By Dr. Andreas Kuehn
This article was originally published in the Arm Security Manifesto as one among six expert commentaries.
Cybersecurity is at a crossroads. Cyber incidents that drag critical infrastructure to a standstill, theft of sensitive data, and ransomware targeting municipalities, corporations and even hospitals have become all too common daily news. The attacks are not only becoming more numerous but costlier in terms of social and commercial disruption.
Since the inaugural Arm Security Manifesto in 2017, technology companies have joined hands in a concerted, silicon-to-systems effort to strengthen security. But the tech sector is just one aspect of the response. Governments, legislators, policy makers, and regulators play a role, but the cross-discipline efforts and collaboration need to be redoubled.
Fortunately, the time is right. Recent geopolitical trade disputes, concerns over regional supply-chain concentration, and the global semiconductor shortage have illuminated for the broader public a technology that most of the world isn’t familiar with, even though it powers our daily lives. Not being able to buy a car, a refrigerator, or a microwave was a wake-up call for consumers. Lawmakers, seeing workers furloughed at the plants that make these items, stepped up their efforts to act expeditiously.
The semiconductor industry must seize the moment to not only build and expand on its recent security accomplishments, but to drive the global conversation around holistic approaches to security and trust.
Global Complexity, Major Challenges
This came on top of simmering trade disputes and a growing realization among countries around the world that home-grown expertise in electronics is increasingly key to economic success and national security.
In the U.S., for example, the U.S. Cyber Solarium Commission and the U.S. National Security Commission on Artificial Intelligence have both pointed out the national security threats if the U.S. cannot secure its semiconductor supply chains. And the White House supply chain review outlined a way forward to strengthen U.S. chip manufacturers and international collaboration to ensure manufacturing capacity and supply chain resilience.
Governments across the globe – including the U.S., China, India, South Korea, Japan, and many others – are embarking on multibillion-dollar investments in infrastructure improvements, with semiconductors a leading beneficiary. In a meeting with industry leaders, President Biden referred to silicon as infrastructure and acknowledged the chip industry’s critical role in infrastructure buildout. Modern, sustainable infrastructure is about semiconductors and specialized chips for all types of sectors and functions, including AI and self-driving cars.
Unfortunately, as countries realize the power and potential of vibrant technology ecosystems, bad actors also see opportunities, and this should come as no surprise: At the dawn of the internet of things (IoT), security experts warned against a tsunami of vulnerabilities caused by millions and billions of insecure devices that would be connected to the global Internet in the coming years. The past few months reminded us especially about the vulnerability of physical and digital infrastructure to cyber-attacks as we experienced several systemic, large-scale incidents, including the recent SolarWinds, Hafnium and Colonial Pipeline hacks.
The situation seems untenable. The trajectory of cyber-attacks looks grim, as the attack surface of IoT grows rapidly. The cat-and-mouse game between the white hats and the black hats seems to intensify each week.
But obviously the technology industry has no interest in throwing in the towel, as you can see from other perspectives contained in the Arm Security Manifesto. Silicon-based security functions, including cryptography, secure storage, attestation, update, and authentication will enable software developers, service providers, critical infrastructure operators, and others to leverage hardware-based functions to secure their products and services.
Lighting the Path Ahead
So, how do we proceed? With a bright spotlight on it at this critical time, the semiconductor industry must seize the moment to not only build and expand on its recent security accomplishments, but to drive the global conversation around holistic approaches to security and trust.
Security capabilities designed into silicon – by providing a Root of Trust for functions and services – and certification and attestation efforts – by groups such as PSA Certified, Common Criteria and others – are strong, confident steps forward. They provide a new vision and measures to improve cybersecurity throughout the digital environment in an effective, scalable, and sustainable way. Millions of IoT devices can be equipped with state-of-the-art security capabilities. Designed once by chip engineers, these tested and trusted security functions are easily available to millions of software and system developers, avoiding the pitfall of faulty implementation in software.
The industry also would do well to leverage the attention on broader semiconductor issues to strengthen the security and resilience of digital infrastructure. Traditionally, the semiconductor industry has had a lobbying policy of speaking softly in government capitals while continuing to change the world back at home. But the world’s more complex today, and digital security is a major priority for most governments.
Digital security and trusted environments aren’t something that can be delivered by any one entity. As policy makers embrace semiconductors as the foundation to build the infrastructure of the future and power the digital transformation, industry and government must redouble their efforts at collaboration and communication.
Officials have been grappling with digital security for years. The European Union’s baseline security recommendations for IoT, the UK government’s legislative proposal for mandatory product assurance based on the European Telecommunications and Standards Institute’s (ETSI) IoT cybersecurity standard, California’s requirement to equip IoT devices with reasonable security features illustrate some of the significant progress made in recent years.
Trade associations and industry consortia – PSA Certified, IoT Security Foundation and ioXt, for instance – have individually and collaboratively leveraged these efforts through sector-specific IoT security assessments and certifications. Reciprocity of credentials fosters adoption and helps achieve compliance in the technology industry. Consumers on the other hand benefit from independent IoT security ratings that increase cybersecurity transparency.
Another excellent example of cross-boundary collaboration in hardware-level protection are the initiatives led by the U.S. National Institute of Standards and Technology (NIST) and ETSI around post-quantum cryptography standards. Here industry experts, working within NIST and ETSI frameworks, are suggesting methods to replace the vulnerable algorithms with new quantum-resistant forms able to run on classical digital computers.
One last example of governments investing in hardware-based security is the U.K.’s Digital Security by Design Initiative which has invested significant sums into more secure chip architectures. As governments make new investments in advanced semiconductor R&D, it should prioritize security in the same way it prioritizes performance, efficiency, and other capabilities.
Governments must further leverage the technology industry as a trusted partner to jointly tackle the rapid technological advances of our times.
Better Together: Partnering to Enhance Resilience
The technology industry must continue to drive innovation around security and trust into the supply chain but also exploit this critical moment to drive security thought leadership deeper into conversations with policy makers as major investments in the infrastructure of the future are on top of their agenda.
Governments must further leverage the technology industry as a trusted partner to jointly tackle the rapid technological advances of our times. Working together can lead to the outcome everyone wants: A future that makes the scary headlines of today a distant memory.
*Note: The first paragraph has been lightly edited to incorporate overall context included in other parts of the Arm Security Manifesto.
Dr. Andreas Kuehn is a Senior Fellow at Observer Research Foundation America.