Bruce Schneier in the New York Times:
It’s no secret that computers are insecure. Stories like the recent Facebook hack, the Equifax hack and the hacking of government agenciesare remarkable for how unremarkable they really are. They might make headlines for a few days, but they’re just the newsworthy tip of a very large iceberg.
The risks are about to get worse, because computers are being embedded into physical devices and will affect lives, not just our data. Security is not a problem the market will solve. The government needs to step in and regulate this increasingly dangerous space.
The primary reason computers are insecure is that most buyers aren’t willing to pay — in money, features, or time to market — for security to be built into the products and services they want. As a result, we are stuck with hackable internet protocols, computers that are riddled with vulnerabilities and networks that are easily penetrated.
We have accepted this tenuous situation because, for a very long time, computer security has mostly been about data. Banking data stored by financial institutions might be important, but nobody dies when it’s stolen. Facebook account data might be important, but again, nobody dies when it’s stolen. Regardless of how bad these hacks are, it has historically been cheaper to accept the results than to fix the problems. But the nature of how we use computers is changing, and that comes with greater security risks.
More here.