Bruce Schneier, one of the leading voices in the cyber security field, stunned a major conference of industry experts yesterday by openly calling for the establishment of a new government agency to regulate security on the Internet. But Schneier’s plea for government intervention is already being met with skepticism as technologists grapple with a rising tide of breaches and new software vulnerabilities.
Speaking at the Rsa Conference in San Francisco yesterday, Schneier said that the proliferation of web-connected IoT (Internet of Things) devices has not only created a massive security problem, it also raised the stakes significantly as everything from cars to thermostats to health care systems depend on a secure platform.
“It’s one thing for Reddit to be DDoSed (blocked),” said Schneier at the RSA gathering. “It’s another for your home thermostat to be (shut down) in the winter.”
The cryptographer, who is a special adviser to IBM, expressed a belief that this new, more serious threat to citizens will require law and technology to work together. He drew a comparison with nuclear power, where concerns about the safety and controls over that area led to the establishment of the U.S. Department of Energy.
Government intervention is inevitable
Schneier, who has famously challenged TSA’s airport security by going through checkpoints with a fake boarding pass, admitted yesterday that the government will get involved regardless of how his colleagues in the notoriously regulation-averse tech world feel about it.
“Like it or not, government intervention is coming,” said Schneier. “When computers start killing people, there are going to be consequences.”
He called for the establishment of a new regulatory agency to take control of cyber security for the country, while citing the precedent of creating the Department of Homeland Security in the aftermath of the 9/11 terrorist attacks.
“Nothing motivates the U.S. government more than fear,” said Schneier.
But the creation of a new agency to deal with increased hacking and computer security threats may not be easy. In a separate interview for this story, Dr. Sameer Bhalotra, who served as senior director for cyber security under President Barack Obama, expressed doubt that Congress would create such a department.
“There’s no appetite in Congress to create a new agency,” said Bhalotra. “A lot of Congressional committees would have to agree, and that’s unlikely.”
Microsoft executive calls for global action
The escalation of Internet-based attacks and security vulnerabilities has been a major topic of discussion at RSA this week, as a parade of public officials and company executives echoed Schneier’s concern about the current state of cyber security. In a keynote speech at the conference yesterday morning, Microsoft President Brad Smith called for the world’s governments to do more together as they did in 1949 when the Geneva Conventions were enacted to protect citizens in a time of war. “What we need now is a digital Geneva Conventions,” said Smith.
In remarks later in the day, Congressman Michael McCaul, chairman of the House Homeland Security Committee, told attendees that he wants to see state-sponsored hacking come to an end as soon as possible. “We are in the fight of our digital lives and we are not winning,” said McCaul. “Our adversaries are turning digital breakthroughs into digital bombs.”
To underscore the urgency facing the security world as more IoT devices flood the market, one Intel executive described how his firm recently placed a computer system disguised as a common VCR on the Internet to lure cyber attackers. It became infected with malware in less than one minute, launched from a foreign country thousands of miles away.
“As everything becomes a computer, security becomes everything to us,” said IBM’s Schneier. As evidenced by the intense debate echoing through the convention halls at RSA this week, there are no easy answers for how to protect what the tech industry has built.