By Simon Segars, CEO, Arm
It’s not unlike pitchers and bowlers in baseball and cricket: They constantly switch up their attack and use distraction techniques so the batter never knows exactly how the next ball will come at them.
I’ve talked in the past about artificial intelligence and how AI can be a force for mischief but also how it can be a potent security ally. In our inaugural Security Manifesto in 2017, Arm’s Rob Elliott described how machine learning (ML) was being leveraged for device-based pattern recognition to spot anomalies that might suggest a live cyberattack. As ML has been deployed increasingly at the edge and in endpoint devices, this capability has ramped up.
In our second Arm Security Manifesto, Yossi Naar, co-founder of Cybereason, offered insight into how AI was powering his company’s threat hunting-engine.
And in the intervening years, the capabilities of AI and ML have blossomed to the point where security is being enhanced in devices and systems by leveraging behavioral traits. For example, a smartphone might detect that the user’s gait is unusual or that the keystrokes are being made in different ways than normal, suggesting someone other than the owner is using the device.
Ideas about how we thwart cybercrime continue apace everywhere. And as we look toward the middle horizon for cybersecurity, a new factor is emerging: quantum computing. Until recently, the conventional wisdom was that quantum computers, still in their infancy, were nowhere near mature enough to break the public-key schemes in use today, such as RSA and elliptic-curve cryptography (ECC). Symmetric ciphers such as AES are far less exposed, since Grover's algorithm offers only a quadratic speed-up that larger keys absorb; it is the public-key algorithms, which Shor's algorithm breaks outright, that are at stake. As quantum computing improves over the next decade, the time to breaking those schemes is expected to shrink dramatically.
But on the positive side, the same quantum concepts can also become a tipping point in the battle against crime, allowing us to turn the tables on cyberattackers.
Quantum resistance
Arm's most promising work in this area is in post-quantum cryptography (PQC). PQC is about running algorithms on a classical computer that cannot be broken, even with a quantum computer. This is different from quantum cryptography, in which cryptographic algorithms use quantum phenomena.
PQC standardization efforts are underway to replace the vulnerable public-key algorithms with new quantum-resistant ones that run on classical digital computers. These initiatives are led by the U.S. National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI). Their purpose is not just to evaluate the proposals for security, but also to coordinate and smooth their deployment.
Why is this happening now? Cybersecurity researcher Michele Mosca has argued [13] (and NIST agrees) that the time until a quantum computer is powerful enough to break current cryptographic procedures could be as short as 15 years.
Fifteen years may seem like a long time, but the number of computers and devices connected to the internet is expanding rapidly. Juniper Research predicts there will be 50 billion devices connected to the internet by 2022 [14], while Martech Advisor sees this jumping to 125 billion by decade's end [15]. Every one of these devices that relies on RSA or ECC, whether for device identity, software-update signing or TLS, is potentially exposed, and many will still be in service when a capable quantum computer arrives. Nor is the risk only in the future: traffic encrypted today can be recorded now and decrypted later, which is why migration has to start well before the threat is practical.
The NIST and ETSI standards work on security algorithms is therefore crucial and timely. The algorithms will very likely be adopted by other countries, in some cases with customizations for their home markets. In 2020 NIST announced the third round of its selection process: seven finalists (four public-key encryption/key-establishment schemes and three digital-signature schemes) plus eight alternates (five and three respectively), chosen on the basis of careful analysis by academic, government, and corporate cryptographers.
Recommended algorithms could move into a published draft standard as early as 2022, and additional options drawn from the alternates may follow sometime later pending completion of further security analyses.
There is a hidden challenge with all of the solutions: the new algorithms introduce new tradeoffs compared to today's ECC- and RSA-based ones. Some require more computation; others need more memory, or have much larger keys, signatures and ciphertexts, which in turn inflate handshake messages and can affect network protocol performance. Arm is actively engaged in the creation of the new standards with a view to creating implementations that strike the best balance. It is worth noting that all of the candidates will be able to run on current Arm CPUs.
Arm is developing acceleration designs and optimizations in anticipation of NIST's final selections. Our ecosystem partners can plan on being provided efficient, deployable implementations and protocol support, including a TLS implementation, so that their customers are able to transition to these new methods.
Arm's Hanno Becker, Staff Cryptography Research Engineer, has written a detailed whitepaper on PQC.
Constant vigilance, relentless innovation
In conjunction with Arm's research into and work around future security requirements, we continue to evolve and innovate our technology to stay one step ahead of cybercriminals targeting contemporary systems.
In the second Arm Security Manifesto, Arm Chief Architect Richard Grisenthwaite described how Arm responded to the Spectre and Meltdown attacks, a new class of attack that exploits processor speculation and uses timing side channels to reveal privileged data. He also described the work Arm is doing on memory-safety vulnerabilities.
In 2019, Arm introduced the Memory Tagging Extension (MTE) in the Armv8.5-A release. MTE is a scalable hardware solution that reduces the exploitability of memory-safety violations in code written in unsafe languages: every 16-byte granule of memory carries a 4-bit tag, every pointer carries a matching tag in its top byte, and the hardware checks the two on each load and store, so buffer overflows and use-after-free bugs are caught rather than silently corrupting memory. Now, with the introduction of the Armv9 architecture roadmap and the Arm Confidential Compute Architecture, this holistic approach to security expands as these technologies arrive on the market in the coming years.
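To make the lock-and-key idea concrete, here is a software model of the check MTE performs, added to this edition as an illustrative example; it is not Arm's hardware, nor any Arm library code. It assumes a tiny bump allocator over a model heap addressed by offsets, a deterministic tag sequence standing in for the hardware's random tag generation, and the real architecture's 16-byte granule with a 4-bit tag held in address bits 59:56.

```c
/* Software model of the lock-and-key check behind Arm MTE (added example, not
 * Arm's implementation). Real MTE: every 16-byte granule carries a 4-bit
 * allocation tag, pointers carry a 4-bit logical tag in address bits 59:56,
 * and the CPU faults a load/store whose two tags differ. Addresses here are
 * offsets into a small model heap so the code runs on any host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE       16
#define HEAP_GRANULES 64
#define TAG_SHIFT     56
#define TAG_MASK      ((uintptr_t)0xF)

static uint8_t heap[HEAP_GRANULES * GRANULE];  /* model memory */
static uint8_t granule_tag[HEAP_GRANULES];     /* allocation tag per granule (0 = unallocated) */
static size_t  bump;                           /* next free granule */
static uint8_t next_tag;                       /* deterministic stand-in for the hardware's random tag */
static int     faults;                         /* tag-check failures observed */

void mte_reset(void) {
    memset(heap, 0, sizeof heap);
    memset(granule_tag, 0, sizeof granule_tag);
    bump = 0; next_tag = 1; faults = 0;
}
int tag_check_faults(void) { return faults; }

static uintptr_t tag_ptr(uintptr_t off, uint8_t tag) { return off | ((uintptr_t)tag << TAG_SHIFT); }
uint8_t   ptr_tag(uintptr_t p)   { return (uint8_t)((p >> TAG_SHIFT) & TAG_MASK); }
uintptr_t strip_tag(uintptr_t p) { return p & ~(TAG_MASK << TAG_SHIFT); }

/* Cycle through tags 1..15, skipping 'avoid'; tag 0 is kept for unallocated memory. */
static uint8_t fresh_tag(uint8_t avoid) {
    uint8_t t;
    do { t = next_tag; next_tag = (uint8_t)(next_tag % 15 + 1); } while (t == avoid);
    return t;
}

/* Allocate: round up to whole granules, colour them with a fresh tag,
 * and hand back a pointer carrying that same tag. */
uintptr_t mte_alloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (n == 0 || bump + n > HEAP_GRANULES) return 0;
    uint8_t tag = fresh_tag(0);
    for (size_t i = 0; i < n; i++) granule_tag[bump + i] = tag;
    uintptr_t p = tag_ptr(bump * GRANULE, tag);
    bump += n;
    return p;
}

/* Free: re-colour the granules so any stale copy of the old pointer mismatches. */
void mte_free(uintptr_t p, size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE, g = strip_tag(p) / GRANULE;
    uint8_t tag = fresh_tag(ptr_tag(p));
    for (size_t i = 0; i < n && g + i < HEAP_GRANULES; i++) granule_tag[g + i] = tag;
}

/* The check hardware performs on every tagged access: 0 = allowed, -1 = fault. */
int mte_check(uintptr_t p) {
    uintptr_t off = strip_tag(p);
    if (off >= sizeof heap || granule_tag[off / GRANULE] != ptr_tag(p)) { faults++; return -1; }
    return 0;
}
int mte_store8(uintptr_t p, uint8_t v)  { if (mte_check(p)) return -1; heap[strip_tag(p)] = v; return 0; }
int mte_load8(uintptr_t p, uint8_t *v)  { if (mte_check(p)) return -1; *v = heap[strip_tag(p)]; return 0; }

/* Worked scenarios on constructed allocations. Returns a bitmask of which accesses faulted. */
enum { F_INBOUNDS = 1, F_PADDING = 2, F_CROSS = 4, F_UAF = 8 };
unsigned run_scenarios(void) {
    mte_reset();
    uintptr_t a = mte_alloc(20);   /* occupies 2 granules: 32 bytes for a 20-byte request */
    uintptr_t b = mte_alloc(16);   /* the neighbour, coloured with a different tag */
    unsigned f = 0;
    if (mte_store8(a + 19, 'A')) f |= F_INBOUNDS;  /* last real byte: passes */
    if (mte_store8(a + 25, 'A')) f |= F_PADDING;   /* inside a's padding granule: NOT caught */
    if (mte_store8(a + 32, 'A')) f |= F_CROSS;     /* first byte of b through a's pointer: caught */
    mte_free(a, 20);
    if (mte_store8(a, 'X')) f |= F_UAF;            /* stale pointer after free: caught */
    (void)b;
    return f;
}

int main(void) {
    unsigned f = run_scenarios();
    printf("in-bounds store:            %s\n", (f & F_INBOUNDS) ? "FAULT" : "ok");
    printf("overflow into own padding:  %s\n", (f & F_PADDING) ? "FAULT" : "ok (invisible to MTE)");
    printf("overflow into neighbour:    %s\n", (f & F_CROSS) ? "FAULT" : "ok");
    printf("use-after-free:             %s\n", (f & F_UAF) ? "FAULT" : "ok");
    return 0;
}
```

The model shows both the strength and the limit of the mechanism. The cross-allocation overflow and the use-after-free are caught because the tag on the pointer no longer matches the tag on the memory; the write at offset 25 is not, because it stays within the 16-byte granule that the allocator rounded the 20-byte request up to. With only sixteen tag values a randomly chosen stray access still matches about one time in sixteen, so MTE raises the cost of reliable exploitation rather than making it impossible, and real hardware additionally offers synchronous and asynchronous reporting modes that trade precision for performance.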
It goes without saying that security is ever more crucial as the world becomes fully digitized and as electronic systems and devices increasingly become magnets for cybercriminals. The list already seems endless: Oil pipelines, beef processors, healthcare systems, governmental organizations, baby monitors, fish tanks; and yet the number of attacks that become public knowledge is tiny.
Do not despair, though, as the Arm ecosystem's dedication to improving security is long-standing, and we cast a wide net globally. We shared security innovations with you in each of the last two Arm Security Manifestos, and, earlier in this edition, Richard outlined our work in Confidential Computing, which will help to protect data while it is in use. And we continue to invest in mitigating side-channel attacks and memory vulnerabilities, because they matter not just to the computers we have been building for a long time but to the computers we want to build in the future. Further, the Arm ecosystem works tirelessly to deploy other security features, such as attestation and certification, and to identify and mitigate risk, as we have shown earlier in this publication.
I hope the information and perspectives we’ve provided in this manifesto give you confidence in the industry’s security efforts and inspire you to continue innovating in security within your own organizations and with partners. Together, we can work to harden security from IP to silicon to systems and enhance the trust in solutions we create to enable a more secure world.