But now the problems of the second realm are starting to have the consequences of the first. “The two worlds are colliding,” he says. The impact of an implanted medical device being compromised can be disastrous, so the security needs to be closer to the model used for buildings and planes.
The challenge is how to get vendors to make their products more secure. “Computer security was left to the market. We’ve been OK with imperfect solutions because the effects of failure just aren’t that great.” And customers routinely turn in these devices and buy new ones that are more secure.
The ecosystem that designs security into phones and computers doesn’t exist for thermostats and DVRs, and those devices are traded in infrequently. “I expect to replace my thermostat approximately never,” he says. In the case of DVRs hijacked to be part of the Mirai botnet, neither the manufacturers nor the customers cared because they weren’t affected. The DVRs still worked for the customers, so the vendors received no complaints.
“The market tends not to protect things without government intervention,” he says. And all of that protection doesn’t have to come from the U.S. government.
Consumers here can benefit from government interventions elsewhere. European Union regulations will require vendors to meet certain standards, and it makes sense that if they do so, they would sell those compliant products elsewhere. So if good regulations are required there, chances are these more secure products will also be sold here.
Regulations aren’t popular, but they are becoming necessary, Schneier says. “Governments are going to get involved, regardless. The stakes are too high.”