Get Serious About Hardware Cybersecurity

When we hear about a new cyber vulnerability, we often think of software bugs or poorly written code, serious problems to be sure, yet typically solved with an appropriate patch. 

But fixing hardware problems like the recently discovered vulnerabilities in chips made by Intel, ARM, AMD, and Qualcomm is generally far more expensive, time-consuming, and disruptive.

Eliminating the threat posed by the Meltdown and Spectre exploits, for example (and despite the reassurances being issued by major technology companies) will likely take more just a software patch. 

The fix will probably require some sort of hardware replacement in each of the millions of devices and systems that use these ubiquitous chips: laptops, smartphones, cloud servers, critical infrastructure control systems, weapons from missiles to fighter jets, other defense-related systems, and more.

This sort of thing is hardly unexpected. The enormous potential consequences of major hardware vulnerabilities, including the daunting and costly prospect of fixing them, have been the subject of literally dozens of studies. These reports note that exploits may arise from inadvertently poor security design or from “the malicious insertion of defects or malware into microelectronics and embedded software, and from the exploitation of latent vulnerabilities in these systems,” as the Defense Science Board wrote in its 2017 “Cyber Supply Chain” report.

Yet US and other policymakers, who have devoted billions and millions of dollars in recent years to securing critical infrastructure and defense systems, have focused almost entirely on software. 

It is high time to expand such efforts to hardware security, and in particular, to develop a national strategy for acquiring secure hardware for military and critical infrastructure needs. 

Such a strategy would include such steps as:

1. Create a comprehensive hardware cyber initiative. Industry cannot solve these difficult security issues alone; they require government investment and information-sharing on threats to improve chip security, both for consumers and national security systems.

2. Obtain secure and assured access to critical chips. We can’t replace bad chips with good ones if commercial sources are compromised. The government’s partnerships with industry are important, but it needs long-term capabilities to either buy or make every chip they need in a secure environment, from certified and trusted US sources. 
The Defense Department’s Trusted Foundry and Trusted Supplier programs can meet this need, but they are not being fully utilised. The Defense Microelectronics Activity, which runs these programs, has not been fully funded to accomplish this mission. 

3. Prioritise hardware security research. We can’t fix old vulnerabilities without new tools. One such effort is DARPA’s new Electronics Resurgence Initiative; more are needed.

Proposals to fund a dedicated DoD capability to produce secure chips range from $250 million to $500 million, a security investment that is well worth the cost. (Compare it to the roughly $100 billion a year that the Pentagon spends annually on systems that depend on chips, including $3 billion to $5 billion on the chips themselves.)  
The time to debate the risks or likelihood of hardware security threats is over. The US government needs to take swift action.

Defense One

You Might Also Read: 

New IoT Chips See, Think & Act Autonomously:

Attacks On UK Critical Infrastructure Will Double:

Guide to Russian Infrastructure Hacking:

 

 

« Russia Will Create Its Own Internet
India’s Political Parties Fighting A Cyberwar »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

AVR International

AVR International

AVR educate, advise, analyse and provide professional, technical consultancy and support to ensure your business is safe, compliant and protected.

Cyber, Space, & Intelligence Association (CSIA)

Cyber, Space, & Intelligence Association (CSIA)

CSIA focuses on issues critical to Cyber Security, Military Space and Intelligence.

IDnext

IDnext

IDnext is the open and independent platform to support innovative approaches in the world of the Digital identity.

Nexusguard

Nexusguard

Nexusguard is at the forefront of the fight against malicious Internet attacks, protecting organizations worldwide from threats to their websites, services, and reputations.

Modux

Modux

Modux focus on a number of core competencies across cyber security including; cyber intelligence & analytics, penetration testing and training.

Sliced Tech

Sliced Tech

Sliced Tech provides enterprise grade managed Cloud services, including Security-as-a-Services, aimed at meeting the needs of commercial and government clients from within Australia.

infySEC

infySEC

InfySEC is an information security services organization offering Security Technology services, Security Consulting, Security Training, Research & Development.

Advens

Advens

Advens is a company specializing in information security management. We provide Consultancy, Security Audits and Technology Solutions.

Hubraum

Hubraum

Hubraum is Deutsche Telekom’s tech incubator, helping startups to create new business opportunities in areas including data analytics, AI, robot process automation and cyber security.

SecureAge Technology

SecureAge Technology

We’re a rapidly growing cybersecurity company with an 18-year history of ZERO Data breaches. Our security solutions place security and usability on equal footing. Learn more about our technology.

Squad

Squad

Squad provides leading expertise to ensure protection against the most complex cyber threats. Combining the best practices of DevOps and Cybersecurity, we are committed to create a secured cyber space

UST

UST

UST is a global provider of digital technology and transformation, IT services and solutions including managed security services.

KSOC Labs

KSOC Labs

KSOC is an event-driven SaaS platform built to automatically remediate Kubernetes security risks.

SafeBase

SafeBase

Safebase provide the infrastructure for Trust Communication. Our Trust Center enables Security and Sales teams to share and automate access to security, compliance, and privacy information.

HIFENCE

HIFENCE

HIFENCE delivers cybersecurity and networking services that make your company safer and more secure. That’s all we do, so you can concentrate on all the things that you do best.

Judy Security

Judy Security

Judy provides smart, simple, effective, all-in-one cybersecurity for SMBs. Get the 24/7 protection and support you deserve, at a price you can afford.