Geof Wheelwright: Welcome back to the Arm Viewpoints podcast. Today, we have an episode that tackles an important topic impacting everyone, as we explore the latest developments and innovations in digital security. My guest today is Richard Grisenthwaite, Senior Vice President, Chief Architect, and Fellow at Arm.
Richard has worked for Arm for the past 21 years. He’s responsible for the long-term evolution of the Arm architecture and has led the architecture since heading up the introduction of ARM6 in 2001. Welcome, Richard.
Richard Grisenthwaite: Thank you.
Geof Wheelwright: It seems like cybercrime, whether it’s malicious attacks or ransomware attacks, is increasingly in the news. Can you explain the explosion in these attacks and what’s behind the increase?
Richard Grisenthwaite: I think the reality of the world is that crime always goes where the money is. I think it’s always done that. And the more that computing is central to our lives, the more it’s going to attract criminals. If you think about what’s happened to us all over the last 20 years, we’re putting more and more of our information, our banking, our health information, everything, onto computers, rather than keeping it in the desk drawer or whatever, and that becomes an attractive thing for criminals to try and exploit in a variety of different ways, whether it’s simply trying to steal your money or to use information against you or whatever it is. And it’s kind of just human nature; crime has always been the sort of dark side of all technologies. And so as computing becomes more and more central to our lives, both nationally, commercially, individually, the scale of the opportunity for the criminal is increasing and it is immense. So you see some horrifying statistics: there’s something like $6 trillion worth of cybercrime in 2021 and that’s predicted to rise to some $10 trillion by 2025. Now I’m going to be careful about the term cybercrime because it covers a huge range of different activities.
It covers, you know, espionage in governments, organized crime, ransomware, the low-level fraud that targets individuals and particularly people who are not desperately knowledgeable about computers. And it’s really important to realize when we start talking about security, that security isn’t one thing.
In fact, it’s inappropriate to talk about being secure in an abstract sense without really defining what you are secure against. There isn’t a magic bullet to solve security and, as the old saying goes, “you’re only as secure as your weakest link”. And depressingly the cybercriminals are incredibly good at finding the weak links of security.
So every organization and indeed every individual has a role to play in fighting cybercrime. It won’t be solved by one company or one individual alone. But Arm, as a leading provider of CPUs, is very keen to play a part in providing processors with security features against the range of threats that we see being deployed and can imagine being deployed in the future.
But also because we are in this position with a whole ecosystem of other companies, we want to encourage that ecosystem to adopt the best practices, to really do the best they can to provide security. Arm has been adding features to address security for really a couple of decades. And four years ago, we published what we called a security manifesto as a way of broadening our influence in computer security because we recognized that an awful lot of people were kind of rolling their own things and providing a very attractive target for these sorts of criminals.
And this was at about the time when IoT was ramping up and we were seeing that there was a space for the ecosystem to come together to protect the future. So in that manifesto we detailed key vulnerabilities and mapped a vision of how the industry should respond. We followed that up a couple of years later with a second manifesto that reflected on the lessons learned from some of the new attacks that we saw, such as Spectre and Meltdown, which made a lot of headlines, but were actually just part of this whole spectrum of different attacks that cybercriminals use.
So a very long answer to your question, I’m afraid, but it’s really there because of the size of the opportunity and the sheer range of different things that can be attacked. And we’ve just launched a third edition of the security manifesto, which surveys the current threat landscape, its recent evolution and the strides the industry has been taking over the past four years.
Geof Wheelwright: Okay. Are these attacks expected to worsen in the near future?
Richard Grisenthwaite: I mean, I think the simple answer to that question is yes. The ongoing digitization of our lives is increasing the attractiveness of the target to go after; you know, the size of the prize in the eyes of the criminal is growing to be more and more attractive. And that means that there are going to be more attempts from more people to try to break in. But it’s worth observing that some of the measures that we have been bringing in are actually closing down the avenues of attack. And so the threat is evolving over time. And this is part of the ongoing struggle that exists between the architects who are improving the security against these attacks and the sophistication of the cybercriminals. If you look back over the last couple of decades, we’ve seen a ratcheting up of the sophistication of attacks in response to the measures that we have put in to address what criminals are currently doing. A really concrete example of this is something called data-oriented attacks. It’s where people download a photograph or something, something that you get a little warning message on your computer saying, “warning, this might damage your computer” or it might be a source of an attack.
Those warnings exist because people have found ways of taking data and using that to actually take control of your computer. Now, the very first parts of that were desperately simple: essentially, within the image, there’ll be little snippets of code and people would be able to execute that. And the architects added in features such as our Execute Never (UXN) to make it impossible to have data that had recently been written be executed, and we kind of thought job done.
But then the criminals came back with attacks which reuse snippets of code, with things like return-to-libc and return-oriented programming, and in response we introduced pointer authentication to try and close that off. And we’re hearing that where that has been deployed, the attackers are moving on to find new avenues of attack.
So what we see is an evolution of the attacks but the basic question of do we expect them to worsen? I think they are continuing and I think there are more and more incentives simply because more and more of our lives exist in cyberspace.
Geof Wheelwright: The potential vulnerabilities stretch from hardware to software, to human error. Are you able to walk us through some of the ways the industry is responding to strengthen security and improve trust?
Richard Grisenthwaite: Yeah. I mean, I think there’s a number of points to this. I mean, one of the big advantages Arm’s got is that we provide IP to a wide range of the industry. We’re used in servers, in client devices, in IoT systems.
And we can actually learn lessons from those different segments about what the attacks are. To give a very concrete example of that, we recently introduced into our microcontrollers features from the pointer authentication that I was talking about a couple of minutes ago, which were originally derived in our client computing space, things like phones and tablets and the like, in order to provide robustness for our future microcontrollers against these sorts of attacks. Now at the moment, we don’t see those sorts of attacks because actually the cybercriminals are finding other routes in, because actually the IoT space historically didn’t have a lot of areas of security, but once we deal with the basics, what we can imagine is they will step up to use the techniques that have worked so well in other spaces. So we want to try and keep ahead of that by bringing in security features that are ready for the future. But in order to deal with some of the things we’ve seen in the IoT space, a few years ago we introduced something called the Platform Security Architecture and a certification program called PSA Certified to provide a security framework for the IoT sector.
And this was really a first step of us encouraging the IoT ecosystem to follow the best practices in security. Because when people were getting very excited that you could connect things like light bulbs onto the internet, they got desperately excited about doing it: let’s get that out there. And perhaps they didn’t pay enough attention to security from the get-go.
I’m sure people have seen examples. I think there’s a nice video on YouTube where a drone flying past a house manages to hack into the light bulbs of the house and to get the whole house flashing on and off because the security of those systems wasn’t very good. Now that actually doesn’t require some of these sophisticated attacks that we see today in the client space; there are much more basic levels of security failure there.
So what we did with the Platform Security Architecture was to put together a framework to drive the basic fundamentals of security with standardization of the threat models, to have a common definition of what a secure IoT system really looks like. And since the launch of this PSA Certified scheme, we’ve seen over 70 certified products, that’s chips, software, devices across the world, adopting these standards. And again, just raising the bar of security.
Geof Wheelwright: Arm recently launched Arm Confidential Computing. Can you describe how this technology can deter cybercriminals?
Richard Grisenthwaite: Well, actually confidential computing is going to almost the other end of the spectrum from what we’re talking about on the PSA side. It’s looking at some of the really very sophisticated levels of attack where an attacker can end up compromising the key system software, such as the hypervisor or the operating system. And perhaps that comes as the culmination of various exploits that they find throughout the system. Now in the traditional model of computing, the system software can see all of the data of all of the applications or virtual machines that it manages, which means that if your critical data is held in an application there, if the attacker has got into that system software, it can see your data, and that data might be your bank information. It might be your health data. It might be your company’s biggest secrets, all of that stuff that you really want to protect. What we’re doing with confidential compute is providing a mechanism to keep the data of an application or virtual machine inaccessible to the system software that is managing the application or virtual machine.
So that even if an attacker gets to the level of being able to compromise the operating system or the hypervisor, your data will still be kept secret and can’t be corrupted. And this is kind of an important part of a mindset of led security. People listening to this might be thinking, well, can’t you just make it impossible for attackers to get into that system software? And the reality is that’s not how security people need to think, because it is so hard to prevent attacks, and because there are so many possible avenues, because software is actually so complicated. As well as trying to make it very, very hard to get that escalation of attack, you need to ask the question, “Well, if that does happen, what damage can be done?” So you end up with this security in depth. It’s not good enough to have just a single, very hard to get through door. Behind that you want to have more layers of security. So if somebody gets through the door, there is still a limit to what you can do with it, and confidential compute is all about saying that even if the attacker gets control of your operating system, your most secure data will not be accessible to the criminal.
Geof Wheelwright: I can imagine that’s particularly important. Personal health data, for example. And we’ve seen an explosion of that in the last year.
Richard Grisenthwaite: Absolutely. I mean, health data is very popular. I mean, obviously with the pandemic and all of that, it’s been vital there and people are rightly very sensitive about what information they want to share. And therefore you want to be very careful to protect that sort of information and also financial transaction data. As I said before, your company’s secrets should nowadays increasingly lie on your phones or on your devices and all sorts of information, whatever you need, you need that data to be protected.
Geof Wheelwright: As you talk about working with these industry bodies, and we start thinking about things like certification and verification, how important are they in the overall push to improve security?
Richard Grisenthwaite: We have an adage in Arm that there is no specification without verification. It’s an easy phrase to trot out, but it actually has a real truth behind it. Unless you verify that what you built actually follows the specification, all the specification really becomes is an aspiration of what you wanted it to do, but it’s not necessarily what you did. So verification is really vitally important. It’s an important part of what it means to specify security. I specified this and I verified what I built is actually consistent with that.
And you’ve got to be very careful that the verification is done by people who are trying to defeat the security. In other words, you’re not marking your own homework and somebody else is actually checking that what you’ve built is genuinely secure, because that way people can trust. (They can review and say) “Oh, look, that is actually properly secure against those threats because somebody has really tried to break into it and they know what they’re doing,” rather than “I tried to break in and I knew what I had done.” So verification is vital, and then certification is really about communication of the trustworthiness and of the security status of systems. As I said before, everyone has a part to play in the defeat of cybercriminals. But not everyone wants to or is able to be an expert in exactly what is necessary on this.
If I’m a hotel manager, for example, or run a set of hotels and I’m installing a set of door locks into my hotels, the last thing I need to do is spend my entire time understanding all of the possible cybersecurity threats that could exist against my new, easy-entry open-with-your-phone door locks.
So they need to be able to trust that this is a secure system. Now certification provides a route to being able to say, “here is a label where somebody who knows what they are talking about, what the possible attacks could be, has verified the security of the system,” and I’m then able to trust that certification, and so therefore I feel good about the installation, in the example I gave, of the door locks in my hotel. And then when I’m having a conversation with an insurance company, I’ll be able to say, well, actually I’m using something that’s been certified to this level of security. And if that’s a recognized certification, the insurance company might, for example, give me a discount on the insurance that I’ve got to do.
So certification is really a way of communicating the status of the security of systems. And this is why we’ve been putting so much work into the PSA Certified scheme that I talked about before, because it’s really about getting the entire ecosystem of the IoT space, the chip manufacturers, the people building the systems, and then the people downstream using them, recognizing that this is actually a valuable label to apply to an object because it tells me I can trust this and gives me actually some benefits because I’ve told people downstream that this is a trustworthy system. And so it’s about communicating the trustworthiness of systems.
Geof Wheelwright: You were saying that everyone has a role to play. So I’m wondering what role regulators and policymakers should play in a global response to cybercrime?
Richard Grisenthwaite: The reality of the world is that people will tend to look for shortcuts, find routes around the things and the reason you have regulation, and government policies and so on is to ensure that where these things are critical to an infrastructure, for example, that shortcuts aren’t being taken.
So having governments or regulators turn around and say “for part of the telecoms infrastructure, you must have this level of security” is really desperately important for people to be able to trust that key infrastructure. So that becomes really important at the sort of global level, but equally when you are looking at simpler systems and, you know, if, for example, my mother, who is quite elderly and not desperately technologically aware, needs to buy a new router, she doesn’t want to have to cope with a range of different labels and standards from people. Being able to pick up something that has been published by the government, published by regulators and policy makers to say, you know, here is good practice for securing the home Wi-Fi that nowadays everybody has got in their homes.
How else do you communicate to a large public what good is? Individual companies have a role in doing it, but actually you want to work with governments so that governments can turn around and say to the entire world “this is good for your systems”, and to be very clear about this, we don’t want governments to say you must use an Arm-based system. That would be creating some sort of national monopoly, but equally, if we can provide standards that people use and they get referenced by government, then people will recognize that systems we produce are consistent with government policy. And then that gets trusted by the people and helps build a more secure system. Because if somebody can start hacking into the internet from my mother’s poorly secured Wi-Fi system, because she didn’t know what she was doing when she bought something and just bought the cheapest thing on the shelf, then that actually could compromise other things than just her setup.
So this is why in this incredibly interconnected world, the security of the world is incredibly interconnected as well. And that means that the role of regulators and policy makers is to encourage that best practice to be used by people who really don’t know what they’re doing. And this is where governments have a role, but the technology companies, people like Arm have a role.
And similarly, as you get standards, such as the cryptographic standards we were talking about before, then again, how do you know a cryptographic standard is actually worth having? Well, you need to have independent experts reviewing it. It is no good me saying, “Hey, trust me, I’m good,” when you know nothing about me, and so the role of policy makers and regulators is really to be the body that people trust.
Geof Wheelwright: Yeah. And I know that a lot of the innovation you’re talking about in digital security is designed to improve security in conventional digital systems. But I also know the work doesn’t stop there. So how do you think about future developments, such as quantum computing, for example?
Richard Grisenthwaite: Quantum computing is getting in the headlines a little bit at the moment because one of the fundamentals of computer security is cryptography, encoding and decoding stuff. And one of the main algorithms that is used for cryptography is the asymmetric key cryptography. And that tends to be based around the difficulty in performing various mathematical operations such as the factoring of the product of two very large prime numbers.
But the problem is that with a conventional computer that is really hard. However, we project that with quantum computers that turns out to be remarkably easy which means that the fundamental premise upon which the cryptography is based will be undermined. If that happens then we would be in a situation where people would then be able to break that public key cryptography very easily.
And that typically is used for things like key distribution. And then you start unravelling some of the principles of security. Now the good news is that the main bodies that certify and come up with cryptography algorithms, people like NIST in the US and ETSI in Europe, ETSI being the European Telecommunications and Standards Institute, they are working on new techniques called post-quantum cryptography to come up with problems that actually aren’t going to be solved by quantum computers or by conventional computers, and we’re tracking the development of those technologies and will be deploying them when they’re ready.
Geof Wheelwright: Well, thank you for that, Richard, I’m feeling a little more secure and I’m sure your mother is too, as a result of hearing what you had to say. The new Arm Security Manifesto that Richard mentioned can be found in the security solutions area on arm.com.
And we look forward to bringing you more conversation in the next episode of Arm Viewpoints.