Get Serious About Hardware Cybersecurity

Uploaded on 2018-01-29 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

When we hear about a new cyber vulnerability, we often think of software bugs or poorly written code, serious problems to be sure, yet typically solved with an appropriate patch. 

But fixing hardware problems like the recently discovered vulnerabilities in chips made by Intel, ARM, AMD, and Qualcomm is generally far more expensive, time-consuming, and disruptive.

Eliminating the threat posed by the Meltdown and Spectre exploits, for example (and despite the reassurances being issued by major technology companies) will likely take more just a software patch. 

The fix will probably require some sort of hardware replacement in each of the millions of devices and systems that use these ubiquitous chips: laptops, smartphones, cloud servers, critical infrastructure control systems, weapons from missiles to fighter jets, other defense-related systems, and more.

This sort of thing is hardly unexpected. The enormous potential consequences of major hardware vulnerabilities, including the daunting and costly prospect of fixing them, have been the subject of literally dozens of studies. These reports note that exploits may arise from inadvertently poor security design or from “the malicious insertion of defects or malware into microelectronics and embedded software, and from the exploitation of latent vulnerabilities in these systems,” as the Defense Science Board wrote in its 2017 “Cyber Supply Chain” report.

Yet US and other policymakers, who have devoted billions and millions of dollars in recent years to securing critical infrastructure and defense systems, have focused almost entirely on software. 

It is high time to expand such efforts to hardware security, and in particular, to develop a national strategy for acquiring secure hardware for military and critical infrastructure needs. 

Such a strategy would include such steps as:

1. Create a comprehensive hardware cyber initiative. Industry cannot solve these difficult security issues alone; they require government investment and information-sharing on threats to improve chip security, both for consumers and national security systems.

2. Obtain secure and assured access to critical chips. We can’t replace bad chips with good ones if commercial sources are compromised. The government’s partnerships with industry are important, but it needs long-term capabilities to either buy or make every chip they need in a secure environment, from certified and trusted US sources. 
The Defense Department’s Trusted Foundry and Trusted Supplier programs can meet this need, but they are not being fully utilised. The Defense Microelectronics Activity, which runs these programs, has not been fully funded to accomplish this mission. 

3. Prioritise hardware security research. We can’t fix old vulnerabilities without new tools. One such effort is DARPA’s new Electronics Resurgence Initiative; more are needed.

Proposals to fund a dedicated DoD capability to produce secure chips range from $250 million to $500 million, a security investment that is well worth the cost. (Compare it to the roughly $100 billion a year that the Pentagon spends annually on systems that depend on chips, including $3 billion to $5 billion on the chips themselves.)  
The time to debate the risks or likelihood of hardware security threats is over. The US government needs to take swift action.

Defense One

You Might Also Read: 

New IoT Chips See, Think & Act Autonomously:

Attacks On UK Critical Infrastructure Will Double:

Guide to Russian Infrastructure Hacking:

 

 

« Russia Will Create Its Own Internet
India’s Political Parties Fighting A Cyberwar »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

XTN Cognitive Security

XTN Cognitive Security

XTN is focused on the development of security, Fraud and Mobile Threat Prevention advanced behaviour-based solutions.

Global Cyber Alliance (GCA)

Global Cyber Alliance (GCA)

Global Cyber Alliance is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world.

Netragard

Netragard

Netragard has an established reputation for providing high-quality offensive and defensive security services.

Spohn Solutions

Spohn Solutions

Spohn combines highly-experienced staff with a vendor neutral approach to deliver optimal solutions for IT Security and Compliance.

Data Privacy Office (DPO)

Data Privacy Office (DPO)

Data Privacy Office is a company that specializes in privacy and personal data protection, following the highest standards in its sector.

Proximity

Proximity

Proximity is a leading professional services organisation providing consulting, legal and commercial advisory solutions with a focus on government and regulated industries.

Nineteen Group

Nineteen Group

Nineteen Group delivers major-scale exhibitions within the security, fire, emergency services, health and safety, facilities management and maintenance engineering sectors.

DeepFactor

DeepFactor

DeepFactor is the industry’s first Continuous Observability platform enabling Engineering and AppSec teams to find and triage RUNTIME security, privacy, and compliance risks in your applications.

Mr Backup (MRB)

Mr Backup (MRB)

MRB offers Data Protection as a Service for businesses looking to reduce the time, cost and complexity of securing your company data.

Occentus Network

Occentus Network

Occentus Network is a telecommunications service provider specialized in High Availability Servers & managed Cloud services.

Core4ce

Core4ce

Core4ce is a mission-oriented company that serves as a trusted partner to the national security community.

ShieldIO

ShieldIO

ShieldIO Real-Time Homomorphic Encryption™ enables your organization to reach regulatory compliance without compromising data availability.

Radiant Security

Radiant Security

Radiant Security offers an AI-powered security co-pilot for Security Operations Centers (SOCs). Reinforce your SOC with an AI assistant.

UFS Technology

UFS Technology

UFS, the bank technology outfitter for community banks, provides purpose-built, bank-exclusive technology services and solutions including cybersecurity.

Cyber Brain Academy

Cyber Brain Academy

At Cyber Brain Academy, our mission is to provide high-quality IT certification training for the cyber security workforce.