Click Here to Kill Everybody, book review: Meeting the IoT security challenge

In the Internet of Things era, cyberattacks can cause actual death and destruction. Bruce Schneier surveys this security nightmare, and looks for solutions.
Written by Wendy M Grossman, Contributor

Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World • By Bruce Schneier • Norton • 319 pages • ISBN: 978-0-393-60888-5 • £19.99 / $27.95

Sometimes the human race just isn't that smart. The Internet of Things is a case in point: today's internet is a mess of security vulnerabilities and coding errors. As the size of data breaches and cost of cyber attacks escalates week by week, now we want to exponentially increase the complexity, attack surface and dangers by wirelessing up billions of ultra-cheap devices, any one of which might bring the whole thing down. In the words of the great Jewish prophets: Oy.

Surveying the shape of this monster takes up the first third of Bruce Schneier's latest book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. Anyone who follows security can probably skip most of it, as it's largely familiar material. Schneier outlines three primary use cases: a cyber attack against a power grid; murder by remote hacking of a connected car; and the "click here to kill everybody" of the title, in which a hacked bioprinter goes into overdrive replicating a lethal virus. That background over, Schneier tries to come up with solutions to this unwelcome security nightmare that's rushing towards us.

Most of Schneier's recommendations are about policy and regulation rather than technology. To create 'Internet+' (that is, internet plus security), he suggests developing standards (both principles and rules), promoting public education, correcting information asymmetries, closing the skills gap, and funding research, maintenance and upkeep.

SEE: 10 ways to raise your users' cybersecurity IQ (free PDF)

More difficult is his recommendation to correct misaligned incentives, which means introducing product liability into the software industry. In this suggestion Schneier is not alone; Cambridge University professor Ross Anderson and Gresham College professor Martyn Thomas, among many others, have advocated liability for years. The industry's fierce resistance may have been acceptable when the stakes were purely financial, but when we're talking cars, power grids and medical equipment, human lives are at stake. Schneier also suggests granting customers the right to sue IT vendors when things go badly wrong.

Regulation and co-operation

Schneier also suggests a new regulatory agency for cyber security, given that the effectiveness of agencies such as the current Federal Communications Commission waxes and wanes as their governments' administrations change policy. This is hard to assess, but Schneier is certainly right to say that governments have a crucial regulatory role to play in forcing industry to adopt better security practices. His argument that governments should "demilitarise" the internet by shifting from focusing on offence to promoting defence and strengthening the resilience of every part of the infrastructure is also sound. He also argues for international cooperation, since no single country can hope to change a global, cooperative infrastructure. In return, he says, we will have to trade away some ability to innovate. The passenger getting into a self-driving car will almost certainly feel it's a good trade.

By now you're probably thinking: yeah, right, you and whose army is going to make this happen? Schneier is right there with you. Admitting that many of his recommendations have been in the public sphere for more than a decade with little progress, he concludes by assessing the state of the art of the possible. The US is unlikely to do anything helpful for the moment, but: "When the internet starts killing people it will be regulated." The EU's GDPR is a genuine help. We -- consumers and organisations -- can play our own part by making more careful purchasing choices. Ultimately, however, we are left to make the most difficult decision on our own: who can we trust?


Researchers find Stuxnet, Mirai, WannaCry lurking in industrial USB drives
The malware strains have all been found in industrial settings due to removal media.

This is how hackers can take down our critical energy systems through the Internet
Human Interface Systems lacking any kind of security have the potential to cause serious damage to critical services worldwide.

China has been 'hijacking the vital internet backbone of western countries'
Chinese government turned to local ISP for intelligence gathering after it signed the Obama-Xi cyber pact in late 2015, researchers say.

This botnet snares your smart devices to perform DDoS attacks with a little help from Mirai
Chalubo is a new botnet which is being used in attacks against servers and IoT devices.

FireEye links Russian research lab to Triton ICS malware attacks
FireEye: Clues link Russia's Central Scientific Research Institute of Chemistry and Mechanics research lab to Triton-related activity.

Read more book reviews

Editorial standards