The Meltdown and Spectre vulnerabilities should be the kick in the pants that moves the US government past wishful thinking.
When we hear about a new cyber vulnerability, we often think of software bugs or poorly written code — serious problems to be sure, yet typically solved with an appropriate patch. But fixing hardware problems like the recently discovered vulnerabilities in chips made by Intel, ARM, AMD, and Qualcomm is generally far more expensive, time-consuming, and disruptive.
Eliminating the threat posed by the Meltdown and Spectre exploits, for example (and despite the reassurances being issued by major technology companies) will likely take more just a software patch. The fix will probably require some sort of hardware replacement in each of the millions of devices and systems that use these ubiquitous chips: laptops, smartphones, cloud servers, critical infrastructure control systems, weapons from missiles to fighter jets, other defense-related systems, and more.
This sort of thing is hardly unexpected. The enormous potential consequences of major hardware vulnerabilities, including the daunting and costly prospect of fixing them, have been the subject of literally dozens of studies. (Examples include reports produced by the President’s Council of Advisors on Science and Technology, the Air Force Studies Board, the Government Accountability Office, the Senate Armed Services Committee, the National Defense Industrial Association, and several think tanks, including the Potomac Institute.) These reports note that exploits may arise from inadvertently poor security design or from “the malicious insertion of defects or malware into microelectronics and embedded software, and from the exploitation of latent vulnerabilities in these systems,” as the Defense Science Board wrote in its 2017 “Cyber Supply Chain” report.
Yet U.S. policymakers, who have devoted billions of dollars in recent years to securing critical infrastructure and defense systems, have focused almost entirely on software. It is high time to expand such efforts to hardware security — and in particular, to develop a national strategy for acquiring secure hardware for our military and critical infrastructure needs. Such a strategy would include such steps as:
- Create a comprehensive hardware cyber initiative. Industry cannot solve these difficult security issues alone; they require government investment and information-sharing on threats to improve chip security, both for consumers and national security systems.
- Obtain secure and assured access to critical chips. We can’t replace bad chips with good ones if commercial sources are compromised. The government’s partnerships with industry are important, but it needs long-term capabilities to either buy or make every chip they need in a secure environment, from certified and trusted U.S. sources. The Defense Department’s Trusted Foundry and Trusted Supplier programs can meet this need, but they are not being fully utilized. The Defense Microelectronics Activity, which runs these programs, has not been fully funded to accomplish this mission.
- Prioritize hardware security research. We can’t fix old vulnerabilities without new tools. One such effort is DARPA’s new Electronics Resurgence Initiative; more are needed.
Proposals to fund a dedicated DoD capability to produce secure chips range from $250 million to $500 million — a security investment that is well worth the cost. (Compare it to the roughly $100 billion a year that the Pentagon spends annually on systems that depend on chips, including $3 billion to $5 billion on the chips themselves.) The time to debate the risks or likelihood of hardware security threats is over. The U.S. government needs to take swift action.