IoT security: Lack of expertise will hurt, says Bruce Schneier

The lack of relevant technical expertise by governments is going to hurt when it comes to securing the internet of things (IoT), according to security technologist Bruce Schneier.

Governments have a crucial role to play in tackling what he sees as the next big security challenge, he told Infosecurity Europe 2016 in London.

One of the biggest challenges, according to Schneier, is that there is no good regulatory structure for IoT which connects finance, health, energy and transport information.

“We don’t know how to do this, so we are going to need government solutions that are holistic that will deal with IoT devices no matter what they are doing,” he said.

There is a requirement, added Schneier, for a new type of national and international structure to handle the new types of systems that are connecting data in new ways.

He said that these new structures should be repositories for new technical expertise that is lacking in current government policy debates.

There is stark lack of expertise, said Schneier, in things like large personal databases, algorithmic decision-making, IoT, cloud storage and computing, robotics, autonomous agents.

“These are all things that the government is going to run headlong into and need to make decisions about because there are a lot a decisions that markets aren’t going to solve,” he added.

Some pundits have suggested that market forces will address many of the potential risks of IoT, but Schneier doubts they will and claimed that markets are short-term, profit-motivated and work at the expense of society.

“There also needs to be some counterbalancing force to the enormous corporate power we are generating through the innate network effects of the internet,” he said.

Schneier believes there is a need for governments to take action because any alternative would naturally be ad hoc and piecemeal.

To move forward, however, he said governments will have to acquire the relevant expertise, they will have to be willing to do the hard work, and they will have to tackle associated international issues.

“Governments are going to get involved regardless because the risks are too great [not to]. When people start dying and property starts being destroyed, governments are going to have to do something,” said Schneier.

“Our choice is not between government involvement and no government involvement, but between smart government involvement and stupid government involvement, and my fear is that if we wait, and something happens, we will get stuck with stupid government involvement without much creative problem solving.”