Get Serious About Hardware Cybersecurity

When we hear about a new cyber vulnerability, we often think of software bugs or poorly written code, serious problems to be sure, yet typically solved with an appropriate patch. 

But fixing hardware problems like the recently discovered vulnerabilities in chips made by Intel, ARM, AMD, and Qualcomm is generally far more expensive, time-consuming, and disruptive.

Eliminating the threat posed by the Meltdown and Spectre exploits, for example, will likely take more than just a software patch, despite the reassurances being issued by major technology companies.

The fix will probably require some sort of hardware replacement in each of the millions of devices and systems that use these ubiquitous chips: laptops, smartphones, cloud servers, critical infrastructure control systems, weapons from missiles to fighter jets, other defense-related systems, and more.

This sort of thing is hardly unexpected. The enormous potential consequences of major hardware vulnerabilities, including the daunting and costly prospect of fixing them, have been the subject of literally dozens of studies. These reports note that exploits may arise from inadvertently poor security design or from “the malicious insertion of defects or malware into microelectronics and embedded software, and from the exploitation of latent vulnerabilities in these systems,” as the Defense Science Board wrote in its 2017 “Cyber Supply Chain” report.

Yet US and other policymakers, who have devoted billions and millions of dollars in recent years to securing critical infrastructure and defense systems, have focused almost entirely on software. 

It is high time to expand such efforts to hardware security, and in particular, to develop a national strategy for acquiring secure hardware for military and critical infrastructure needs. 

Such a strategy would include steps such as:

1. Create a comprehensive hardware cyber initiative. Industry cannot solve these difficult security issues alone; they require government investment and information-sharing on threats to improve chip security, both for consumers and national security systems.

2. Obtain secure and assured access to critical chips. We can’t replace bad chips with good ones if commercial sources are compromised. The government’s partnerships with industry are important, but it needs long-term capabilities to either buy or make every chip it needs in a secure environment, from certified and trusted US sources.
The Defense Department’s Trusted Foundry and Trusted Supplier programs can meet this need, but they are not being fully utilised. The Defense Microelectronics Activity, which runs these programs, has not been fully funded to accomplish this mission. 

3. Prioritise hardware security research. We can’t fix old vulnerabilities without new tools. One such effort is DARPA’s new Electronics Resurgence Initiative; more are needed.

Proposals to fund a dedicated DoD capability to produce secure chips range from $250 million to $500 million, a security investment that is well worth the cost. (Compare it to the roughly $100 billion a year that the Pentagon spends on systems that depend on chips, including $3 billion to $5 billion on the chips themselves.)

The time to debate the risks or likelihood of hardware security threats is over. The US government needs to take swift action.

Defense One
