Computer security is tricky. Just ask America’s Office of Personnel Management: on July 9th it admitted that hackers had purloined the sensitive personal information of 22m government employees. Or Anthem, a big insurance firm which reported in January that 80m customer records had been stolen. Or the National Security Agency, which in 2013 suffered the biggest leak in its history when Edward Snowden, a contractor, walked out with a vast trove of secret documents.
Unfortunately, computer security is about to get trickier. Computers have already spread from people’s desktops into their pockets. Now they are embedding themselves in all sorts of gadgets, from cars and televisions to children’s toys, refrigerators and industrial kit. Cisco, a maker of networking equipment, reckons that there are 15 billion connected devices out there today. By 2020, it thinks, that number could climb to 50 billion. Boosters promise that a world of networked computers and sensors will be a place of unparalleled convenience and efficiency. They call it the “internet of things”.
Computer-security people call it a disaster in the making. They worry that, in their rush to bring cyber-widgets to market, the companies that produce them have not learned the lessons of the early years of the internet. The big computing firms of the 1980s and 1990s treated security as an afterthought. Only once the threats—in the forms of viruses, hacking attacks and so on—became apparent, did Microsoft, Apple and the rest start trying to fix things. But bolting on security after the fact is much harder than building it in from the start.
The same mistake is being repeated with the internet of things. Examples are already emerging of the risks posed by turning everyday objects into computers.
In one case a hacker found he could remotely control the pump that dispensed his drugs. Others have disabled the brakes and power-steering on new cars. Cyber-criminals are a creative lot. In the future a computerised washing machine or fridge might be subverted to send out spam e-mails, for instance, or to host child pornography; or a computerised front door might refuse to let you in until you hand over a bitcoin ransom.
Three things would help make the internet of things less vulnerable. The first is some basic regulatory standards. Widget-makers should be compelled to ensure that their products are capable of being patched to fix any security holes that might be uncovered after they have been sold. If a device can be administered remotely, users should be forced to change the default username and password, to prevent hackers from using them to gain access. Security-breach laws, already in place in most American states, should oblige companies to own up to problems instead of trying to hide them.
The second defence is a proper liability regime. For decades software-makers have written licensing agreements disclaiming responsibility for any bad consequences of using their products. As computers become integrated into everything from cars to medical devices, that stance will become untenable. Software developers may have to agree to a presumption of how things should work, for instance, which would open them to legal action if it were breached. It is never too early for insurers, manufacturers and developers to begin to thrash out such issues.
Third, companies in all industries must heed the lessons that computing firms learned long ago. Writing completely secure code is almost impossible. As a consequence, a culture of openness is the best defence, because it helps spread fixes. When academic researchers contacted a chipmaker working for Volkswagen to tell it that they had found a vulnerability in a remote-car-key system, Volkswagen’s response included a court injunction. Shooting the messenger does not work. Indeed, firms such as Google now offer monetary rewards, or “bug bounties”, to hackers who contact them with details of flaws they have unearthed.