For everything Bruce Schneier has contributed to freedom through security and cryptography, you’d think he’d have a little less faith in government intervention. But as we’ve seen before, calling for the government to protect us has become quite natural for him – particularly when it comes to the internet of things (IoT).
A recent op-ed of his in The New York Times entitled What Happens When Your Car Gets Hacked? continues to sound the alarm, concluding, “As politically untenable as it is, we need government to step in to create the market forces that will get us out of this mess.”
Once again, the folks at the Mercatus Center have a sound rebuttal:
First, it's important to note that the traditional software industry has been able to provide security without such government intervention, as Schneier himself stated. This did not happen overnight. With time, and trial and error, technology firms were able to build out the knowledge and labor pool needed to quickly patch software vulnerabilities. After all, providing good security is an important way that businesses compete. Companies that lag behind on security will take a reputational hit and eventually be left in the dust by companies that prioritize security. It is not perfect, but it represents a superior approach to imposing a "Department of Internet Security" for devices.
The problem with creating such a federal bureaucracy is that we could expect the rate of new innovation to slow considerably. Subjecting businesses to expensive pre-market approval introduces compliance costs and uncertainty that many small firms simply can't bear. This has been the case with Food and Drug Administration regulation, where most new pharmaceuticals are introduced by a handful of huge companies that can withstand the years-long, multi-million dollar regulatory process.
They continue with a counterpoint that strongly rebukes any call for the government to regulate or protect something they so obviously violate themselves (i.e., protecting our privacy, which they blatantly invade through mass surveillance):
Furthermore, we would need to trust such an agency to have the wherewithal to promulgate appropriate security guidelines in the first place. As Mercatus Center research has pointed out, federal agencies have consistently failed to meet their own security guidelines and suffer record numbers of information security breaches each year. It is hard to imagine that the federal government can improve the security of our nation's devices when it cannot even get its own house in order.
Finally, is Schneier truly unaware of non-government solutions to IoT security like Cloudflare’s Orbit? Or is he ignoring them because they don’t fit his narrative?