Cybersecurity is at a crossroads. Cyber incidents that bring critical infrastructure to a standstill, theft of sensitive data, and ransomware targeting municipalities, corporations, and even hospitals have become all too common daily news. The attacks are becoming not only more numerous but more costly in terms of social and commercial disruption.
Since the inaugural Arm Security Manifesto in 2017, technology companies have joined hands in a concerted, silicon-to-systems effort to strengthen security. But the tech sector is just one aspect of the response. Governments, legislators, policymakers, and regulators play a role but the cross-discipline efforts and collaboration need to be redoubled.
Fortunately, the time is right. Recent geopolitical trade disputes, concerns over regional supply-chain concentration, and the global semiconductor shortage have illuminated for the broader public a technology that most of the world isn’t familiar with, even though it powers our daily lives. Not being able to buy a car, refrigerator, or microwave was a wake-up call for consumers. Lawmakers, seeing workers furloughed at the plants that make these items, stepped up their efforts to act expeditiously.
The future of the future
This came on top of simmering trade disputes and a growing realization among countries around the world that home-grown expertise in electronics is increasingly key to economic success and national security.
In the United States, for example, the U.S. Cyber Solarium Commission and the U.S. National Security Commission on Artificial Intelligence (AI) have both pointed out the national security threats if the U.S. cannot secure its semiconductor supply chains. And the White House supply chain review outlined a way forward to strengthen U.S. chip manufacturers and international collaboration to ensure manufacturing capacity and supply chain resilience.
Governments across the globe – including the United States, China, India, South Korea, Japan and many others – are embarking on multi-billion-dollar investments in infrastructure improvements, with semiconductors a leading beneficiary. In a meeting with industry leaders, President Biden referred to silicon as infrastructure and acknowledged the chip industry’s critical role in infrastructure buildout. Modern, sustainable infrastructure is about semiconductors and specialized chips for all types of sectors and functions including AI and self-driving cars.
Unfortunately, as countries realize the power and potential of vibrant technology ecosystems, bad actors also see opportunities, and this should come as no surprise: at the dawn of the Internet of Things (IoT), security experts warned against a tsunami of vulnerabilities caused by millions and billions of insecure devices that would be connected to the global Internet in the coming years. The past few months reminded us especially about the vulnerability of physical and digital infrastructure to cyber-attacks as we experienced several systemic, large-scale incidents, including the recent SolarWinds, Hafnium and Colonial Pipeline hacks.
The situation seems untenable. The trajectory of cyber-attacks looks grim, as the attack surface of the IoT grows rapidly. The cat-and-mouse game between the white hats and the black hats seems to intensify each week.
But obviously, the technology industry has no interest in throwing in the towel, as you can see from other perspectives contained in this Manifesto. Silicon-based security functions, such as cryptography, secure storage, attestation, update, and authentication, will enable software developers, service providers, critical infrastructure operators, and others to leverage hardware-based functions to secure their products and services.
The way forward
So, how do we proceed? With a bright spotlight on it at this critical time, the semiconductor industry needs to seize the moment to not only build and expand on its security accomplishments of recent years but drive the global conversation around holistic approaches to security and trust.
Security capabilities designed into silicon – by providing a Root of Trust for functions and services – and certification and attestation efforts – by groups such as PSA Certified, Common Criteria and others – are strong, confident steps forward. They provide a new vision and measures to improve cybersecurity throughout the digital environment in an effective, scalable, and sustainable way. Millions of IoT devices can be equipped with state-of-the-art security capabilities. Designed once by chip engineers, these tested and trusted security functions are easily available to millions of software and system developers, avoiding the pitfall of faulty implementation in software.
The industry also would do well to leverage the attention on broader semiconductor issues to strengthen the security and resilience of digital infrastructure. Traditionally, the semiconductor industry has had a lobbying policy of speaking softly in government capitals while continuing to change the world back at home. But the world’s more complex today, and digital security is a major priority for most governments.
Digital security and trusted environments aren’t something that can be delivered by any one entity. As policymakers embrace semiconductors as the foundation to build the infrastructure of the future and power the digital transformation, industry and government must redouble their efforts at collaboration and communication.
In fact, officials have been grappling with digital security for years. The European Union’s baseline security recommendations for IoT, the UK government’s legislative proposal for mandatory product assurance based on the European Telecommunications Standards Institute’s (ETSI) IoT cybersecurity standard, and the State of California’s requirement to equip IoT devices with reasonable security features illustrate some of the significant progress made in recent years.
Trade associations and industry consortia – PSA Certified, IoT Security Foundation, and ioXt, for instance – have individually and collaboratively leveraged these efforts through sector-specific IoT security assessments and certifications. Reciprocity of credentials fosters adoption and helps achieve compliance in the technology industry. Consumers on the other hand benefit from independent IoT security ratings that increase cybersecurity transparency in the marketplace.
Another excellent example of cross-boundary collaboration in hardware-level protection is the set of initiatives led by the U.S. National Institute of Standards and Technology (NIST) and ETSI around post-quantum cryptography standards. Here industry experts, working within NIST and ETSI frameworks, are suggesting methods to replace the vulnerable algorithms with new quantum-resistant forms able to run on classical digital computers.
One last example of governments investing in hardware-based security was the U.K.’s Digital Security by Design Initiative, which has invested significant sums into more secure chip architectures. As governments make new investments in advanced semiconductor R&D, they should prioritize security in the same way they prioritize performance, efficiency and other capabilities.
Better together: partnering to enhance resilience
The technology industry must continue to drive innovation around security and trust into the supply chain. It must also exploit this critical moment to drive security thought leadership deeper into conversations with policymakers, as major investments in the infrastructure of the future are at the top of their agenda.
Governments must further leverage the technology industry as a trusted partner to jointly tackle the rapid technological advances of our times. Working together leads to the outcome everyone wants: A future that makes the scary headlines of today a distant memory.
Read the 2021 Arm Security Manifesto
The third Arm Security Manifesto surveys the threat landscape today and details the tremendous strides the industry has made in the past four years.