books, articles, and blog, a lot of Part I will be review. If you’re new to all of this, the chapters are important groundwork for what’s to come.
The thing about Internet+ security is that we’re all used to it. Up to now, we’ve generally left computer and Internet security to the market. This approach has largely worked satisfactorily, because it mostly hasn’t mattered. Security was largely about privacy, and entirely about bits. If your computer got hacked, you lost some important data or had your identity stolen. That sucked, and might have been expensive, but it wasn’t catastrophic. Now that everything is a computer, the threats are about life and property. Hackers can crash your car, your pacemaker, or the city’s power grid. That’s catastrophic.
In Part II of this book, I discuss the policy changes necessary to secure the Internet+. Chapters 6, 7, and 8 deal with the what, the how, and then the who of improving Internet+ security. None of this is novel or complicated, but the devil is in the details. By the time you get through Chapter 8, I hope to have convinced you that the “who” is government. Although there is considerable risk in giving government this role, there isn’t any viable alternative. The current sloppy state of Internet+ security is the result of poorly aligned business incentives, a government that prioritizes offensive uses of the Internet over defense, collective action problems, and market failures that require intervention to fix. One of the things I propose in Chapter 8 is a new government agency to coordinate with and advise other agencies on Internet+ security policy and technology. You might disagree with me. That’s fine, but it’s a debate we need to have.
Chapter 9 is more general. In order to be trusted, government needs to prioritize defense over offense. I describe how to do that.
Practically speaking, it’s unlikely that many of the policy changes I propose in Chapters 6 through 9 will actually happen in the near term. So in Chapter 10, I try to be more realistic and discuss what is likely to happen and what we can do in response, both in the US and in other countries. Chapter 11 talks about some current policy proposals that will actually damage Internet+ security. Chapter 12 is again general and discusses how we can create an Internet+ where trust, resilience, and peace are the norms—and what it might look like.
Fundamentally, I am making an argument for good government doing good. It can be a hard argument to make, especially in the strongly libertarian, small-government, anti-regulation computer industry, but it’s an important one. We’ve all heard about the ways government makes mistakes, does its job badly, or simply gets in the way of technological progress. Less discussed are all the ways that government steers markets, protects individuals, and acts as a counterweight to corporate power. One of the major reasons the Internet+ is so insecure today is the absence of government oversight. As the risks become more catastrophic, we need government to get involved more than ever.
I end this book with a call to action—both to policy makers and to technologists. These policy discussions are inherently technical. We need policy makers who understand technology, and we need to get technologists involved in policy. We need to create and nurture the field of public-interest technologists. This need applies to more fields than Internet+ security. But I call for it in my particular area of technology, because it’s the area I know.
Several additional themes weave throughout the book.
This book covers a lot of ground, which means that the book passes over much of it quickly and cursorily. The extensive endnotes are intended to be both references and invitations for further reading, and they were all verified at the end of April 2018. Those are on the book’s website as well, where they are clickable links: https://www.schneier.com/ch2ke.html. If there are any updates to the book, that’s where you’ll find them. Schneier.com is also where you’ll find my monthly e-mail newsletter and my daily-updated blog on these topics, as well as all my other writings.
I see these issues from a meta level. I’m a technologist at core, not a policy maker or even a policy analyst. I can describe the technological solutions to our security problems. I can even explain the sorts of new policies necessary to identify, generate, and implement those technological solutions. But I don’t write about the politics of making those policy changes. I can’t tell you how to garner support for or enact those policy changes, or even discuss feasibility. This is a gaping hole in the book, and I accept it.
I also write from a US perspective. Most of the examples are from the US, and most of the recommendations apply to the US. For one thing, it’s what I know best. But I also believe that the US serves as a singular example of how things went wrong, and—because of its size and market position—the US is in a singular position to change things for the better. Although this is not a book about international issues and the geopolitics of Internet security, aspects of that are sprinkled around these chapters.
These issues are constantly evolving, and a book like this is necessarily a snapshot in time. I remember when I finished Data and Goliath in March 2014; I thought about its publication date six months in the future and hoped nothing would happen to change the book’s narrative in the meantime. I’m feeling the same way right now, but more confident that a major event that would require a rewrite will not occur. Certainly, fresh stories and examples will arise, but the landscape I describe here is likely to be current for many years.
The future of Internet+ security—or cybersecurity, if you’re of a military bent—is a huge topic, and most of the chapters in this book could easily be books in themselves. My hope is that by offering breadth rather than depth, I can familiarize readers with the lay of the land, provide a sense of the issues, and draft a road map towards improvement. My goals are to attract a larger audience to this important discussion, and to help educate people for a more informed discussion. We will be making significant decisions over the next few years, even if the decision we make is to do nothing.
These risks are not going away. They’re not isolated to countries with less developed infrastructures or more totalitarian governments. They’re not waning as we figure out the mess that is our dysfunctional political system in the US. And they’re not going to magically solve themselves through market forces. To the extent that we solve them, it’s going to be because we have deliberately decided to—and have accepted the political, economic, and social costs of our solutions.
The world is made of computers, and we need to secure them. To do that, we need to think differently. At a 2017 Internet security conference, former FCC chairman Tom Wheeler riffed off former secretary of state Madeleine Albright, quipping that “we’re facing 21st-century issues, discussing them in 20th-century terms, and proposing 19th-century solutions.” He’s right, and we need to do better. Our future depends on it.
—Minneapolis, Minnesota, and Cambridge, Massachusetts, April 2018