The following is an excerpted chapter from Bruce Schneier's book, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World.

There are two basic paradigms of security. The first comes from the real world of dangerous technologies: the world of automobiles, planes, pharmaceuticals, architecture and construction, and medical devices. It’s the traditional way we do design, and can be best summed up as “Get it right the first time.” This is the world of rigorous testing, of security certifications, and of licensed engineers. At the extreme, it’s a slow and expensive process: think of all the safety testing Boeing conducts on its new aircraft, or any pharmaceutical company conducts before releasing a new drug on the market. It’s also the world of slow and expensive changes, because each change has to go through the same process.
In a world where we increasingly rely on internet-connected devices, these two paradigms are colliding. They’re colliding in your cars. They’re colliding in home appliances. They’re colliding in computerized medical devices. They’re colliding in home thermostats, computerized voting machines, and traffic control systems— and in our chemical plants, dams, and power plants. They’re colliding again and again, and the stakes are getting higher because failures can affect life and property.
There are undiscovered vulnerabilities in every piece of software.
Even worse, no one has the incentive to patch the software once it’s been shipped. The chip manufacturer is busy shipping the next version of the chip, the device manufacturer is busy upgrading its product to work with this next chip, and the vendor with its name on the box is just a reseller. Maintaining the older chips and products isn’t a priority for anyone.

Even when manufacturers have the incentive, there’s a different problem. If there’s a security vulnerability in Microsoft operating systems, the company has to write a patch for each version it supports. Maintaining lots of different operating systems gets expensive, which is why Microsoft and Apple— and everyone else— support only the few most recent versions. If you’re using an older version of Windows or macOS, you won’t get security patches, because the companies aren’t creating them anymore.

This won’t work with more durable goods. We might buy a new DVR every 5 or 10 years, and a refrigerator every 25 years. We drive a car we buy today for a decade, sell it to someone else who drives it for another decade, and that person sells it to someone who ships it to a Third World country, where it’s resold yet again and driven for yet another decade or two. Go try to boot up a 1978 Commodore PET computer, or try to run that year’s VisiCalc, and see what happens; we simply don’t know how to maintain 40-year-old software.
We’re already seeing the effects of systems so old that the vendors stopped patching them, or went out of business altogether.
Certification exacerbates the problem. Before everything became a computer, dangerous devices like cars, airplanes, and medical devices had to go through various levels of safety certification before they could be sold. A product, once certified, couldn’t be changed without having to be recertified. For an airplane, it can cost upwards of a million dollars and take a year to change one line of code. This made sense in the analog world, where products didn’t change much. But the whole point of patching is to enable products to change, and change quickly.

Disclosing vulnerabilities:

Not everyone discloses security vulnerabilities when they find them; some hoard them for offensive purposes. Attackers use them to break into systems, and that’s the first time we learn of them. These are called “zero-day vulnerabilities,” and responsible vendors try to quickly patch them as well. Government agencies like the NSA, US Cyber Command, and their foreign equivalents also keep some vulnerabilities secret for their own present and future use. Every discovered but undisclosed vulnerability— even if it is kept by someone you trust— can be independently discovered and used against you.

Even researchers who want to disclose the vulnerabilities they discover sometimes find a chilly reception from the device manufacturers. Those new industries getting into the computer business—the coffeepot manufacturers and their ilk—don’t have experience with security researchers, responsible disclosure, and patching, and it shows. This lack of security expertise is critical. Software companies write software as their core competency. Refrigerator manufacturers, or refrigerator divisions of larger companies, have a different core competency—presumably, keeping food cold—and writing software is always going to be a sideline.
The current system of patching is going to be increasingly inadequate as computers become embedded in more and more things. The problem is that we have nothing better to replace it with.