Business could learn plenty about cybersecurity from the secret state

The national security apparatus – the secret state – of many countries has long recognized the risk of cyberattack and has sought to be at the leading edge of trends in cybersecurity. Increasingly, business leaders all over the world are now also coming to recognize that cyberattacks form one of their top business risks. In the World Economic Forum’s Global Risks Report 2019, survey respondents put cyberattacks among the top five risks for both likelihood and impact.

Commercial entities are now significant providers of critical infrastructure and the controllers of increasing amounts of sensitive data. Banks, telecoms companies and energy providers all operate critical operational systems. Even dating apps hold sensitive and critical information.

As a result, systems that are critical to the functioning of society are no longer solely the purview of national security agencies. In fact, they face many of the same sophisticated threats that the state has been facing for a number of years. As just one example, in October 2018, the US Justice Department indicted intelligence officers with conspiring to attack a number of commercial entities, including a nuclear energy company. In June 2019, it was reported that hackers possibly sponsored by a nation state had breached five of the world’s 10 biggest technology service providers.

Unlike governments and state-run organizations, businesses all too often accept that being hacked is an inevitability. They spend a significant amount on services to detect breaches and implement recovery, without considering that they are in fact facing similar threats to those the state has faced for a number of years, and that a change in approach and new market incentives are needed to meet these challenges.

Some innovative cyber companies have understood this and are working to develop solutions that would allow commercial entities to be as well protected as governmental ones. To achieve this, it’s necessary to reconsider the fundamentals of how cyber-risk is managed.

For decades, ever since the first computer worms were programmed in the 1980s, the cybersecurity industry has been treating cyber-risk as a software issue. The problem with this is that software operates on computer processors, or “Turing machines”, which can be used to run and interpret all kinds of software. Sophisticated hacking generally involves finding unexpected ways in which to trick those Turing machines into running nefarious applications rather than (or in addition to) the originally intended application.

A new technology, known as “hardsec”, treats the problem at the hardware level by using a different computational model: revisiting the early days of computer science to use “non-Turing machine” techniques that are simpler and more primitive, and hence less vulnerable to hacking.

In many ways that is not a new idea, because these non-Turing techniques are the basis of the “hardware security” measures that lie at the heart of commonly used Intel or ARM processor chips. (The processors on the chips are Turing machines, but they are combined within the silicon with non-Turing security measures.) But because of the costs and impracticality of manufacturing chips, hardware security measures are problematic in practice.

What makes hardsec an exciting innovation is the ability to use non-Turing security techniques in a much broader range of scenarios, raising the possibility of a future where strong cybersecurity is widespread. Hardsec achieves this in two ways: first, by using some clever techniques known as “transform and verify” that were invented by the UK’s GCHQ; and second, with the use of a type of silicon chip called a FPGA (Field Programmable Gate Array). FPGAs were invented for other purposes – there is an approximately $5 billion global annual market in them – but they are perfect for hardsec because they can be used to program, and reprogram, non-Turing-machine security measures without the need for physical manufacturing or changes.

By making the use of these strong, non-Turing techniques practical, hardsec can radically eliminate threats to a computer system, while accepting that no model can ever be completely secure. By definition, hardsec is not just software – it requires hardsec-capable hardware that is built using FPGA chips. Practically speaking, these hardware appliances are either installed in a customer’s data centre, or can be used over the internet as a cloud service.

Alongside the use of hardsec by government organizations, some hardsec pioneers are venturing into the commercial space. For example, Garrison is working with firms in financial services and other sectors to protect some of their most sensitive systems by making it possible for users to click on links without putting those systems at risk. We do that by using technology including hardsec to transform the web into harmless pixels. Other providers are using hardsec to protect against risks from email attachments, or critical APIs (application programming interfaces). The challenge with getting the commercial world to adopt hardsec is that current security-buying behaviours in the commercial market do not incentivize the purchase of strong security.

Perhaps surprisingly, commercial buyers today typically acquire cybersecurity products based on features and functions, rather than security. Even leading technology analyst firms admit that their reports on cybersecurity products do not incorporate any actual security analysis. This is in stark contrast to the practice of national security organizations – at least in leading cyber nations. They carry out extensive and probing security analysis on products before they decide to rely on them.

To some extent, this discrepancy can be addressed through better education, but there is also a structural market problem: unlike a nation state, any individual firm is unlikely to be able to afford the level of cost, effort and skills required to carry out a meaningful security analysis. As a result, firms continue to buy firewalls and other security products that contain serious vulnerabilities – sometimes proving even more vulnerable than the systems they are designed to protect.

To address this market failing, there needs to be a shift to ensure that the probing levels of security product analysis required can match the level of analysis conducted by nation states. Such analysis is time-consuming and expensive, and would require either collaboration across peer groups – to create structures that can commit the requisite levels of resource – or collaboration across private and public sectors to share results of analysis on specific products.

It’s highly probable that hardsec technology will play a major role in products that can withstand such analysis. Hardsec is changing the way that national security organizations defend against hackers. With the ongoing convergence between the types of cyberthreats perpetrated in the public and private sectors, and considering the major role that commercial entities are increasingly playing in safeguarding critical data and systems in the future, business leaders need to adapt their cyberdefence mechanisms and can benefit from protective technologies that have originated in the public sector. The tools for this are already available – the business models and incentives now need to develop, too.