Book review: Click here to kill everybody


For those who don’t know of Bruce Schneier, he’s one of the world’s most famous and prominent cybersecurity experts. If there’s one person you’d want to guide you and hold your hand in a time of need, Schneier is the one. This book is about the basics of cybersecurity, not the technical aspects, but rather about security on the Internet and on what Schneier calls the Internet+, the interconnected world of the Internet of Things.

Driverless cars, thermostats, drones, door locks, baby dolls and baby monitors, and pacemakers are all interconnected, with little or no concern for security. Virtually all companies except Apple and Microsoft sell inadequate and incomplete consumer products with hardly any testing, whereas in the airplane industry a single line of code can cost millions of dollars and must pass through very rigorous testing before it is used in the real world.

“Click here to kill everybody” is a thorough and deep book about how this neglect of cybersecurity has consequences for people, society, companies and governments. Schneier traces it to misaligned incentives and to interference from many governments.

I love the metaphor “The Four Horsemen of the Internet Apocalypse – terrorists, drug dealers, pedophiles, and organized crime” that states and companies use to frighten people. If encryption becomes standard in texting, phone calls and the files on your phone, the usual argument goes, the dark side will only grow stronger and the good guys will fail to catch and prosecute villains. The paradox is that states use front companies to do some of this work themselves, as North Korea does with organized crime and drugs. China (companies connected to the People’s Liberation Army), Russia (the Internet Research Agency, run by the now well-known Yevgeny Prigozhin) and the US (the military-industrial complex and NSA-connected entrepreneurs) all engage companies to do their bidding, no strings attached.

The situation we’re in: From bad to worse

An entire chapter is named “Everyone favors insecurity”, a telling title. What it basically comes down to is that companies are unwilling to pay for security, much as eco-friendly products are more expensive because taking ecological considerations into account costs more than not caring. Apple and Microsoft are two of the very few companies that actually pay attention to security, making sure that products are released only when they are as secure as possible. Most companies follow the former Facebook motto “Move fast and break things” and would rather release than delay and miss the launch.

What people, companies and authorities then miss is that our overall security is decreased and put in peril simply because security is considered too expensive or too troublesome.

Security should be the default, just as encryption should be the default: not optional, and not bolted on in hindsight. When products are ready for sale, they should be as complete as possible. The ideal of “move fast and break things” should be abolished.

Regulation

Authorities need more transparency, less secrecy, more oversight and more accountability, Schneier argues (and he isn’t alone). The FBI, the NSA and others don’t want strong encryption and want backdoors instead. From a security standpoint this is self-contradictory: a backdoor built for law enforcement cannot be restricted to law enforcement. If the population is being preyed upon, if rogue elements can infect and steal from people, then companies and authorities become easier targets too. The more people who risk being infected and preyed upon, the more who are in peril. Less security for civil society means less security for the state, yet authorities still want to weaken encryption and install backdoors. Everyone gains the access to do damage, and everyone loses.

An argument often lost in the debate on regulation is that the losing parties are small companies, which have neither the assets nor the time on their side, while regulation favours big corporations, which can adapt much more easily. Big corporations are also the ones within the regulators’ attention span and are tended to, whereas smaller companies are seldom even seen and mostly overlooked. I think this is one of the most important aspects of the entire book.

Another issue with regulation is its tendency to focus on particular technologies. Schneier’s suggestion is to “focus on human aspects of the law” instead of on technologies, apps or functions. It is also better to aim for a result and let experts work out how to achieve it rather than, again, prescribe a specific technology.

Summary

The freedom of computer scientists, software developers and programmers is still very broad, and they can build pretty much whatever they want. We’re too short-sighted and can’t, or refuse to, see the possible outcomes and changes from a longer perspective. “We accepted it because what they decided didn’t matter very much. Now it very much matters, and I think this privilege needs to end.” Just because products are digital doesn’t mean they have more right to exist, and living in a society where technology has become a kind of religious belief doesn’t mean technology is impervious to criticism or to bad outcomes.

Schneier argues that only states should have the capability to confront cyber attacks, not companies or other organizations. Considering the spyware industry (or mercenary spyware, as it’s called) I concur, though companies can still play a part in cyber defence.

One of Schneier’s predictions is that the security issues of the Internet+ “will creep into their networks” in unexpected ways. Someone brings a device to work that connects to the Internet and starts leaking data, and suddenly a company or authority realizes it has serious problems with real-life implications.

If you need a basic book about cybersecurity, without technical details or prerequisites, this is the book for you. It’ll teach you what cybersecurity is really about.