Click Here to Kill Everybody: Security and Survival in a Hyper-connected World

policy · security · regulation · internet-of-things · critical-infrastructure
2018-01-01 · 3 min read

Click Here to Kill Everybody, published in 2018, addresses the security implications of the internet of things — the proliferation of networked devices in physical infrastructure, consumer products, medical equipment, and industrial systems. The title is deliberately alarming: Schneier's argument is that as the internet becomes embedded in physical systems, the consequences of insecurity shift from data loss and privacy violation to physical harm, infrastructure failure, and potentially mass casualties.

The Argument

The book's central claim is that the internet of things represents a qualitative shift in the stakes of security failures. Previous internet insecurity was costly but primarily informational — stolen data, disabled websites, compromised accounts. When networked software controls physical systems — cars, power grids, medical devices, water treatment plants — security failures can kill people. The consequences of insecurity have become irreversible in ways they were not when software operated only in information space.

This is security economics applied to a new threat landscape. Schneier argues that the market cannot solve this problem on its own: the manufacturers of insecure devices externalize the costs of their insecurity onto users and society, while capturing the benefits of fast time-to-market and low unit costs. The people who buy a cheap internet-connected thermostat are not the people harmed when that thermostat is conscripted into a botnet and used to attack critical infrastructure. This externality problem requires regulatory intervention.

The Regulatory Turn

Click Here to Kill Everybody is Schneier's most explicitly regulatory book. He argues for government intervention in the security of networked devices — mandatory security standards, liability rules that hold manufacturers responsible for insecurity, regulatory agencies with technical competence and enforcement power. This is a significant rhetorical move for someone who came up in the cypherpunk tradition, which was deeply skeptical of government involvement in technology. His testimony before Congress on connected devices and cyber attacks directly advanced this regulatory argument, presenting the case for IoT security standards to legislators who had the power to act on it.

Schneier is not abandoning his earlier positions but extending his analysis. He has always argued that security requires accountability and incentive alignment; his new argument is that market mechanisms have failed to produce those conditions for IoT security, and that government has a necessary role. This connects to his later work with the Harvard Kennedy School, where he engaged seriously with technology policy and regulatory design.

The Internet-as-Nervous-System Metaphor

The book develops an extended metaphor: the internet is becoming the nervous system of civilization, connecting sensors and actuators to information processing in a way that makes the boundary between the digital and physical world increasingly thin. Security of this nervous system is not a technical niche but a foundational infrastructure challenge comparable to the security of water, power, and transportation systems.

This framing connects to the broader arc toward A Hacker's Mind. If the internet is infrastructure, then who controls the internet — who sets the security standards, who owns the data, who can disrupt the systems — is a question of power. The IoT security problem is not just a safety problem but a sovereignty problem.

Relationship to the Arc

Click Here to Kill Everybody sits between Data and Goliath and A Hacker's Mind in Schneier's arc. Data and Goliath is about surveillance and information power; A Hacker's Mind is about systems subversion and power generally. This book is the bridge: it takes the security analysis of the physical internet and draws out its implications for who holds power over critical systems. The transition from "security is about data" to "security is about physical systems and therefore about life and death" is what makes the regulatory argument in this book feel urgent rather than merely technical.