Schneier's testimony of November 16, 2016, before the House Energy and Commerce Committee (a joint hearing of its Subcommittee on Communications and Technology and its Subcommittee on Commerce, Manufacturing, and Trade) addressed the role of Internet of Things (IoT) devices in the Mirai botnet attacks that had disrupted major internet infrastructure the previous month. It is one of Schneier's most directly consequential congressional appearances: it came immediately after an incident that demonstrated, at scale, the risks he had been writing about for years.
The Policy Context
The Mirai botnet attacks of October 2016 used insecure IoT devices (internet-connected cameras, digital video recorders, home routers, and other embedded systems, many of them still running factory-default login credentials) to conduct distributed denial-of-service attacks of a scale not previously seen. On October 21 the attacks targeted Dyn, a major DNS provider, leaving popular sites such as Twitter, Reddit, Netflix, and GitHub unreachable for hours for users in parts of North America and Europe. The incident was a concrete instantiation of risks Schneier had been discussing on the schneier-on-security-blog throughout the IoT era and would analyze at length in click-here-to-kill-everybody, published two years later.
The committee hearing — "Understanding the Role of Connected Devices in Recent Cyber Attacks" — was called in direct response to the Mirai attacks and sought expert testimony on how such attacks were possible and what policy responses were appropriate.
The Argument
Schneier's testimony made three core claims, each grounded in the analytical frameworks he had developed over the preceding decade:
First, the IoT security problem is a market failure. Device manufacturers have no incentive to build security into their products because the costs of insecurity fall on third parties (Dyn, and the users whose internet access was disrupted), not on the manufacturers; nor do the owners of compromised devices have much incentive to fix them, since a camera or router conscripted into a botnet still works for its owner. This is security-economics applied to the IoT: insecurity is an externality, and the market systematically underproduces security because the price of insecurity is not paid by those making the security decisions.
Second, the problem requires government intervention. Because the incentives are misaligned, voluntary industry standards will not correct them. Schneier argued that regulation (minimum security standards for devices, liability rules that shift the costs of insecurity back onto manufacturers, and government procurement requirements that reward secure products) was the only mechanism that could change the incentive structure.
Third, the scale and interconnectedness of IoT infrastructure means that these are not merely commercial security problems but risks to critical infrastructure and public safety. This argument would be fully developed in click-here-to-kill-everybody, where Schneier coined the phrase "internet of things that can kill you."
Significance
The testimony is notable for Schneier's explicit advocacy of government regulation, a position he had been moving toward but had not stated as directly in his earlier congressional appearances. The security-commentator-era Schneier was more inclined to analyze and inform; the post-Snowden, post-Mirai Schneier was increasingly willing to advocate for specific regulatory interventions. This testimony marks that shift clearly.