In cybersecurity, 2005 is a year that looms large. It marked the moment when cybercrime graduated from a malicious and somewhat sophisticated sport to a business with money, information and strategic advantage as its goals.
The year started with a breach at George Mason University that exposed the records and Social Security numbers of students and 32,000 staffers.
A few months later, hackers exposed a million customer records from DSW Shoe Warehouse, marking the first million victim breach. Later, an estimated 40 million credit card numbers from the files of CardSystems Solutions got out. The rush of data breaches became so rapid that the Privacy Rights Clearinghouse began keeping a chronology of data breaches.
And, while the wider world may not have learned about the Stuxnet virus until 2010, development on it—and its lasting impact it has had on breaching the defenses of manufacturing system like robots and chemical furnaces—probably began in 2005. So did the $20 billion problem of ransomware.
The modus operandi of cybercrime
From a high level, cybercrime can be grouped into three categories:
- Data theft. Arguably the most common and lucrative form of cybercrime. Data breaches will cost an estimated $6 trillion this year in theft, embezzlement, loss of intellectual property and the associated damages that come with it. And as British Airways and Marriott learned, it can also mean multimillion fines.
- Falsification. Research into uncovering digital fakes started gaining momentum in 2005 as well. Since then, fake news and the problems it causes has become part of our lives. General Vincent Stewart (USMC) says falsified data will the foundation of the fifth generation of warfare where victory can be achieved by taking away a combatant’s ability to make rational decisions.
- Weaponization Ransomware experts have branched out from hijacking data to licensing tools to newcomers while the average ransom demand more than doubled to $170,000. Meanwhile, security firm Dragos says that hacker penetration into utilities and critical systems is becoming pervasive.
Compounding these problems is the uncertainty and doubt among businesses and consumers on how best to protect themselves. In a recent report by PSA Certified, 54% of respondents said the uncertain ROI and potential lack of buy in for security among their employees lead to an unwillingness to invest continuously in security measures. Only 47% said they carry out a threat analysis of new products (a figure that drops to 33% for smaller companies).
An architecture approach
Our goal at Arm is to provide defenses against these attacks and more by integrating strong, intelligent and pervasive security into architecture of devices and systems. Some security innovations are integrated into Armv9, our most recent architecture. Others are implemented through industry initiatives such as PSA Certified. Below are some of the ideas we are developing to combat the problems above.
A fundamental feature of our Arm Confidential Compute Architecture of v9, Realms effectively allows consumers or trusted application vendors to create highly secure, temporary enclaves for sharing critical data and prevent data theft. It is for protecting data in use, in contrast to encryption which protects data in transit or at rest in a storage system.
Let’s say a patient wants to share medical records with a disease researcher, but the patient is also rightfully concerned about copies of its medical records being inadvertently exposed by a breach at the research hospital. The patient might also want to separate his or her personal information from the medical file.
With realms, a virtual enclave—separated from the operating system and hypervisor—would be brought into being. The patient would un-encrypt her records. The researcher would then analyze the data, encrypt the results, and leave. The realm would dissolve. The patient records would never leave the host computer. The researcher, however, would have the data she needs. Even if her computer where compromised, hackers in all likelihood could not reconstruct it to obtain the original record.
The underlying technology and concepts for Realms grow out of TrustZone, a technology Arm first began including in processors over a decade ago. Realms expands the uses and use cases.
PSA Certified, an initiative started by Arm, set outs standards and a certification process for chips, software, sensors and intelligent devices to overcome the paralyzing uncertainty of implementing better security. PSA Certified provides manufacturers and developers an established process for creating a foundational root of trust for their products. Additionally, the process gives businesses, which typically don’t have the time or expertise to evaluate risks, a foundation for choosing wisely.
The coalition, whose members include the BBC, Microsoft and Adobe, seeks to address the problem of fake videos, photos and content through embedded mechanisms and standards. Imagine an app that would allow a photographer to conclusively prove that (1) a particular photo was taken with his or her phone, (2) it has not been altered and (3) if it has been altered, what those alterations are. It would create a chain of authenticity that could restore trust in what our eyes see.
The same technology could also potentially be employed to protect the intellectual property rights of artists.
Being developed by Arm in conjunction with the UK Research and Innovation, Google and Microsoft, Morello isolates attacks at their point on entry through a combination of hardware and software. Imagine a burglar breaking into your garage, but not being able to get into the house from the garage. Fine grain compartmentalization can prevent data theft, virus propagation and the zombie attacks that allow hackers to weaponize a system.
Arm’s Morello prototype architecture specifications are now available to download. If Morello can meet our goals, it could be included in v9 processors toward the middle of the decade.
Applications like ride sharing, electronic banking and ecommerce all depend on staying steps ahead of cybercriminals. New, emerging technologies like IoT that can play a potentially large role in combating climate change could seize up because of security and privacy concerns. Without trust, digital systems can’t scale. A broad-based approach that takes advantage of the processing power and capabilities inherent in the devices people already own will become one of the most effective ways to stem the tide and raise people’s confidence in computing.