The UK could be heading for a “cyber disaster” if it continues with its current approach to cybersecurity. This was the message of Professor John Goodacre, challenge director – Digital Security by Design, UKRI, and Professor of Computer Architectures, The University of Manchester, speaking during the latest leg of the DSbD roadshow, in Newport, Wales, UK, this week.
Goodacre began by highlighting how Microsoft, “the predominant platform that’s attacked today,” looks to tackle cyber-threats. “They’ve had to spend a lot of time making it secure,” he noted. “They’ve had to create a patch Tuesday mechanism, they’ve worked with the industry to create a database for the vulnerabilities – basically, it’s a major initiative to be able to track cyber issues in today’s technologies.”
This approach of discovering and patching vulnerabilities is becoming unsustainable amid the digital revolution, particularly with the growth of IoT devices. There is now far more software, but no corresponding evolution in the underlying technology platforms to prevent vulnerabilities from emerging. “Even with the huge effort going into mitigating vulnerabilities, we’re seeing a huge exponential growth in the number of reported vulnerabilities,” pointed out Goodacre.
Today’s cybersecurity, he argued, is therefore centred on the point at which software is used, so that “the person responsible for that security is the person who is using it.” The DSbD initiative aims to change this trajectory, putting far more responsibility for the security of technologies “in the hands of those that build it” and creating a culture of “secure by default.”
The UK government is already taking steps in this direction; for example, with its Product Security and Telecommunications Infrastructure (PSTI) Bill, which places new cybersecurity standards on manufacturers, importers and distributors of internet-connectable devices. However, Goodacre explained that the DSbD strategy aims to go further and “actually change the way the components used to build products are secure,” thereby “stopping issues at a higher level of the stack.”
Goodacre acknowledged this would be an enormous challenge due to a fundamental “market failure” in the cybersecurity industry. He revealed that when Arm first started talking to Cambridge University about the Capability Hardware Enhanced RISC Instructions (CHERI) research project, there was no way to get the concept to market, as there was no return on investment in changing computer hardware. Essentially, they told Goodacre: “We can’t change it fundamentally because we can’t get our customers to build chips if there’s no software that runs on them.”
This problem must be solved because otherwise we risk losing trust in computers due to endemic hacks and breaches, according to Goodacre. For this reason, UKRI, a non-departmental government body, decided to run a program for the initiative. He revealed that 2025 is the earliest estimate of when this technology will be commercially available, allowing time for research and feedback from the industry.
Goodacre equated the scale of the project to the government’s net-zero strategy for the environment. This means it requires a thorough understanding of the socio-economic issues involved, as well as building the necessary ecosystem through which it can be tested and delivered.
Therefore, a major current priority for DSbD is to generate awareness of the project in the industry. This includes explaining “what does it mean to have a technology that changes the rules of how a computer works.”