Digital Governance Book Review: Click Here to Kill Everybody (2018)

Schneier, Bruce (2018). Click Here to Kill Everybody. Security and Survival in a Hyper-connected World New York; London: W.W. Norton & Company, 319 pages.

By Melanie Kolbe-Guyot

In “Click here to Kill Everybody”, computer security, privacy, and cryptography specialist Bruce Schneier argues for the pressing need for greater internet security in the wake of the unrelenting expansion of the Internet into our physical world, specifically the Internet of Things (IoT) that, he argues convincingly, is not accompanied by adequate security practices. Schneier warns us that hackers who exploit substantial security flaws could cause tangible harm on a potentially massive scale to national security, the economy and, ultimately, human lives. Despite his occasionally sensationalist takes and the rather clickbait title, Schneier meticulously shows how this situation transpired, discusses the dangers we face, and proposes concrete steps that companies and the government need to take in order to improve the situation. In contrast to many other authors of this genre, however, Schneier takes on a surprisingly regulatory approach to the governance of internet security, arguing for the need for a range of targeted public policies. In this review, I will summarize his main points, discuss his proposed solutions, and provide an overall critique.

The Problems

The book is divided in two major parts. In the first, entitled “Problems”, Bruce Schneier introduces the term ‘internet+’. This term denotes not only the Internet and its infrastructure, including cloud computing services, but also the many IoT devices connected to it. He also designates artificial intelligence (AI) and machine learning (ML), used to gather and process data, as well as robotics and the humans who interact with these systems. Of particular concern to him is the increasing computerization and spread of internet-capable devices, such as thermostats, cameras, door locks, refrigerators, children’s toys, cars, and even medical devices. Although they are convenient, the growing complexity and interconnectedness of our computerized systems means that any of these items can now be hacked by malicious actors and reprogrammed. For the plausibility of this, Schneier provides real-life examples that should make even skeptics feel queasy. The cases of someone using cameras in zombie botnet attacks or manipulating thermostats or door locks might be only mildly infuriating. Whereas, much more terrifying are strangers speaking to children through unsecured baby monitors or through cars and medical devices that can be remotely accessed and shut down.

The root of weak security software and practices, Schneier argues, lies in the skewed economic incentives for companies that encourage them to prioritize cyber-insecurity over cyber-security. On the one hand, IoT software products have weak security standards because the market does not reward strong ones: The pressures to produce rapidly and cheaply in a competitive global environment outweigh the costs, expertise, and time needed to ensure properly secured devices. Also, most producers are not transparent in communicating product security information, and most consumers and users are not ‘cyber-security literate’ or sufficiently aware of the risks to know about making this an aspect to consider when purchasing. Schneier goes on to dispel software patching as a valid practice for overcoming the lack in security designs, as the process is often too slow, non-automatic, or simply not an offered service in some cheaply produced IoTs. On the other hand, he argues, companies have a vested interest in keeping a certain level of cyber-insecurity because it simultaneously enables them to harvest and to sell data on a large scale.

Schneier argues that these strong incentives, to keep insecurity in place, are also valid for governments. The benefits of using insecurity for cyber-warfare – driven by an offense-heavy national-security approach – and the utility of spyware for undertaking military espionage and surveilling residents outweigh the costs of greater securitization, as this would severely weaken, if not remove, these capabilities. In sum, both economic and national security incentives are the reason companies and governments de-prioritize security. This, he argues, can have potentially severe, scalable consequences when critical infrastructure or even nuclear weapons are attacked. Although Schneier indulges in some dystopian extrapolation of where the current state of internet insecurity could lead us, he is pessimistic that the (US) government will ever actively intervene to more rigorously govern internet security, unless mass casualties occur.

The Solutions

In the second part of the book, entitled “Solutions”, Schneier proposes and discusses a number of corporate and governmental solutions. In a brief discussion about the underlying prisoners’ dilemma, laid out in the first part of the book, he reiterates that economic and national-security incentives maintain companies (and governments) locked in a Pareto-suboptimal outcome of weak security. This affects all users – an equilibrium state that he does not believe can be overcome by market forces alone – because being insecure incurs almost no financial costs for companies. He commands an impressive array of “security-by-design-based” recommendations and discusses best practices on how to secure devices, data, networks, and infrastructure. However, he also states that though widely known, these recommendations have little traction as they remain voluntary. He argues that this precarity consequently requires public policy regulations in order for higher security standards to be enforced; similarly to the regulations that were put in place historically for other critical industries, such as for automobiles, aircraft, or pharmaceuticals.

Among the fairly comprehensive set of policy changes, he proposes fostering greater security norms and self-regulation through standard creation, greater accountability and liability through product liability law reform, correcting information asymmetries by improving product marketing transparency, and greater public education on internet security. These policies, he admits, might slow down innovation but, in turn, will help overcome the prevalent market failure in form of the underprovision of cybersecurity.

In Schneier’s view, the government can provide greater internet security, although the government itself is also in need of structural changes. Indeed, captured by corporate lobbyists and influential national-security agencies, the government sometimes works against security. Here too, he argues, the US government requires a paradigm change away from offensive and espionage priorities towards supporting, not preventing, vulnerability disclosures. Furthermore, he outlines the need to build up national non-military cyber-advisory bodies that could provide consolidated experience and help establish centralized coordination for all government agencies, as well as the need to increase information sharing and incidence repositories for companies.

Nonetheless, he remains sober about the political realities he proposes, in particular, in the current political climate of the US, in which no concerted effort can be expected any time soon. He further outlines that not only is effective internet security regulation hampered by the slow moving and narrowly focused nature of the public policy process but that it is outright detrimentally affected by “bad” policy initiatives, such as demanding backdoors, limiting encryption, banning anonymity, mass surveillance, and hacking back or restricting the availability of software. Despite this somewhat gloomy outlook, Schneier ends the book with a “call to action.” He rightly points out that policy-makers often draft policies without sufficient technical understanding, whereas technologists often struggle to communicate about the current technological issues to decision-makers. Therefore, he calls for a greater bridging of these two communities in order to inform good policy-making for internet security.

Critique

Schneier’s discussion of the perils of the insecurity of internet and software products is probably the strongest part of the book, as he provides succinct and accessible information and a thoughtful analysis based on factual evidence. All in all, it makes for a good review and is easy to understand, even for a non-technical audience. Nonetheless, for seasoned cybersecurity professionals, this book holds little new information and seems to lack a more dedicated discussion of IoT security trends. Most of Schneier’s innovative thrust is clearly in the area of the regulatory intervention. Here one must pause for a second and consider that this is quite unusual for authors in the field of technology, as they are usually more in the tradition of the US pro-business/anti-government political culture. Yet, Schneier convincingly argues that government intervention is necessary to overcome the prevalent security-market failure. To alter business decisions in favor of better security practices, he asserts that changing the rules of the game is necessary.

For skeptics, his regulatory proposal might sound like an open request to curtail companies, to sacrifice innovation, or to plainly promote “more government,”. Yet, his suggestions are far more nuanced than this. Many of them stem from common sense: for instance, better product labeling to disclose whether or not devices have certain security features, greater transparency about cyber-attack incidents, and stopping the curious exemption of software from product liability laws, which artificially shields software companies from litigation – unlike every other manufacturing industry. Notably, Schneier decidedly distances himself from brute-force notions of public policy of prohibiting or prescribing specific approaches to security designs. Rather, he opts for a more outcome-based approach. This also leaves room for different kinds of innovation that respond to an altered incentive environment.

The weaker parts of the book are concentrated in his treatment of governmental ability to secure the Internet. Schneier’s relationship with the government is deeply divided: He looks to policy-makers for necessary intervention, whereas he is deeply pessimistic about the government’s ability to do so. In discussing both, the change away from cyber-attacks and espionage and the creation of new regulatory bodies to help create and police new public policies, Schneier is at times too “handwavy” and provides far less details than in the first part of the book. Although it is an easy and popular demand, creating new agencies is hardly a sufficient solution for existing governmental power fragmentation and resource asymmetries. Beyond providing knowledge and centralization aid, the author remains vague about precisely how these agencies could help overcome the issues he outlines. In his defense though, finding solutions to deeply institutional problems might be far beyond the scope of the book.

The book is clearly written for a US audience, with its political and public policy idiosyncrasies. This also informs Schneier’s pessimistic statements that no real progress can be expected any time soon. As he far too briefly mentions, in other major markets and jurisdictions, a greater regulatory appetite exists, such as, the EU that indirectly also affects many US product producers who seek to sell or operate in Europe. In general, the international dimension of cybersecurity is the weakest part of the book, which he readily admits. Although he is right that a greater development of norms and rules, as well as cooperation, is needed at an international level, the call to prioritize cyber-defense rather than cyber-offense, hence the abandoning the hoarding and use of security weaknesses, seems more like wishful thinking in the context of the natural disadvantages of defense over offense. This is likely more so true now, four years after the release of his book in a significantly altered cyberwarfare landscape.

Schneier does get right, however, the need for people with an engineering background to become involved in public policy. This is not only vital for drafting “good” policies, as Schneier suggests, but also important for effectively holding technology companies accountable in case of wrong-doing. Similarly, one should add that cybersecurity professionals are not needed to educate only policy-makers, but also to educate companies’ upper management. All too often, executives speak a very different language from software engineers, and it requires special skill to translate technical details in a way that enables them to properly take cybersecurity needs and risks into account when making business decisions.

All in all, “Click here to Kill Everybody” is a good read for those not yet intimately familiar with cybersecurity, or those with an interest in technology policy. It serves as a good educational vehicle for making readers aware of cybersecurity issues, and provides much needed food for thought.

This edition of the Digital Governance Book Review was authored by: Melanie Kolbe, Project Manager for Science Communication and Policy, C4DT

Image credit: Cover of Click Here to Kill Everybody. Security and Survival in a Hyper-connected World by Bruce Schneier, published by W.W. Norton & Company.