Arm Security Manifesto 2021
The Arm Security Manifesto 2021 is a comprehensive look at cybersecurity challenges and outlines new and coming innovations aimed at making digital devices
Introduction
A shared responsibility to meet increasing cybersecurity threats
It’s been four years since Arm published its first Security Manifesto in 2017, and digital security has rarely been out of the news.
Whether it’s a new hack or a ransomware attack, serious incidents seem to be happening with increasing frequency and involve higher stakes. And those are just the ones we know about. On the flipside, the world’s response to cyberattacks also has intensified, reflecting the innovation and dedication of countless global players, including technology companies, governmental bodies, and risk regulators.
Today, the world’s digital infrastructure is composed of a complex and vibrant network of devices, software, services, and systems designed to sense, compute, and act on data. The scale we’ve reached has shone a brighter spotlight on security across all computing arenas – for datacenters, edge, and endpoint devices. Any vulnerability along this powerful compute continuum threatens to seed distrust among users, compromise valuable data, and quite frankly, imperil our digital future.
Everyone shares a responsibility to ensure trust from cloud to endpoint. That includes business and personal computing users, as it’s up to all of us to learn and embrace best practices to avoid creating side doors for cybercriminals, as Mary Aiken pointed out in our first manifesto. Technologists, though, have a particular duty of care, as Arm CEO Simon Segars said, to not rely on how we dealt with past threats but to prepare relentlessly to deal with the next ones.
This third Arm Security Manifesto was created in that spirit. You’ll read about new and expanding threat surfaces, and detailed explanations of new security solutions and strategies: From the technical foundations of devices all the way to the datacenter; explanations of risk-management strategies between technologists and other industries, as well as technology certification and attestation efforts to ensure trust among end users. We'll explore questions including:
- How will innovations in hardware compartmentalization further frustrate hackers?
- What’s the role of post-quantum cryptography in the overall scheme of improved security?
- How can the insurance industry better quantify cyber risk and then lead their customers toward stronger cyber-defense strategies?
- What steps can technologists take today with lab-validated security to protect this ecosystem tomorrow?
We need all these elements in a multidisciplinary drive to maintain and improve trust going forward.
Result from PSA Certified industry survey.
This manifesto discusses how security efforts have accelerated and expanded over the past four years and how the approach taken has been holistic – across diverse industries, consumer platforms, and governmental stakeholders.
On the next page, you'll find an updated series of principles that we hope will inform and inspire you to continue to partner with the Arm ecosystem in this stepped-up battle for digital security.
Together, we will never stop innovating.
Do you hear the tiger in the grass?
By Matt Griffin, Futurist & Founder, 311 Institute
Today, in this moment, you are the most powerful version of you who has ever lived – and also the most vulnerable.
Of all the different periods in human history you could have lived, today’s technologies and our digital and connected society have magnified your ability to disrupt the status quo and change the lives of billions of people at a scale and speed that was unimaginable even just a decade ago.
Today, if you hit the right metaphorical buttons, your ideas, opinions, and products can be embraced in real time by more than half the world’s population and change global behaviors in an instant. Step back 50, 100, 1,000 years and no one – not kings or queens, or presidents or prime ministers – wielded that power.
Together, three force multipliers – connectivity, “digital,” and technology – make individuals more powerful than ever, so much so that now all you need to bring a country to its knees is arguably one hacker and some carefully placed ransomware. Ponder this point carefully: Historically, to accomplish this you would have needed lots of expensive assets, resources, and of course, an army.
Today the cost and effort of launching increasingly sophisticated cyberattacks against targets are approaching zero. Put bluntly, the cost of crippling your organization could soon be less than a candy bar. And that’s before we discuss the impact of automation and autonomous systems.
Furthermore, as the force multipliers increase in both ubiquity and utility, and as everything becomes increasingly connected, this situation will only get worse. So it’s no surprise that cybersecurity is top of mind and keeping everyone awake around the globe.
With this resolute focus on cyber, though, it’s easy to forget everything can be weaponized or made vulnerable. That’s why it’s important to remember that keeping your assets and your people safe requires a “defense-in-depth” approach. After all, you might have the world’s most cyber secure datacenter but in the “real world,” I have a bulldozer, a map of the local power grid, and a lit Molotov cocktail.
Dark forces gathering
Think of the world’s greatest innovation communities and I’ll wager you think of Silicon Valley or Cambridge in the U.K. It’s unlikely you’ll think about the criminal underworld, but from Napster, which inspired commercial music-sharing platforms, to the weaponization of the encryption systems designed to protect us, to Deepfakes, these and many other innovations owe their existence to criminal ingenuity.
With reportedly $6 trillion in annual revenues, or 7% of global GDP, criminal communities have grown revenues at double digits for over two decades now. They’ve been supercharged by these force multipliers and resolutely unfazed by the attempts of the world’s most powerful governments, which have spent trillions of dollars to dismantle them.
Today, some criminal enterprises, such as the mafia and Hydra, a dark web marketplace, are so successful that if they were legitimate they’d be the fifth- and 67th-largest organizations in the world with revenues of over $248 billion and $45 billion respectively. Plus, with some lines of business growing by triple digits; with revenues from ransomware operations, for example, now topping $350 billion annually; and, from cyber topping $1 trillion, if they were publicly traded they’d likely be the bulls of the market.
Around the world, these criminal communities run schools to train the next generations of hackers and scammers, sell their products, such as DDoS, malware, ransomware, and Zero Day exploits as a service [1], and if you have a problem running your attacks then their dark-web support desks are there to help – all for a cut.
How about hacking a police forensics lab by encoding malware into DNA so that when the gene sequencer analyses it, the resulting data becomes a program that takes control of the underlying computer? That one’s not science fiction. It happened [2].
Neither are adversarial attacks, where the adjustment of a single pixel on an X-Ray can cause a hospital algorithm to give terminal cancer patients the all clear, or alter the results of clinical trials for the purposes of medical fraud. Then there’s the favorite “sticker-on-a-stop-sign” attack that causes autonomous vehicles to accelerate through intersections, and of course the strap-some-explosives-to-a-suicide-drone while it’s using near infrared to exfiltrate data through the window of your company’s offices attack.
I haven’t even discussed the use of Deepfake or other forms of disinformation campaigns that can undermine democracies or tank your company’s share price so criminals can buy at the bottom and sell high.
Then, of course, there’s hacking verified Twitter accounts [3] and using them to promote crypto scams, as well as hacking your cloud instances or smart fridges to get them to mine crypto.
Notching it up, we have criminals adjusting sensor readings in industrial plants to get them to explode, reverse engineering proprietary AI systems and even cyber security software itself from the cloud, and using X-ray lithography to reverse-engineer computer chips. They’re cloning people’s biometric data, including voices [4], then using them to phish and scam companies out of huge sums of money – including over $250,000 recently from an anonymous European energy firm.
The future has even more in store: From criminals who are already building NMR (nuclear magnetic resonance) quantum computers in their garages – whose big brothers could crack 4,096 encryption and Bitcoin wallets in hours – to implanting malware on implanted medical devices and literally holding people’s lives to ransom.
We're just starting to get warmed up: From the development of ‘curious’ problem-solving open-ended AI systems and robo-hackers that can probe your company’s defenses and engineer and evolve their own exploits millions of times faster than any human hacker, to autonomous polymorphic malware and the use of synthetic biology tools to re-create viruses like the highly contagious and previously extinct Horse Pox virus (a cousin of small pox), along with its obvious implications.
"When it comes to conceiving new ways to threaten our establishments and even our own existence, nothing will be out of bounds so we have to always think the unimaginable."
Notably this latter threat became real when, ironically, legitimate Canadian researchers used $100,000 and mail order DNA to “de-extinct” said virus [5]. The World Health Organization had this to say in its public report on the matter: “[This] did not require exceptional biochemical knowledge or skills, significant funds or significant time.”
When it comes to conceiving new ways to threaten our establishments and even our own existence, we have no shortage of ideas, but when it comes to solutions, it’s often too little too late.
This was perfectly highlighted in 2017 when 40 world-renowned experts met behind closed doors at Arizona State University to play the “Doomsday Games.” When it came to brainstorming future threats they matched the world’s greatest sci-fi writers. But when asked how the teams fared when it came to designing solutions to counter these threats, their reply, as reported by Bloomberg [6], was: “Not well.”
Reasons to be positive
As a society, we benefit greatly from new technologies, but the downsides can be as powerful as the upsides, so we must remain vigilant and be prepared for what’s coming.
The advantage that humans have is our well-honed “fight-or-flight” response; it’s why we’ve flourished as a species. It began with our most distant ancestors who quickly realized the rustling in the grass may be a potential predator. Today, when it comes to cybersecurity, we hear the tiger in the grass louder than ever, and we have a call to action: Band together and fight.
Protecting data in use with Confidential Computing
By Richard Grisenthwaite, SVP, Chief Architect & Fellow, Arm
A simple truth guides Arm: Computing won’t reach its full potential unless security becomes a key design requirement in every digital device.
As Matt Griffin wrote in the previous chapter, we face serious threats, but we can manage the risks as long as we put as much effort into strengthening security as we put into areas such as performance and AI.
In the first Arm Security Manifesto four years ago, I wrote about the collective efforts of hardware and software developers to break the cycle of attack-and-repair. I described an architectural direction for improving code security that included defense-in-depth techniques and compartmentalization at the silicon level.
Concurrently, we continued our relentless push to improve secure-by-design by collaborating with the Arm ecosystem with programs such as PSA Certified and SystemReady, which collectively help the ecosystem apply industry best practices, enabling security. PSA Certified was cofounded by Arm in 2017 to provide a security framework for the IoT sector. Back then, it was a vision to change the way embedded security was being deployed, but today it’s a successful reality where the ecosystem has revolutionized the way we approach security centered around the Root of Trust (RoT). In fact, today we have over 70 products PSA Certified across the world. The effort is backed by the majority of world-leading semiconductor companies, OEMs, ODMs, and even recommended by governments, insurers, and many more industry leaders.
Over these last few years, our work on security has accelerated and intensified, inside Arm and in partnership with the ecosystem. In this manifesto, I will delve into new innovations we’re working on which will continue to enable a more secure-by-design process, including technologies announced recently during the Armv9 architecture launch that focused on Confidential Computing and memory vulnerabilities.
Confidential Computing
We think we’ll soon see 100 percent of all shared digital data securely processed on an Arm-based device at some point in its life; either on an endpoint device, in the data networks or in the cloud – or across all three. This is an important fact as it brings the opportunity to standardize an approach to security.
The collection point for data today can be almost anywhere, either through the sensing performed by ultra-low-power IoT devices based on Arm Cortex M-profile processors or from the Arm-based smartphones that almost all of us carry around with us all of the time. Perhaps the origin point sits deep within the data networks themselves, or in the cloud, or maybe even inside one of the world’s most powerful Arm-based supercomputers.
We don’t have to look too far into the future to see computing as a distributed utility where sessions can be run on the most appropriate platform at that time. In this environment, the ability to trust the computing infrastructure and the system, is a crucial element in ensuring people feel confident about the security and privacy of their information. This data infrastructure is now arguably the most important stronghold we have to defend as it’s one of the most attractive targets for cybercriminals intent on stealing our data.
Companies use various methods to secure data against cybercriminals. (Source: Pulse/Arm Survey, 2021)
Enter Confidential Computing, the end-to-end protection of data in use, at-rest and in-motion. The key is performing computation in hardware-based secure environments that shield portions of code and data from access or modification, even from privileged software.
Today, the traditional model of computing places a huge amount of trust in the operating systems and hypervisors that the applications are run on. Confidential Computing removes the assumption that the privileged software, which is responsible for running the computing system, needs to be able to see or manipulate the data of those running sessions. That removal will make it far easier to trust the computing infrastructure.
The Arm Confidential Compute Architecture (Arm CCA) introduces the concept of dynamically created Realms, useable by ordinary programs, in a separate computation world from either the non-secure or secure worlds that we have today in TrustZone. Realms use a small amount of trusted and attestable management software that is inherently separated from the operating system and hypervisor.
From the Arm-Pulse Survey on the Future of Security Technology (2021)
For example, because ordinary programs use Realms, a driver’s ride-sharing application downloaded from a standard app store and installed on a personal device could dynamically create a Realm to hold and work with our secrets in a world away from the operating system and hypervisor. This ensures the protection of an employer’s data even if the operating system of an employee device is compromised.
By preventing the theft of commercially valuable algorithms and data, and ensuring that mission-critical supervisory controls needed by the employer cannot be subverted, it’s no longer necessary for drivers (or couriers) to be provided with dedicated corporate devices.
Similarly, over the past year, the pandemic has increased the use of technology to record and manage personal health data, and it is hard to imagine information that needs to be better safeguarded. While the security of current systems is very good, Realms will make it possible for such personal health information to be safeguarded from end to end. This will give much more security to this data, even if the operating systems of the computers holding this information have been subverted.
Realms allow ordinary programs, when necessary, to function in a separate computation world from either the non-secure or secure worlds.
Memory issues
In analyzing the large number of security issues that get reported in the world’s software, a depressing reality is that many relate to the same old memory safety issues that have plagued computing for the past 50 years.
Two particularly common memory-safety problems – buffer overflow and use-after-free – have been incredibly persistent, and a huge part of the problem is they frequently sit undetected in software for years before they are discovered and exploited. For example, Heartbleed was dormant in OpenSSL for a couple of years before it was found.
Uncovering these memory-safety vulnerabilities before they can be exploited is a vital step in improving the security of the world’s software. For this reason, Arm collaborated with Google to develop a technology called Memory Tagging Extensions (MTE), which can be used to find spatial and temporal memory safety issues in software. These extensions allow software to associate a pointer to memory with a tag, and to check the tag is correct on use of the pointer. If the access is out of range, or if the use of the memory has moved on, the tag check will fail, eliminating the sort of memory-safety issue that has been the cause of so many problems.
MTEs are an integral part of the first-generation Armv9 CPUs available in the next year, and software support for MTE is being introduced as part of Android 11 and into OpenSUSE.
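A software model of the tag check described above, as an added example that is not from the manifesto or from Arm's code. It assumes a constructed toy heap with hypothetical helpers (`tag_alloc`, `tag_free`, `tagged_load`, `tagged_store`) and performs by hand the comparison that MTE performs in hardware. It also goes one step beyond the text by showing that an overflow which stays inside the allocation's last 16-byte granule is not caught.

```c
/* Software model of memory tagging (added illustration; real MTE checks in hardware). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE    16u      /* MTE tags memory in 16-byte granules */
#define ARENA_SIZE 1024u    /* constructed toy heap */
#define NGRANULES  (ARENA_SIZE / GRANULE)
#define TAG_SHIFT  56       /* MTE carries the 4-bit tag in pointer bits 59:56 */

enum { ACCESS_OK = 0, TAG_FAULT = -1 };
typedef uint64_t tagged_ptr;            /* arena offset in the low bits, tag above */

static uint8_t arena[ARENA_SIZE];
static uint8_t granule_tag[NGRANULES];  /* 0 means "never allocated" */
static size_t  next_granule;            /* bump-allocator cursor (hypothetical allocator) */
static uint8_t last_tag;

static uint8_t ptr_tag(tagged_ptr p) { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static size_t  ptr_off(tagged_ptr p) { return (size_t)(p & ((1ull << TAG_SHIFT) - 1)); }

/* Assumption: tags cycle 1..15 so runs are reproducible. Real allocators pick
 * tags at random, so a stale pointer can match by chance about 1 time in 16. */
static uint8_t next_tag(void) { return last_tag = (uint8_t)(last_tag % 15u + 1u); }

static void set_tags(size_t off, size_t len, uint8_t tag) {
    for (size_t g = off / GRANULE; g < (off + len + GRANULE - 1) / GRANULE; g++)
        granule_tag[g] = tag;
}

/* The per-access check: the pointer's tag must equal the tag of every granule touched. */
static int check(tagged_ptr p, size_t idx, size_t n) {
    if (n == 0 || n > ARENA_SIZE || idx > ARENA_SIZE) return TAG_FAULT;
    size_t off = ptr_off(p) + idx;
    if (off > ARENA_SIZE - n) return TAG_FAULT;
    for (size_t g = off / GRANULE; g <= (off + n - 1) / GRANULE; g++)
        if (granule_tag[g] != ptr_tag(p)) return TAG_FAULT;
    return ACCESS_OK;
}

void tag_reset(void) {
    memset(granule_tag, 0, sizeof granule_tag);
    next_granule = 0;
    last_tag = 0;
}

/* Allocate whole granules and give them a tag that differs from the previous allocation. */
tagged_ptr tag_alloc(size_t len) {
    if (len == 0 || len > ARENA_SIZE) return 0;
    size_t need = (len + GRANULE - 1) / GRANULE;
    if (next_granule + need > NGRANULES) return 0;
    size_t off = next_granule * GRANULE;
    uint8_t tag = next_tag();
    set_tags(off, need * GRANULE, tag);
    next_granule += need;
    return ((tagged_ptr)tag << TAG_SHIFT) | off;
}

/* Retag on free so every pointer still holding the old tag faults on use. */
int tag_free(tagged_ptr p, size_t len) {
    if (check(p, 0, len) != ACCESS_OK) return TAG_FAULT;   /* stale pointer: double free */
    uint8_t t = next_tag();
    if (t == ptr_tag(p)) t = next_tag();                    /* never reuse the old tag */
    set_tags(ptr_off(p), len, t);
    return ACCESS_OK;
}

int tagged_store(tagged_ptr p, size_t idx, uint8_t v) {
    if (check(p, idx, 1) != ACCESS_OK) return TAG_FAULT;
    arena[ptr_off(p) + idx] = v;
    return ACCESS_OK;
}

int tagged_load(tagged_ptr p, size_t idx, uint8_t *out) {
    if (check(p, idx, 1) != ACCESS_OK) return TAG_FAULT;
    *out = arena[ptr_off(p) + idx];
    return ACCESS_OK;
}

int main(void) {
    uint8_t v = 0;
    tag_reset();
    tagged_ptr a = tag_alloc(20);   /* occupies two granules: offsets 0..31 */
    tagged_ptr b = tag_alloc(16);   /* next granule: offsets 32..47 */
    printf("in-bounds store a[19]:          %d\n", tagged_store(a, 19, 'A'));
    printf("overflow inside granule a[24]:  %d\n", tagged_store(a, 24, 'A'));
    printf("overflow into neighbour a[32]:  %d\n", tagged_store(a, 32, 'A'));
    printf("free b:                         %d\n", tag_free(b, 16));
    printf("use-after-free load b[0]:       %d\n", tagged_load(b, 0, &v));
    printf("double free b:                  %d\n", tag_free(b, 16));
    return 0;
}
```

A result of 0 means the access passed the tag check and -1 means it faulted; the `a[24]` case passes because bytes 20..31 share the last granule's tag with the 20-byte object.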
Morello: Secure by design
While finding and fixing security vulnerabilities in existing code is a great step, it would be better if, at a more fundamental level, the hardware made it easier to encapsulate accessibility information with the data.
This approach, encompassed in the Morello Program, would provide a fundamentally more secure building block for software. To this end, Arm has been collaborating with Cambridge University on its CHERI architecture, a new approach to security that we are exploring within our research teams, which defines hardware capabilities that offer precisely this sort of encapsulation. The approach promises an inherently more secure computing platform, though it also involves some substantial changes in the way that some systems will have to be programmed. I’ve frequently been asked for ways to evaluate this technology for real industrial uses as it does seem to be extremely powerful.
Morello takes the concept of encapsulation further, promising inherently more secure computing platforms.
Fortunately, we’ve been given an opportunity by the UK government’s Industrial Strategy Challenge Fund to create an industrial scale prototype of this technology. This is a major UKRI program called Digital Security by Design [7], in which Arm is working with the Universities of Cambridge and Edinburgh, Linaro, Microsoft, Google, and others to explore a major architectural enhancement using capabilities as a new paradigm in computing security and robustness. The hardware demonstrator system, called Morello, is being finished at the moment within Arm, and the system should be available for all Morello partners to start working with around the end of 2021. This sort of fundamental shift in computer architecture takes a lot of time, but we have huge interest from within Arm’s partnership. If the Morello Program is successful, it will feed into the Arm architecture as a major component of Armv9-A toward the middle of this decade.
Summary
The technical foundation of the world’s most thriving technology ecosystem is the Arm architecture, which in essence defines the behavioral contract between the hardware, for which Arm is responsible, and the software that runs on it. All of the 200 billion Arm-based devices that have shipped over the past 30 years use the Arm architecture and so can run software from the Arm ecosystem. But the architecture is not a static thing: We keep on innovating and evolving it to meet the ever-changing needs of the computing world.
The powerful security enhancements we’ve introduced with Armv9 will not only ease the process of secure-by-design for our partners but they will form a new foundation for trusted end devices for users. Security is what keeps us up at night but it’s also what propels us forward to continually seek new ways to secure devices and systems for the benefit of society at large. We maintained that philosophy long before the first Arm Security Manifesto and have kept that focus and dedication ever since. We’ll continue to do so in the future. That’s our pledge to you.
Security-design best practices mean trust and certify
By Wouter Slegers, CEO, TrustCB
We’ve reached a crossroads in cybersecurity efforts in an increasingly complicated era of development.
On one side, consumers want to be able to trust the security in their devices. On the other side, among technology providers, there seems to be a reality gap: In a recent survey by PSA Certified, 87 percent of respondents said they’re satisfied with the quality of IoT security implementations within their company. However, 84 percent of the companies that have adopted an IoT strategy have reported [8] a security breach. Clearly the self-developed, self-assessed security implementations are not providing what everyone – except for cybercriminals – wants: trusted security in their digital devices. The trick is charting the right course to ensure that happens.
Governments and regulatory bodies, reacting to the headlines and a perceived lack of industry progress, are increasingly enacting standards, laws and rules outlining how security needs to improve. Companies, on the other hand, tend to want to ensure their products will be easily certified in components, enabling reuse of certification in the interests of time, efficiency, and money. This combination of forces demonstrates what should be the path forward: third-party certification and attestation to do security evaluation once and reuse it efficiently.
Certification and attestation is the two-step dance that ensures that, at the hardware level, devices are what they say they are, and going up the software stack, at the product level, validates they are still providing the expected level of security. It enables longevity in the security of connected devices, and an audit trail to ensure best practices are being followed in the supply chain and in the usage.
As the world looks to well-known laboratories and certification authorities to certify the security robustness of countless consumer devices, so too is it beginning to look to our industry for similarly making development, evaluation and certification fast, easy, and predictable in a modular fashion. The good news is the solution development has been underway for a long time; the challenge is building on the momentum to ensure that industry properly self-regulates and avoids overly heavy governmental intervention.
"Device attestation is the device making some claims about a device’s status that can be useful to OEMs and cloud service providers who want assurance that they can trust the devices."
PSA Certified
One-two punch
The two-step approach to enabling more trusted devices is split between hardware and software platforms (the chips and the OS), and making these into end products (the doorbells, voice assistants, and such).
The first step, certification of the platforms, is a validation against well-defined requirements that the platform provides the secure functionality as advertised. Developing such secure functionality and evaluating its robustness against serious attackers is an important, niche skill. But once that functionality is known to be secure, it is easy to use that functionality and make a secure product out of it.
This makes the second step easy: The product developer will rely on the secure platform, and focus on the distinctive functionality to make the product. Thus, certification makes it easy to ensure that your digital doorbell or voice assistant is secure and attestation shows your supply chain security credentials are in order.
Police thy self?
Many companies (62 percent in that PSA Certified report cited earlier) have relied on self-certification to ensure for their customers that their products are trustworthy.
This has the benefit of being controllable by the company and is usually expedient. But this approach is not robust enough (especially if the threat model isn’t well-rounded, or in many cases is non-existent) and has a number of challenges.
First, pity the internal compliance administrator urged on by a boss to certify the product so it can get to market quickly. Certify now and risk some vague, potential issues years in the future to be handled by the people over at the security response team then? Or refuse to “be flexible with the rules,” delaying certification and risk getting fired? Are most companies even staffed properly to handle what could be scores of required certifications depending on their product portfolio? Are they positioned to consider every potential breach, especially as the threat landscape evolves? Or will they introduce a serious technical debt of potential security issues in the future, especially in the IoT domain with long operational deployment?
Second, self-certification failures have been prompting severely stricter regulatory requirements, especially where critical infrastructure and societal damage is at stake. And, while there are some logical reasons for a company to self-certify, it also means the company takes on liability for those claims. Lastly, self-certification isolates the interpretations of the requirements – highly relevant in the security domain – which can lead to a market of siloed developments, disparate, proprietary solutions, and an uneven playing field.
Enter third-party certification, which has historically had a strong basis in the governmental eID and payment industry. Device makers can ensure a consistent standard of security is designed-in to the hardware and firmware of all devices, and the ecosystem has a vital role to play in this.
We all need to work together to identify and share industry best practice, so we can overcome current and future security threats and make sure everything is built on a common foundation of security and trust. This works so well that vulnerabilities in the eID and payment card domains are rare nowadays. Surely this is desirable for our consumer IoT, critical infrastructure and personal privacy? And, it suggests that additional security goals can be achieved.
The second prong, attestation, comes as the products are delivered and function in the field. Attestation is a technical means to make sure a product is genuinely what it claims to be, and still operates in a secure manner. Attestation can be used to translate the human-readable certificate of trust into something that’s machine-readable. Previously, to attest to the trustworthiness of a device, you had to take the package off a silicon device and examine its markings to ensure it was what it said it was. This isn’t very practical even for the professional evaluation labs, let alone end-consumers, and also is vulnerable to forgers.
Today, to manage this better and ensure scalability, devices have a Root of Trust that can provide the attestation chain from chip to full system. A product with this functionality can prove to its owner and the other devices and services it’s talking to that it is genuine and trusted, and those other devices in turn can trust it. It’s a key element of securing a device throughout the lifecycle, and showing the value of secured devices to the network it is in.
PSA Certified, founded by Arm in 2017 to provide a security framework for the IoT sector, has developed so that today it has more than 70 products PSA Certified across the world,
Ecosystem of trust
Technology alone isn’t enough to make an ecosystem. We at TrustCB [9] are just one aspect of a rapidly expanding certification and attestation ecosystem that aims to ensure trusted, validated security from IP to system.
These include partnerships such as PSA Certified (founded by Arm, Brightsight, CAICT, Prove & Run, Riscure and UL) which is an open, industry-standard threat-modeling framework to ensure secure-by-design up through and including security consultation, evaluation and finally certification. PSA Certified is also concentrating on aligning with other schemes (such as GlobalPlatform SESIP, UL IoT Security Rating and ioXt Alliance) to further reduce fragmentation and improve the reuse of composite certifications in other schemes.
In the end, third-party certification sets a common bar for everyone to protect the connected world. This enables companies to use certification to build or expand a trusted brand and position against competitors that have avoided certification or employed self-certification. And because it’s an ecosystem of companies dedicated to making the digital world more secure, it’s trusted: These companies put their reputations and business models on the line in the name of security certification.
The business value to the certification ecosystem is shorter time-to-market. Developers need to make a secure end product fast. One can risk time to market using a component of unknown security: Finding out that a core mechanism that’s depended on for the security is in fact insecure causes a very expensive rush to fix late in the development cycle (even more so if that core mechanism is provided by another party).
Thus the evaluation and certification process needs to be predictably short. The time the product is in limbo for its security certification is very costly to developers and reduces security for all. After all, the attackers do not wait.
Some smaller companies worry that certification schemes could add costs to their product development that, because of their size, they can’t afford. It is quite the opposite: Certification and attestation help the ecosystem spread the cost with the reusable certifications of the platforms.
For example, a company taking a small control and communications module and layering software on top to make it a solution for farm irrigation now only has to worry about certification of its software running on the module. The security of the underlying hardware and OS has been validated and certified, and those costs are spread over the many users of that hardware and OS.
In short, through certification and attestation, companies now see a pathway to trust, just as much as they realize that the cost of inaction can be incalculable.
Insuring against cyber risk in an increasingly complex world
Nils Diekmann, Underwriting Manager Cyber, Munich Re
The numbers are frightening. Cybersecurity Ventures estimates costs arising from global economic cybercrime will grow by 15% per annum over the next five years, rising to $10.5 trillion annually by 2025, versus $6 trillion this year.
This is no surprise [10] as the cybercriminal world is advancing at a fast pace, for example by collaborating or leveraging automation and artificial intelligence to create synergies for greater exploitation of weaknesses, as rapidly and profitably as possible. At the same time, while companies across the board are embracing and scaling digitalization of their businesses, 81% of CEOs in the digital economy believe their companies aren’t adequately protected from cyber threats [11].
These are just some of the forces driving growth in cyber insurance, which we expect will become a $20 billion industry by 2025. We also face challenges, however, and overcoming them necessitates a coordinated, multi-industry effort to improve security and mitigate risk.
Assessing and managing risk
Cyber insurers have already proven that they can be part of the solution when it comes to building up resilience and readiness across all industries, but we’re “running into headwinds.”
For digital services to be deployed at scale, insurers must be able to deliver business assurance, and that in turn requires that insurers have an even deeper understanding of the risk they are underwriting. But given the rapidly changing digital landscape, it can be increasingly difficult to identify and quantify risk.
Why is quantifying risk in this incredibly complex world important? For primary insurers and reinsurers, the ability to understand and quantify risk is vital for offering sustainable insurance and keeping capacity and premiums manageable. It’s also very important for building confidence in order to provide the capacity the insured need for their businesses.
The insurance industry doesn’t insure what it doesn’t understand, and cyber risk is hard to understand because of the almost infinite complexity of devices, software, and systems, as well as the possibilities for foul play.
We need to consider questions such as:
- How significant are the risks for a particular insured company?
- What does the threat environment look like?
- Who is a target and who could be “collateral damage”?
- How seriously do they take security?
- How vulnerable is revenue generation?
- Could these issues aggregate and multiply?
In addition, perhaps the most important question of all is: Who is responsible/liable if something goes wrong? The sophisticated value chains in the internet of things (IoT) area make the transfer of liabilities between suppliers so complex that they often don’t know how responsibility is shared through the chain. To improve our visibility of potential risk, we need to collectively step up and solidify our cross-industry collaboration, which to date has demonstrated some successes but can always be improved.
With different regulatory approaches and jurisdictions around the world, it can be difficult to obtain a coherent view of liability and risk. In Europe, for example, GDPR is established for privacy protection, while California has implemented the California Consumer Protection Act (CCPA). To protect IoT, the United States has NIST 8259 and Europe has ETSI EN 303 645.
Silicon providers are working diligently to create devices with a Root of Trust (RoT), and their customers build additional security using best practices on top of that.
However, given the widely varied regulatory landscape, it can be difficult for providers to ship at scale and conform locally at the same time.
To overcome these challenges and achieve stronger security together, we need stronger collaboration, clearer communication, and better understanding among key stakeholders.
Redefining terms
For many years, we have been talking about shared responsibility when it comes to security, but it’s actually shared fate that we need to focus on. For example, companies must assume greater responsibility for securing their systems and not consider insurance to be a substitute for security implementations.
This important and necessary shift in thinking emerged from our groundbreaking collaboration [12] with Google Cloud and Allianz Global Corporate & Specialty (AGCS), focusing on providing cloud-specific coverage for organizations. The starting point for the cooperation was the continuing trend towards cloud usage: for the majority of larger organizations, the cloud has already been embraced as a way of doing business. Furthermore, elements of corporate IT – including core applications – are moving to the cloud as a result of the growing trend toward digitalization. Organizations are therefore striving to create a technically robust security environment for themselves in the cloud. They also seek to mitigate and insure against any remaining risks with the best possible options. The goal of this new partnership is to address the specific needs of Google Cloud customers and focus on leveraging data insights from Google Cloud for creating innovative and sustainable cyber solutions.
This is just one step in a longer journey, but it’s a vital one.
Closer collaboration
Meanwhile, ransomware attacks are increasingly common and losses are growing. Insurance companies are becoming much more careful about what they insure and what their customers are doing.
I believe the existing market situation could last for at least another year, and companies might scale back or withdraw coverage for a period of time or increase premiums for riskier aspects of IoT network coverage. Better understanding of the exposure, threats and countermeasures is important to keep the confidence to provide the cover.
We are making progress. Not all that long ago, there was a technology community, a risk community and a regulatory community, and there wasn't really much crossover. Now, there is a lot more exchange. Groups such as the Confidential Computing Consortium, PSA Certified and many others are casting wide nets in the spirit of collaboration. And our industry, which in the past looked more to follow regulatory guidelines, now, in addition, has a role to play in helping everyone understand and more clearly define cyber risk and cyber risk management. As part of that, we need confidence in a certified secure chain of components, built on RoTs to ensure there are no weak links in the chain. And at the same time, the regulatory community needs to provide a framework to apply that black-and-white view of responsibility and shared fate.
Technology is key
As companies scale their digital ambitions in virtually every area, they’re reaching out to the risk industry to understand their potential vulnerability and liability.
For example, to what extent should an automotive manufacturer extend its coverage to take into consideration potential digital hacking of its vehicles once they are on the road? What aspects should they consider regarding the variability of products (hardware and software), field updates and upgrades, and so on? And how long should they support field upgrades to maintain security? In this context, the certification of electronic components can push the boundaries of insurability. This gives us a more solid vantage point from which to view an unbroken chain of components in a system-dependent car that ensures there are no security flaws.
Peter Armstrong, subject matter expert, cyber, Munich Re Group, discusses the challenges insurers have in quantifying cybersecurity risk.
As for technology providers, one of the strengths of the IoT is that the information gathered by such connected devices can be used for more informed decision-making and is often a catalyst for change. Therefore, we must have confidence in the technologies and in the data they generate. Technology is one way to improve security. Here, if we can establish a chain of trust from the device to the data, that will also offer us some assurance with regard to the business-critical services that our products now enable.
A future of trusted data and devices doesn’t rest on the shoulders of any one industry or government. Instead, it is a collective goal, necessitating redoubled efforts to communicate, collaborate, and innovate in technology, insurance, and regulatory environments.
That means putting frameworks in place to give product developers access to world-leading security expertise and helping them meet international legal, regulatory, and baseline requirements. It also involves working together to establish a common security standard that is based on a Root of Trust.
So we have made progress in recent years, but we have seen our adversaries do so as well. Let’s pledge to never let our guard down in this battle.
The future of cybersecurity lies in silicon
By Andreas Kuehn, Senior Fellow, Cyberspace Cooperation Initiative at Observer Research Foundation America
Cybersecurity is at a crossroads.
Since the inaugural Arm Security Manifesto in 2017, technology companies have joined hands in a concerted, silicon-to-systems effort to strengthen security. But the tech sector is just one aspect of the response. Governments, legislators, policy makers, and regulators play a role, but the cross-discipline efforts and collaboration need to be redoubled.
Fortunately, the time is right. Recent geopolitical trade disputes, concerns over regional supply-chain concentration, and the global semiconductor shortage have illuminated for the broader public a technology that most of the world isn’t familiar with, even though it powers our daily lives. Not being able to buy a car, a refrigerator, or a microwave was a wake-up call for consumers. Lawmakers, seeing workers furloughed at the plants that make these items, stepped up their efforts to act expeditiously.
Global complexity, major challenges
This came on top of simmering trade disputes and a growing realization among countries around the world that home-grown expertise in electronics is increasingly key to economic success and national security.
In the U.S., for example, the U.S. Cyber Solarium Commission and the U.S. National Security Commission on Artificial Intelligence have both pointed out the national security threats if the U.S. cannot secure its semiconductor supply chains. And the White House supply chain review outlined a way forward to strengthen U.S. chip manufacturers and international collaboration to ensure manufacturing capacity and supply chain resilience.
Governments across the globe – including the U.S., China, India, South Korea, Japan, and many others – are embarking on multibillion-dollar investments in infrastructure improvements, with semiconductors a leading beneficiary. In a meeting with industry leaders, President Biden referred to silicon as infrastructure and acknowledged the chip industry’s critical role in infrastructure buildout. Modern, sustainable infrastructure is about semiconductors and specialized chips for all types of sectors and functions, including AI and self-driving cars.
Unfortunately, as countries realize the power and potential of vibrant technology ecosystems, bad actors also see opportunities, and this should come as no surprise: At the dawn of the internet of things (IoT), security experts warned against a tsunami of vulnerabilities caused by millions and billions of insecure devices that would be connected to the global Internet in the coming years. The past few months reminded us especially about the vulnerability of physical and digital infrastructure to cyber-attacks as we experienced several systemic, large-scale incidents, including the recent SolarWinds, Hafnium and Colonial Pipeline hacks.
The situation seems untenable. The trajectory of cyber-attacks looks grim, as the attack surface of IoT grows rapidly. The cat-and-mouse game between the white hats and the black hats seems to intensify each week.
But obviously the technology industry has no interest in throwing in the towel, as you can see from other perspectives contained in this Security Manifesto. Silicon-based security functions, including cryptography, secure storage, attestation, update, and authentication will enable software developers, service providers, critical infrastructure operators, and others to leverage hardware-based functions to secure their products and services.
Lighting the path ahead
So, how do we proceed? With a bright spotlight on it at this critical time, the semiconductor industry must seize the moment to not only build and expand on its recent security accomplishments, but to drive the global conversation around holistic approaches to security and trust.
Security capabilities designed into silicon – by providing a Root of Trust for functions and services – and certification and attestation efforts – by groups such as PSA Certified, Common Criteria and others – are strong, confident steps forward. They provide a new vision and measures to improve cybersecurity throughout the digital environment in an effective, scalable, and sustainable way. Millions of IoT devices can be equipped with state-of-the-art security capabilities. Designed once by chip engineers, these tested and trusted security functions are easily available to millions of software and system developers, avoiding the pitfall of faulty implementation in software.
The industry also would do well to leverage the attention on broader semiconductor issues to strengthen the security and resilience of digital infrastructure. Traditionally, the semiconductor industry has had a lobbying policy of speaking softly in government capitals while continuing to change the world back at home. But the world’s more complex today, and digital security is a major priority for most governments.
Digital security and trusted environments aren’t something that can be delivered by any one entity. As policy makers embrace semiconductors as the foundation to build the infrastructure of the future and power the digital transformation, industry and government must redouble their efforts at collaboration and communication.
Officials have been grappling with digital security for years. The European Union’s baseline security recommendations for IoT, the UK government’s legislative proposal for mandatory product assurance based on the European Telecommunications and Standards Institute’s (ETSI) IoT cybersecurity standard, and California’s requirement to equip IoT devices with reasonable security features illustrate some of the significant progress made in recent years.
Trade associations and industry consortia – PSA Certified, IoT Security Foundation and ioXt, for instance – have individually and collaboratively leveraged these efforts through sector-specific IoT security assessments and certifications. Reciprocity of credentials fosters adoption and helps achieve compliance in the technology industry. Consumers on the other hand benefit from independent IoT security ratings that increase cybersecurity transparency.
Another excellent example of cross-boundary collaboration in hardware-level protection is the set of initiatives led by the U.S. National Institute of Standards and Technology (NIST) and ETSI around post-quantum cryptography standards. Here, industry experts, working within NIST and ETSI frameworks, are suggesting methods to replace the vulnerable algorithms with new quantum-resistant forms able to run on classical digital computers.
One last example of governments investing in hardware-based security is the U.K.’s Digital Security by Design Initiative, which has invested significant sums into more secure chip architectures. As governments make new investments in advanced semiconductor R&D, they should prioritize security in the same way they prioritize performance, efficiency, and other capabilities.
Better together: Partnering to enhance resilience
The technology industry must continue to drive innovation around security and trust into the supply chain but also exploit this critical moment to drive security thought leadership deeper into conversations with policy makers as major investments in the infrastructure of the future are at the top of their agenda.
Governments must further leverage the technology industry as a trusted partner to jointly tackle the rapid technological advances of our times. Working together can lead to the outcome everyone wants: A future that makes the scary headlines of today a distant memory.
The future of digital security requires a quantum leap
By Simon Segars, CEO, Arm
It’s a given that the industry’s security work must always continue. Cybercriminals are constantly inventive, looking for new ways to exploit human and technological vulnerabilities, and it’s hard to anticipate their next move.
It’s not unlike pitchers and bowlers in baseball and cricket: They constantly switch up their attack and use distraction techniques so the batter never knows exactly how the next ball will come at them.
I’ve talked in the past about artificial intelligence and how AI can be a force for mischief but also how it can be a potent security ally. In our inaugural Security Manifesto in 2017, Arm’s Rob Elliott described how machine learning (ML) was being leveraged for device-based pattern recognition to spot anomalies that might suggest a live cyberattack. As ML has been deployed increasingly at the edge and in endpoint devices, this capability has ramped up.
In our second Arm Security Manifesto, Yossi Naar, co-founder of Cybereason, offered insight into how AI was powering his company’s threat-hunting engine.
And in the intervening years, the capabilities of AI and ML have blossomed to the point where security is being enhanced in devices and systems by leveraging behavioral traits. For example, a smartphone might detect that the user’s gait is unusual or that the keystrokes are being made in different ways than normal, suggesting someone other than the owner is using the device.
Ideas about how we thwart cybercrime continue apace everywhere. And as we look toward the middle horizon for cybersecurity, a new approach is emerging: quantum computing. Until recently, the conventional wisdom was that quantum computers, now in their infancy, weren't mature enough to crack conventional cryptography schemes such as RSA, AES, and elliptic curve cryptography (ECC). But as quantum computing improves over the next decade, the time to cracking these cryptography schemes with quantum computers will shrink dramatically.
But on the positive side, the same quantum concepts can also become a tipping point in the battle against crime, allowing us to turn the tables on cyberattackers.
Quantum resistance
Arm's most promising work in this area is in post-quantum cryptography (PQC). PQC is about running algorithms on a classical computer that cannot be broken, even with a quantum computer. This is different from quantum cryptography, in which cryptographic algorithms use quantum phenomena.
PQC standardization efforts are underway to replace the vulnerable algorithms with new quantum-resistant forms able to run on classical digital computers. These initiatives are led by the U.S. National Institute of Standards and Technology (NIST) and the European Telecommunications and Standards Institute (ETSI). Their purpose is to evaluate the proposals not just for security, but to also coordinate and smooth their deployment.
Why is this happening now? Cybersecurity researcher Michele Mosca has argued [13] (and NIST agrees) that a quantum computer powerful enough to break current cryptographic procedures could arrive in as soon as 15 years.
Fifteen years may seem like a long time, but the number of computers and devices connected to the internet is expanding rapidly. Juniper Research predicts there will be 50 billion devices connected to the internet by 2022 [14], while Martech Advisor sees this jumping to 125 billion by decade’s end [15]. Every single one of these devices is potentially susceptible to quantum hacking.
The NIST and ETSI standards work on security algorithms is therefore crucial and timely. The algorithms will very likely be adopted by other countries, in some cases with customizations for their home markets. The third round of public key encryption (seven finalists and five alternates) plus three digital signature finalists and three alternates were announced in 2020 based on careful analysis by academic, government, and corporate cryptographers.
Recommended algorithms could move into a published draft standard as early as 2022, and additional options drawn from the alternates may follow sometime later pending completion of further security analyses.
There is a hidden challenge with all of the solutions as these new variants will likely introduce new tradeoffs compared to the current ECC- and RSA-based algorithms. Some may require more computation, others will need more memory or longer keys. These tradeoffs can impact network protocol performance. Arm is actively engaged in the creation of the new standards with a view to creating implementations that strike the best balance. It’s worth noting that all of the candidates will be able to run on current Arm CPUs.
Arm is developing acceleration designs and optimizations in anticipation of the announcement of the finalists. Our ecosystem partners can plan on being provided efficient deployable implementations and protocol support, including a TLS implementation, to enable their customers to transition to these new methods.
Arm’s Hanno Becker, Staff Cryptography Research Engineer, has written a detailed whitepaper on PQC.
Constant vigilance, relentless innovation
In conjunction with Arm’s research into and work around future security requirements, we continue to evolve and innovate our technology to stay one step ahead of cybercriminals targeting contemporary systems.
In the second Arm Security Manifesto, Arm Chief Architect Richard Grisenthwaite described how Arm responded to the Spectre and Meltdown attacks, a new class of attack using timing side channels to reveal privileged data through the exploitation of processor speculation. He described work Arm is doing around memory-access vulnerability.
In 2019, Arm introduced Memory Tagging Extension (MTE) in the Armv8.5-A release. MTE brings a scalable hardware solution that reduces the exploitability of memory-safety violations that might be present in code written in unsafe languages. Now, with the introduction of the Armv9 architecture roadmap with the Arm Confidential Compute Architecture, this holistic approach to security expands as these technologies arrive on the market in the coming years.
It goes without saying that security is ever more crucial as the world becomes fully digitized and as electronic systems and devices increasingly become magnets for cybercriminals. The list already seems endless: Oil pipelines, beef processors, healthcare systems, governmental organizations, baby monitors, fish tanks; and yet the number of attacks that become public knowledge is tiny.
Do not despair, though, as the Arm ecosystem’s dedication to improving security is long-standing, and we cast a wide net globally. We shared with you security innovations in each of the last two Arm Security Manifestos, and, earlier in this edition, Richard outlined our work in Confidential Computing, which will help to protect data in motion. And we continue to invest in mitigating side channel attacks and memory vulnerabilities because it's not just important to the computers we have been building for a long time, but it's important to the computers we want to build in the future. Further, the Arm ecosystem works tirelessly to deploy other security features, such as attestation and certification, and identify and mitigate risk, as we’ve shown earlier in this publication.
I hope the information and perspectives we’ve provided in this manifesto give you confidence in the industry’s security efforts and inspire you to continue innovating in security within your own organizations and with partners. Together, we can work to harden security from IP to silicon to systems and enhance the trust in solutions we create to enable a more secure world.
Security Manifesto references & citations
[1] “Cybercrime-as-a-Service Economy: Stronger Than Ever,” Bank Info Security, September 14, 2016
[2] “Scientists Hack a Computer Using DNA,” MIT Technology Review, August 10, 2017
[3] “Verified Twitter accounts have been hacked by crypto scammers, again,” Techradar Pro, January 15, 2021
[4] “A Voice Deepfake Was Used To Scam A CEO Out Of $243,000,” Forbes, September 3, 2019
[5] “How Canadian researchers reconstituted an extinct poxvirus for $100,000 using mail-order DNA,” Science, July 6, 2017
[6] “AI Scientists Gather to Plot Doomsday Scenarios (and Solutions),” Bloomberg (subscription), March 2, 2017
[7] “Digital security by design challenge,” U.K. Research and Innovation, May 24, 2021
[8] “IoT Heading for Mass Adoption by 2019 Driven by Better-Than-Expected Business Results,” Aruba/HPE, February 28, 2017
[9] TrustCB
[10] “Cybercrime To Cost The World $10.5 Trillion Annually By 2025,” Cybercrime Magazine, November 13, 2020
[11] “Munich Re Global Cyber Risk and Insurance Survey,” Munich Re, March 11, 2021
[12] “Pioneering cyber insurance: Munich Re partners with Google Cloud and Allianz,” Munich Re, March 3, 2021
[13] “Cybersecurity in a Quantum World: will we be ready?” Michele Mosca, April 2, 2015
[14] “IoT Connections to grow 140% to hit 50 billion by 2022, as edge computing accelerates ROI,” Juniper Research, June 12, 2018
[15] “By 2030, Each Person Will Own 15 Connected Devices,” Martech Research, March 4, 2019
Nils Diekmann
Underwriting Manager Cyber, Munich Re Facultative & Corporate London
Early in his career, Nils was responsible for developing and implementing Munich Re’s worldwide security architecture. He later joined the underwriting side of Munich Re, where he developed the company’s large corporate cyber insurance offering.
In 2016, he became the Underwriting Manager for Cyber at Munich Re’s Great Lakes Insurance, where he's responsible for the cyber business for large corporate clients written out of London.
Matt Griffin
Futurist & Founder, 311 Institute
Matt is a futurist and strategic advisor helping build centennial companies. He founded the 311 Institute, a global Futures and Deep Futures consultancy working across the next 50 years. He also founded the World Futures Forum and XPotential University, two philanthropic organizations with the mission to reduce global inequality and ensure the benefits of the future are accessible to everyone, irrespective of their abilities or background. He wrote the Codex of the Future series and "How to Build Exponential Enterprises."
Richard Grisenthwaite
SVP, Chief Architect & Fellow, Arm
Richard has worked for Arm for the past 21 years. He is responsible for the long-term evolution of the Arm architecture and has led the architecture since heading up the introduction of Armv6 in 2001. In his early days at Arm, Richard worked on Arm720T, Arm940T, and Arm1136EJF-S. Prior to Arm, Richard worked for Analog Devices on fixed-function DSP, and at Inmos/ST on the Transputer. Richard has a BA from the University of Cambridge and holds 85 patents in the field of microprocessors.
Andreas Kuehn
Senior Fellow, Observer Research Foundation America
Andreas leads the Cyberspace Cooperation Initiative’s research and policy workstreams at the Washington DC-based public policy institute. He looks at new risks and challenges to international security at the intersection of emerging technology, cybersecurity, and geopolitics. Andreas works with international organizations, governments, and corporations to strengthen security and stability in cyberspace.
Simon Segars
CEO, Arm
Joining Arm as employee #16, Simon led the development of early ground-breaking Arm processors – the Arm7 and Arm9 – powering the world’s first digital mobile phones. He played a key role in developing industry standards and his engineering work led to him being granted several embedded-systems patents. He held several strategy positions, including global head of sales and vice president of engineering, before he was named Arm CEO in 2013.
Wouter Slegers
CEO, TrustCB
Wouter is a prolific creator of security certification schemes, including evaluation methodologies and Certification Bodies (CBs). His work includes standards like SESIP (complementing PSA Certified), MIFARE security, and the GSMA eSA certification program. Wouter is the CEO of TrustCB, a commercial CB known for its predictably short time to certification.