This is the second Bruce Schneier book I have read. It is every bit as good as the first. This book is a commentary on the current state of cybersecurity (and the future) for what Bruce calls the Internet+. The Internet+ includes everything connected to the internet; not just servers, desktops, laptops, and phones but a whole variety of infrastructure, industrial machines, IoT devices, vehicles, medical devices, etc. He argues that since computers connected to the internet now have the ability to interact with the real world in potentially deadly ways, that Internet+ security is really everything security.
This is a book that I think every LabVIEW Developer should read. We are at the edge of the Internet+. We are writing software to control devices in the real world. We are dealing with high voltages, high pressures, powerful motors, and other dangerous equipment. Typically we are aware of the risks of our software malfunctioning due to bugs. We go to great lengths to verify and test the logic in our programs. We need to be more aware of the risk of malicious actors. This book is a good overview of all the risks out there and how we as a society can start to combat them.
In previous decades, the consequences of internet security failures were not typically deadly. Information got stolen or service was denied. Perhaps your identity got stolen, your bank account got raided, your competitors got a hold of some proprietary information, or maybe your favorite e-commerce site or streaming service went down for a while. These could have serious consequences but typically no one died. That has changed.
Throughout the book Bruce refers back to 3 hypothetical (or not so hypothetical) scenarios, which illustrate the dangers of a serious cyber attack.
Imagine a hacker shutting down the power grid for an entire city. Sound farfetched? There were reports in recent years of Russian hackers gaining access to US powerplants. In 2016 Russian hackers did shut down a powerplant in Ukraine. Imagine the potential consequences: Hospitals with lifesaving equipment that is left unpowered (hopefully their backups are working). Gridlock due to traffic lights being out. Most commerce would grind to a halt due to no credit card processing. No phones to call for help as most landlines are gone and those that remain are VOIP and cell towers would have no power. What if it happened in the middle of an election? Consider attacks on other infrastructure such as hydroelectric dams.
Remote Hijacking of a car or plane
What about a hacker taking control of a car as it drives down the highway? It’s been done. It’s also been done with an airplane. Boeing’s recent troubles over its software development practices give little hope of improvement any time soon. In both of these incidents, the actors were security researchers. You don’t have to use much imagination to imagine what trouble a malicious actor could cause.
Attacking Medical Devices
Pacemakers and other medical devices such as insulin pumps are increasingly cloud connected. Since in both cases, the patient’s life relies on the device functioning properly, it is easy to see how it could be abused by a hacker. In a more far fetched scenario, researchers are using 3-d printers to create viruses. Recently many traditional printers were attacked over the internet. Biomedical 3-d printers may be equally vulnerable.
The first half of the book takes stock of where we currently are and how we got there. The basic premise is 1) anything connected to the internet can be hacked 2) everything is being connected to the internet 3) therefore everything can be hacked. Bruce then dives into the incentives that encourage companies to connect everything to the internet. He also talks about how corporations and governments have incentives to keep things insecure. He also talks about the increasing risks and examines why current security efforts really aren’t working.
Not all hope is lost. Bruce outlines some steps that companies and governments can take to secure the Internet+. There are technical solutions. However, given the current incentive structure companies are unlikely to implement them without government intervention. While the governments are not motivated to enact regulations to force companies to take security more seriously, that will change. As the risks become greater and greater, at some point a major catastrophe will occur at which point governments will be forced to act.