Different Approaches To Security

Platform approaches, better understanding of security holes and new technologies could help deter attackers.

Everyone acknowledges the necessity for cybersecurity precautions, yet the world continues to be challenged by an invisible, inventive army of hackers.

The massive data breach at Equifax was only the latest in a series of successful cyberattacks on the credit monitoring firm. Lessons learned from the previous breaches apparently didn’t mitigate this year’s embarrassment for the company. The company’s CEO was forced into retirement.

At the recent TechCon, Arm CEO Simon Segars emphasized security in his keynote, and he later sat down onstage with Mary Aiken, an author and an industry expert in cybersecurity and cyberpsychology, to discuss the topic. Aiken pointed to the recognition of cyberspace and cyberwarfare by the North Atlantic Treaty Organization (NATO) as an important milestone in the recent history of cybersecurity.

And to drive home the importance of cybersecurity, Arm distributed a “Security Manifesto” to all attendees at the keynote session with Segars, Aiken, and others.

In the manifesto and her keynote remarks, Aiken emphasized the role of ordinary people in maintaining proper cybersecurity hygiene. “People are their own first line of defense, but not everybody behaves responsibly,” she wrote. “We are not all IT experts, and security is not always built into devices and systems by default.”

Aiken concluded in the manifesto’s foreword, “Technology can be used well or poorly. Industry’s key challenge is to keep pace with threat actors’ technological advances. The volume and continuous evolution of attack behavior in cyber contexts requires increasingly sophisticated human intelligence augmentation (IA) solutions, which place the human at the center of the process, developing and deploying technological solutions to mitigate technology-facilitated security threats.”

The manifesto includes a “Technology Vision” section with essays by Arm’s Milosch Meriac, principal security research lead; Rob Elliott, director of vision architecture; and Richard Grisenthwaite, chief architect and Arm Fellow.


Fig. 1: Strategy for limiting attack damage. Source: Arm

“As technology providers we must embrace our responsibilities under what we are calling the ‘Digital Social Contract’ and endeavor to protect users no matter what,” Segars wrote. “The approaches and thinking we set out in this Manifesto can make a difference, and I can see a world where we will have put hackers out of business.”

Those are lofty ambitions, to be sure, but they are also prerequisites for such markets as the IoT, the industrial IoT, and medical technology to live up to their full potential.
How much of this is preventable using today’s technology isn’t entirely clear. Jessica Barker, a cybersecurity consultant and founder of cyber.uk, gave a keynote at the recent TechCon entitled, “How to Hack a Human.”

“That’s essentially a lot of what we refer to as cyberattacks,” Barker said. “A lot of it is about taking advantage of human nature. And a lot of what we call social engineering has been around, really, for as long as mankind. We call it social engineering, which is probably a different kind of engineering to what most of you are used to, but, really, it’s con artistry. It’s con artistry that has just taken off and is now carried out in a huge case and on a large scale because of our connectivity. When we think of cybersecurity, most people will think of this as being something very technical. It’s defined by the English dictionary as ‘measures taken to protect a computer or a computer system from attack.’ It sounds technical. It sounds like it’s about ones and zeros. If we just start to unpack the subject a bit, if we start to think about who is doing the attacking, how they are gaining access to the networks, why they’re doing it, the impacts that it has, then we very quickly see, as Bruce Schneier said many, many years ago, ‘Cybersecurity is about people, process, and technology.’ I’m going to focus very much on the people side of things.”

Temporary relief?
One of the issues with security is that just because a device is secure today, it doesn’t mean it will be secure in the future. The tools used by hackers, and their understanding of where there are vulnerabilities, are constantly evolving.

This is why there is so much concern about the impact of quantum computing. Any device can be hacked, but one of the key defenses is that it takes too long using existing technology. A multi-qubit quantum computer can significantly shorten that time, requiring much greater security efforts.

“[Cryptographer] Bruce Schneier said a couple of decades ago that if you think the technology can solve your security problems, then you don’t understand the problem and you don’t understand the solution,” Barker said. “Now, I would love for us to get to the stage where technology can solve our security problems. That would be fantastic. It would mean that I would probably be out of a job. But I could deal with that. It would be fantastic, that’s what we’re all aiming for. I would really hope that in a few years’ time, we get to that point. But we are still very far from that point right now. For example, 15 years ago, Bill Gates said the password will soon die. That was 15 years ago. Okay, we’ve got some other solutions. But if you go to use fingerprinting on your phone, what you will likely get when you go to set it up is a warning message saying, ‘This is not as secure as using a password. Do you want to do this?’ And it’s because the password is the least worst alternative. It’s the best we’ve come up with, so a lot of the security burden does still fall to people. And so what it means is we need an awareness of what this actually means, how security actually impacts us, how we might be used as a vector for attack, and what we can do to better protect ourselves.”

She noted that a good starting point for understanding the problem is the intent of hackers. “If we think about the different attack groups, what their motivations are, if we look at those attack groups one by one, then we see how this is very much a human subject. We have cyberwarfare, and cyberwarfare is just an extension of the usual warfare. It’s been going on for many years. But, of course, in the last couple of years, and particularly in America, it’s been much more discussed in the public domain. We have ‘hacktivism.’ Hacktivism is online activism. It is hacking for a political or ideological purpose. This is inherently very human. This is very much about what people believe and change in society that they want to see. We have attacks that take place by a third party.”

Platform approach
One way to reduce security issues is to utilize a platform approach—basically updating the platform as necessary, rather than trying to secure every device. Most of the major chip vendors have security built into their architectures, but Arm has extended that with a common framework for the IoT with its Platform Security Architecture.

“That’s something we need to start building in,” said Ian Smythe, senior director of marketing programs for Arm’s CPU Group. “Security is multilayer. We have a range of IP within that security layer. We have a history in security.”

Arm started providing secure IP in 2003, leading to the development and launch of TrustZone and the Trusted Execution Environment (TEE), among other products, he noted.

Rob Coombs, Arm’s director of security marketing, noted this is an open-source reference implementation. “We do an open-source reference implementation. What we found for mobile devices was mobile devices have a TrustZone-based execution environment. It was very successful in mobile, but actually a bit too complicated for some other areas. So Arm developed some open-source code to make it easier to use. We developed some open-source TrustZone, and we’ve been doing that for a few years, and it made it really easy for people to build the TEE and use it in a smart TV, or a car, or something else. We do something similar for microcontrollers, and we’re going to make it a specific open-source project for these new TrustZone-enabled microcontrollers.”

Arm has enlisted Amazon, Cisco and Google in supporting the Platform Security Architecture, which will become available to IoT device developers in the first quarter of next year.

How effective this ultimately will be remains an open question, and one that could change at any time. But at least it’s a step in the right direction.
