Calls for digital Geneva Convention being made at the 2018 edition of the RSA Conference
SAN FRANCISCO — Hardware design needs to focus more on security and less on performance, according to some experts at the annual RSA Conference here. All sides agreed that the number and sophistication of threats are growing in a landscape where tech companies and governments can be both adversaries and partners.
The past year revealed the dark side of social networks and brought the largest government-sponsored attacks to date. It also has shown that blockchain and quantum computing are neither immediate threats nor panaceas for security, said experts.
“The threat picture is getting darker,” said Kirstjen Nielsen, Secretary of the U.S. Department of Homeland Security (DHS), in a keynote at the event that attracted nearly 50,000 registrants. “In each morning briefing, I see digital threats multiplying faster than we can keep up.”
Last year’s Equifax hack alone exposed data of half of all U.S. citizens. NotPetya was considered the costliest single hack to date, and the annual costs of cyberattacks are projected to hit $6 trillion, or 10% of the world’s GDP, in a few years.
“Our adversaries are getting more sophisticated and sinister and harder to detect … with diverse actors and objectives … every facet of our society is targeted at every level,” she said.
“We live in an era when we feel the attackers are winning,” said Ron Rivest, co-developer of RSA, one of the first public-key-cryptography systems.
The state-sponsored NotPetya and WannaCry attacks were a wakeup call, said Brad Smith, president and chief legal officer of Microsoft. “We saw governments attack civilians in a time of peace — these are not just attacks on machines; they are endangering people’s lives.”
To fight back, he announced the Cybersecurity Tech Accord, an agreement initially among 34 tech companies including ARM, Cisco, Dell, Facebook, HP, and Microsoft. They agreed not to participate in government cyberattacks and to collaborate on stronger defenses for their customers. So far, giants including Amazon, Apple, Alphabet, and Twitter have not signed the Microsoft-led pledge.
Smith also called for a digital Geneva Convention under which governments would agree not to target consumers, businesses, and utilities as well as show restraint in the development and proliferation of cyber-weapons.
Smith painted tech companies as the heroes in a world “where cyberspace is the new battlefield … we are the first responders … there’s a shortage of trust between people and governments today” that the tech industry can fill with an inclusive community that develops the best defensive tools.
Nielsen of DHS applauded the accord and called for partnerships between the government and the tech sector. “The threats today are too widespread for anyone to fight alone,” she said in an onstage interview.
U.S. calls for more secure products
Industry needs to do a better job of sharing and addressing threats and delivering resilient products, said Secretary Nielsen, previewing a new cybersecurity strategy that the DHS will release soon.
She called for new incentives for making and buying more secure products. “Today, products are rushed to market for the lowest cost, not the best security. Who wants to sell a secure pedometer for $30 when you can sell a basic one for $5?”
Instead, security should be seen as a competitive advantage, she said, calling for designs that show persistent resilience.
“Despite prevention measures, we will get hit. It’s gone from a question of when to how often to how long we can sustain persistent attacks. We need to be obsessed with redundancy so systems fail gracefully and are designed so parts can work even if they are disconnected.”
As if in response, Microsoft used the event to roll out its Azure Sphere cloud IoT service. It uses a new secure IP block for MCUs that Microsoft will make available to chipmakers royalty-free and that was first implemented by MediaTek. It also uses a custom Linux kernel embedding security advances first released in Windows.
Separately, Nielsen of DHS called on industry to form sector-specific threat groups such as one focused on the financial sector. “The bad guys are crowdsourcing their attacks, so we have to crowdsource our defenses,” she said.
She also encouraged industry to follow DHS in making its risk assessments and tools more systematic. “We are investigating supply chains to hunt down security gaps and share information on how to close them, including companies who have unnoticed risks.”
Spectre leaves behind unresolved ghosts
Paul Kocher, co-author of the paper on the Spectre hardware flaw, called for a shift in semiconductor design and a new class of secure chips.
“All the value gains over our careers came from products being faster, and everything else was secondary,” said Kocher, who also serves as a chief scientist and security advisor for Rambus. “I think we need to take a new look at this. Now security is a multi-trillion-dollar issue and performance gains are relatively small.”
Like ARM’s designs for low- and high-power processors, “we have to start bifurcating efforts and customizing systems for security. We have to build systems with security as a primary objective, not an afterthought.”
“Better hardware is something people are putting more resources into … you can make a chip that does cryptography with a low chance of being buggy,” he added.
The industry still lacks a clear process to handle discoveries of hardware vulnerabilities like Spectre and Meltdown, said Kocher. Independent of Google’s work, he stumbled upon the vulnerabilities in speculative execution, a performance enhancement that microprocessors have used for a decade.
A wide group of companies kept quiet about the exploits for months while engineers worked on fixes. But ultimately, word got out before remedial measures were all in place.
“How can you fix a hardware problem in ARM processors that go to dozens of chipmakers and thousands of systems or Intel processors with massive clouds using them?” he asked.
“I still have the list of emails from people unhappy [that] I didn’t tell them about it, but we told more people than could keep a secret. So press leaks led to a panicked end of the embargo. We need a roadmap of what to do with problems in systems that can’t be updated easily when you don’t want to give away information about how to conduct the attacks.”
There’s still “a pretty large amount to do” to close the Meltdown/Spectre vulnerabilities. “We’re using instructions that are slow, and tools don’t exist.”
The good news is that “this hardware bug is interesting for computer scientists but not one to make us run for the hills … but there will be others,” he said.
“I’m worried about vulnerabilities where thousands of processors are bricked by playing with their microcode,” said Adi Shamir, a co-inventor of RSA security. “There is possibility for a huge disaster.”
More broadly, there’s “a lack of preciseness in cybersecurity,” he said. “Everything is mushy. Unlike cryptography, there aren’t definitions, theorems, and proofs. I’ve been trying to think how to make it quantitative rather than qualitative — it’s time to make this move.”
On Facebook, quantum computers, and blockchain
In a year of insecurities, “the utopian view of social networking connecting everyone for good is coming to end across the political spectrum,” said Moxie Marlinspike, a security researcher on the cryptographers’ panel here and a former head of security at Twitter. “Now it’s seen less as a hopeful tool and more as a weapon that everyone thinks is in the wrong hands.”
“In many ways, Facebook is like the Exxon of our time — an indispensable tool that everyone despises — Exxon, maybe Comcast, and now Facebook; there’s not a lot of brands like that.”
Marlinspike compared Facebook’s latest plans for protecting privacy to an underwater camera that an Exxon might use to show an offshore rig leaking oil into the ocean. “After enough oil spills, we started investing in solar and battery technology … now we need to find our digital solar and batteries to invest in,” he said.
Europe’s GDPR “helps Facebook because they can refuse service if you don’t consent, and for many people, Facebook is the internet,” he added.
In an on-stage interview, Nielsen of DHS said that the U.S. government is exploring what could be its own version of privacy regulations.
“We don’t want unintended consequences of losing a heads-up from vendors or researchers on threats … privacy is really interesting because it emanates from a culture. In the U.S., we opt in rather than opt out … so it makes it hard for [global] companies.”
Separately, Shamir and others agreed that, despite advances, it will be many years before quantum computers threaten today’s security techniques. He expressed skepticism about a Microsoft researcher’s claim that it will have a system ready in five years based on a new style of topological qubits.
U.S. researchers at NIST hope to pick quantum-resistant security algorithms within three years. However, Shamir was skeptical of the time frame given that NIST must sort through 64 detailed proposals from a recent workshop on the topic. It took 15 years for today’s RSA and elliptic curve cryptography schemes to become mainstream, he noted.
Nevertheless, “I was surprised by the speeds of hundreds of microseconds or a few milliseconds of some of the proposals and key and signature sizes of 1 to 10 KBytes that are unpleasant but we can live with.”
All sides agreed that blockchain will have limited use and is not the “security pixie dust” that some claim due to problems such as high latency and uncertain accuracy, said Rivest.
Few applications can make use of the distributed nature of blockchains, and some suffer from it, said Marlinspike. “The consumer space sees it as zero-value.”
— Rick Merritt, Silicon Valley Bureau Chief, EE Times