The Price Of Fear

The number of cyberattacks is skyrocketing. Hardware engineers should take note.

Fear sells, and judging from the attendance numbers and the messages coming out of this week’s RSA Conference, it’s selling quite well. Increasing connectedness comes at a significant price, and apparently lots of people are willing to pay that price. Security has become a huge and growing business.

Attendance is one indicator. There were an estimated 40,000 attendees at this year’s conference, which represents a solid 20% growth rate since 2014. A decade ago this was a small IT conference. It now consumes all three halls in San Francisco’s Moscone Center.

A second indicator is the number of reported attacks. Chris Young, general manager of the Intel Security Group, said during his keynote speech that a decade ago McAfee (now owned by Intel) received about 25 new threats a day. Today that number has increased to about 500,000 per day.

Third, the number of unfilled jobs in this space is staggering. Young said there are more than 200,000 unfilled cybersecurity positions in the United States today. He said that by 2020, the number of open cybersecurity positions will increase to an estimated 20 million.

Fourth, investment capital is pouring into this market. In addition to long-time players in this market, there were dozens of startups from all over the globe, particularly from Israel, Germany and the United States.

Fifth, the number of new viruses is growing. These aren’t coming from smart geeks sitting in their basements or small-time criminal organizations. Kaspersky Labs estimates the cost of developing the new ATAs, or advanced targeted attack platforms, is more than $50 million each.

Moreover, this malware is mutating—with help from some very smart people. Stuxnet, which was used to shut down Iran’s nuclear centrifuges, has links to other viruses such as Flame, Equation, Miniflame, Carbanak, and Duqu 1 and Duqu 2. Carbanak, which is classified as an advanced persistent threat, has been used to steal more than $800 million from financial institutions, according to Julian Garcia, sales engineer at Kaspersky.

Publicly, most of these efforts target weaknesses in software. No one knows how much has crossed into the sphere of hardware because much of that information is being tightly held by the U.S. Department of Defense. But there is no doubt that with this kind of effort and large sums of money being spent, every possible weakness will be leveraged.

The problem with hardware is that it is much more difficult to patch. It also tends to stick around much longer than software, meaning hardware designers have to recognize that what they design today might be hacked with much more sophisticated tools 10 years from now. That may not be so important in a mobile consumer device, but it’s certainly relevant in automotive, industrial, mil/aero and medical equipment. Replacing a malfunctioning sensor in smart valves, smart meters, or deep inside machinery on an assembly line can be very costly in terms of downtime, damage assessments and having to replace the hardware itself.

If chipmakers, semiconductor IP vendors and embedded software developers expect to be in business 5 or 10 years from now, they would be wise to start taking security much more seriously than they have so far. For most companies, it has been a checklist item, at best. But in a connected world, liability and risk issues will stick around much longer than the products being developed today. And judging from the messages out of this year’s RSA Conference, the number and complexity of threats will continue to rise at an alarming rate. It’s only a matter of time before semiconductors get drawn in on a grand and much more publicized scale.
