Cyber Security Demands Deeper Look At Hardware Issues
A vulnerability in chips made by Intel, ARM, AMD and Qualcomm has dominated the recent news cycle, causing many enterprise security officials to, perhaps, question the efficacy of their hardware.
In fact, the concern has deepened – with some industry insiders suggesting that hardware security, in its entirety, demands more attention at the research and development (R&D) stage, along with securing it in the enterprise.
In a recent report for Defense One, two IT professionals weighed in on the issue of hardware security, and questioned whether the industry demands a hardware re-alignment, so to speak. Despite the massive overhead of such an undertaking, the contributors provided various financial reasons for consideration – one being national security, the other being the steady progress of security as a whole.
The piece was compiled by Michael Fritze, director of the Vital Infrastructure, Technology and Logistics (VITAL) Center, and Kathryn Schiller-Wurster, chief policy officer at the Potomac Institute for Policy Studies. It discusses challenges on the road to hardware investment, along with reasons to overcome any red tape. Despite the fact that their assessment is mainly leveled at critical infrastructure and military and government outposts and operations, the insight is applicable across the cyber landscape.
Fritze and Schiller-Wurster said that despite reassurances from major technology companies, the real way to mitigate this lingering threat stretches far past simple software updates.
“The fix will probably require some sort of hardware replacement in each of the millions of devices and systems that use these ubiquitous chips,” the writers suggested. “(This includes): laptops, smartphones, cloud servers, critical infrastructure control systems, weapons from missiles to fighter jets, other defense-related systems, and more.”
Despite any measure of panic in the wake of the Meltdown and Spectre vulnerabilities, Fritze and Schiller-Wurster opined that a hardware overhaul has been front and center in a number of commissioned studies. This includes from: the President’s Council of Advisors on Science and Technology, the Government Accountability Office, the Senate Armed Services Committee and think tanks, to name a few.
Most findings suggest that large-scale vulnerabilities could emerge due to poor design, malicious malware/defects and by capitalizing on any inherent vulnerability.
Nevertheless, have U.S. policymakers been led astray when it comes to these investments and initiatives? Fritze and Schiller-Wurster suggest that previous efforts have been almost exclusively software-based.
“It is high time to expand such efforts to hardware security – and in particular, to develop a national strategy for acquiring secure hardware for our military and critical infrastructure needs,” the piece reads.
In their steps for remedying this systemic issue, the contributors highlighted the importance of government funding and information-sharing. They also suggested that chip creation should be carried out in a secure and contained environment, despite the government’s partnerships with industry. They also stressed the importance of research; one effort they pointed to was DARPA’s new Electronics Resurgence Initiative.
Estimates at creating and securing chips, for the Department of Defense, come in at around $250 - $500 million. Still, the expense would likely be welcomed, considering the Pentagon spends around $100 billion per year on chip-dependent systems, the report notes.
The contributors suggested that it’s time to invest and incubate this technology.
On a wider plain, this chip/hardware security debate cuts to the core of many issues plaguing the modern enterprise – be it small or midsize businesses (SMB) or the large enterprise. Security posture emanates from conscious decisions on the security team to deploy solutions, monitor threats in real time, and carry out forensics tasks.
In reality, that is mostly dependent on much of the hardware being sound – the basic architecture in place. Does this mean enterprises demand a complete overhaul of their in-use devices? No, but it means extra diligence, as always, is required – as is the mindset that security may need to incubate its technology more, along with spearhead different initiatives in the R&D phase that can benefit organizations (public and private).
Any visibility with different advances in the field would also likely carry over to enterprise security habits – or the enterprise’s purchasing ability or risk profile.
The larger theme is that realigning the cyber focus would, in theory, only bolster a weightier portion of an organization’s security.