Get Serious About Hardware Cybersecurity

Uploaded on 2018-01-29 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

When we hear about a new cyber vulnerability, we often think of software bugs or poorly written code, serious problems to be sure, yet typically solved with an appropriate patch. 

But fixing hardware problems like the recently discovered vulnerabilities in chips made by Intel, ARM, AMD, and Qualcomm is generally far more expensive, time-consuming, and disruptive.

Eliminating the threat posed by the Meltdown and Spectre exploits, for example (and despite the reassurances being issued by major technology companies) will likely take more just a software patch. 

The fix will probably require some sort of hardware replacement in each of the millions of devices and systems that use these ubiquitous chips: laptops, smartphones, cloud servers, critical infrastructure control systems, weapons from missiles to fighter jets, other defense-related systems, and more.

This sort of thing is hardly unexpected. The enormous potential consequences of major hardware vulnerabilities, including the daunting and costly prospect of fixing them, have been the subject of literally dozens of studies. These reports note that exploits may arise from inadvertently poor security design or from “the malicious insertion of defects or malware into microelectronics and embedded software, and from the exploitation of latent vulnerabilities in these systems,” as the Defense Science Board wrote in its 2017 “Cyber Supply Chain” report.

Yet US and other policymakers, who have devoted billions and millions of dollars in recent years to securing critical infrastructure and defense systems, have focused almost entirely on software. 

It is high time to expand such efforts to hardware security, and in particular, to develop a national strategy for acquiring secure hardware for military and critical infrastructure needs. 

Such a strategy would include such steps as:

1. Create a comprehensive hardware cyber initiative. Industry cannot solve these difficult security issues alone; they require government investment and information-sharing on threats to improve chip security, both for consumers and national security systems.

2. Obtain secure and assured access to critical chips. We can’t replace bad chips with good ones if commercial sources are compromised. The government’s partnerships with industry are important, but it needs long-term capabilities to either buy or make every chip they need in a secure environment, from certified and trusted US sources. 
The Defense Department’s Trusted Foundry and Trusted Supplier programs can meet this need, but they are not being fully utilised. The Defense Microelectronics Activity, which runs these programs, has not been fully funded to accomplish this mission. 

3. Prioritise hardware security research. We can’t fix old vulnerabilities without new tools. One such effort is DARPA’s new Electronics Resurgence Initiative; more are needed.

Proposals to fund a dedicated DoD capability to produce secure chips range from $250 million to $500 million, a security investment that is well worth the cost. (Compare it to the roughly $100 billion a year that the Pentagon spends annually on systems that depend on chips, including $3 billion to $5 billion on the chips themselves.)  
The time to debate the risks or likelihood of hardware security threats is over. The US government needs to take swift action.

Defense One

You Might Also Read: 

New IoT Chips See, Think & Act Autonomously:

Attacks On UK Critical Infrastructure Will Double:

Guide to Russian Infrastructure Hacking:

 

 

« Russia Will Create Its Own Internet
India’s Political Parties Fighting A Cyberwar »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

High Technology Crime Investigation Association (HTCIA)

High Technology Crime Investigation Association (HTCIA)

HTCIA was formed to provide education and collaboration to our global members for the prevention and investigation of high tech crimes.

Tufin

Tufin

Tufin enables organizations to automate their security policy visibility, risk management, provisioning and compliance across their multi-vendor, hybrid environment.

Minerva Labs

Minerva Labs

Minerva’s patent pending solution keeps malware in a constant sleep state before it can infiltrate your network and cause any damage.

AllClear ID

AllClear ID

AllClear ID provides products and services that help protect people and their personal information from threats related to identity theft.

Data61

Data61

Data61 is Australia’s leading digital research network offering the research capabilities, IP and collaboration programs to unleash the country’s digital & data-driven potential.

CyberSecurityTrainingCourses.com

CyberSecurityTrainingCourses.com

Cyber Security Training Courses is a portal to help candidates find the best courses to progress their career within the IT security industry.

AU10TIX

AU10TIX

AU10TIX’s smart forensic-level ID authentication technology links physical and digital identities, meets compliance mandates, and ensures your customers know their trust and safety come first.

Syndis

Syndis

Syndis is a leading information security company helping to defend organizations by providing bespoke services and innovative security solutions in the global market.

L3Harris Technologies

L3Harris Technologies

L3Harris Technologies is a global aerospace and defense technology innovator, delivering solutions to meet mission-critical needs across air, land, sea, space and cyber domains.

Axellio

Axellio

Axellio provides economic, end-to-end cyber security solutions designed for your team, environment, and security objectives, providing packet level visibility across your network.

Zenity

Zenity

Zenity is the first and only security governance platform for low-code/no-code applications.

Endure Secure

Endure Secure

Endure Secure is a managed cyber security & information security consultancy. Our passion for IS and our understanding of the threat landscape is reflected in the services that we provide.

Invisily

Invisily

Invisily makes enterprise and cloud computing resources invisible to attackers with zero trust solutions, making them visible only when needed to only those who need them.

Tamnoon

Tamnoon

Tamnoon is the Managed Cloud Detection and Response platform that helps you turn CNAPP and CSPM alerts into action and fortify your cloud security posture.

GetReal Security

GetReal Security

GetReal Security is the world’s leading authority on malicious digital content and deepfake protection.

Mplify Alliance

Mplify Alliance

Mplify’s mission is to amplify global network and service innovation, interoperability, and resilience through collaboration, standardization, automation, and certification.