Posted by on Sep 6, 2018
Paul Baccas reviews 'Click here to Kill Everybody' by Bruce Schneier
Title: Click Here to Kill Everybody: Security and Survival in a Hyper-connected World
The great and memorable title of Bruce Schneier's latest book, 'Click Here to Kill Everybody', certainly caught the eye of those in my household – my children kept trying to touch the button on the front cover to 'kill everybody’! (Indeed, the book's attention-grabbing title may make me a little wary about reading it openly on the Tube or while going through airport security.)
Of course, the book is not really about how to kill everybody, but rather how, from an ethical standpoint on the part of tech, and a moral standpoint on the part of government, we appear to be sleep-walking into a scenario where something, whether by accident or design, could possibly 'click here' and kill everyone.
My advance reading copy wasn’t quite ready for publishing, but as it stood the book was divided into three approximately equal sections:
The second section describes the things technologists and policy makers should consider in order to bring about the changes needed for the Internet of the future.
Finally, as with Schneier's previous book, the third section contains copious notes.
In the introduction ('Everything is a Computer'), Bruce describes three situations: hacking a car; hacking the power supply; and hacking printers (conventional, 3D and bioprinters). For each of these he expands on the potential issues: death of multiple passengers; wide-scale human and economic damage; etc. The overriding theme is that, as things get 'smarter' or more computerised, 'your "smart" X [increasingly becomes] a computer that also does X!'
For example, your 'smart' oven is a computer that makes things hot, and your 'smart' car is a computer with wheels, etc. These 'smart' devices then suffer from the same security problems as computers, in particular patching and updating. They are networked together into the ubiquitous Internet of Things, or IOT (where an 'S' for security is so silent as to be missing altogether). The convergence of IOT, AI and autonomous algorithms, and cloud computing becomes what Bruce calls the new 'Internet+' (missing, probably intentionally, the geeky pun 'Internet++').
In chapters 1 to 5, the book looks at the current state of the Internet and explores trends. Questions are posed and answered in coherent ways and the chapters cover the themes:
Does patching work?
Anonymity and trust.
Economics of security.
How are the risks growing?
It discusses how, like the Red Queen, defenders must run fast just to stay still, how attackers have the advantage of asymmetry (they can try 1,000s of attacks and only one needs to succeed), how security is an expensive add-on to a system, and how it has no tangible economic benefit. This part of the book also describes events in the recent past that have been caused by malicious and state-sponsored actors, where computers have been instrumental in causing economic damage, if not actual deaths.
As I was reviewing the book, news hit the wires of the compromise of thousands of MikroTik routers in Brazil. A vulnerability discovered, patched, but not updated in a timely manner resulted in a cryptominer being installed and stealing CPU cycles and electricity. This incident highlighted many of the themes in the book: cheap commodity hardware with little incentive to produce security-hardened products (extra expense); consumers having no level by which to gauge trust in the vendor; the failure of the patching and updating paradigm; and how it is now easier to go back to the shop and by a new router than it is to fix the issue. MikroTik is not alone in its routers being compromised: in recent months bigger vendors – who should know better – have also been fixing backdoors in their products.
In the second part of the book, Bruce discusses policy and how policy makers can affect the security of the Internet+. Technologists look for the correct answer, or at least the optimum solution. Meanwhile, politicians tend to be more pragmatic, looking for compromises, and appealing to interest groups. However, until the politicians see an issue, a.k.a. people dying, they lack the motivation to make the Internet+ secure, especially since lobby groups such as industry, law enforcement and intelligence communities will lobby for:
the status quo
The book's conclusions are not hopeful: the gap between 'the two cultures' that separate technologists and politicians is currently a wide abyss. There are those, like Bruce, who are trying to span the gap and create a bridge, but we still regularly hear politicians ask for things that, to a technologist's ears, are impossible. To paraphrase Scotty 'Ya cannae break the law of mathematics, Captain'. The Pandora’s box of technology is well and truly open and will never be closed. The Internet+ is now common, and to prevent a tragedy of the commons, technologists must lobby for government to provide leadership and guidance, and policy makers must seek out technologists. Moreover, technologists need to become policy makers.
This thought-provoking book will mainly have you nodding in agreement and shaking your head in frustration. The future is not yet written, and so prediction, like attribution, is hard. Hopefully, enough people will read the book to change the path of the future. I plan to re-read it, and there can be no greater praise.