Biden’s plan for strengthening US cybersecurity is too soft
As a security professional, I applaud President Biden’s Executive Order on Improving the Nation’s Cybersecurity. Cyberattacks are growing greater in scope and number and have a direct impact on us. From our gas and water supply to the most recent attack on the world’s largest meat supplier, cyberterrorism is becoming a national security threat. So, it’s about time we treat it like one.
Biden’s plan is a good first step but is missing a critical component: secure hardware. The Executive Order focuses on the security of software and processes related to security.
Without doubt, software is an obvious and viable vulnerability that bad actors can take advantage of, but most security experts agree that strong security cannot exist without ensuring the complete system is secure. The government plan is conspicuously silent on that aspect of the cybersecurity threat, which is particularly ironic given the emphasis recently on investing more in American hardware (semiconductor) initiatives.
A comprehensive solution starts with the trustworthiness of the underlying hardware: chips and boards. Without sufficient security for every hardware component and its supply chain, the hardware itself cannot be trusted.
Any given chip might have been tampered with, replaced and/or counterfeited. We’ve seen hacks where chips were programmed to run malicious software, be influenced by malicious third parties, and send confidential data to enemies. The risk is real and looming. Like one cannot build a castle on quicksand, software cannot be secure unless it leverages the trustworthiness and security of the underlying hardware on which it runs.
Hardware-first security is embodied in the zero-trust approach that is referenced in the Executive Order and that is being adopted by commercial and national-level security systems around the globe. Any authentication process in the zero-trust approach starts with having a Root of Trust (RoT) in the hardware.
A RoT is an area that holds all secret keys and credentials of a device in a way that keeps them safe from adversaries. The RoT consists of secure hardware to protect this sensitive data, which needs to be provided to the RoT in a trusted manner at some point in the supply chain. Without being able to trust the secret keys and credentials in a device and without knowing that the RoT will keep them safe, there is no way to perform the authentication steps that are the cornerstone of the zero-trust approach. Hence, zero trust cannot exist without trusting the hardware and its supply chain.
Once secure hardware has been implemented, the hardware and software can start working together to make the system safe. Now, software can authenticate the hardware and vice versa, as required for the zero-trust approach. This eliminates the risks of running secure software on insecure hardware or running insecure software on secure hardware, as both will create attack vectors that leave systems vulnerable to cybercriminals and cyberterrorists alike.
When strong hardware security is implemented, it can be leveraged by the software and the security level of the whole system is raised significantly.
The Executive Order is an important step, but it must be extended. Hardware security and the security of the hardware supply chain should be included explicitly as an integral part of the total solution. Without the inclusion of secure hardware, the other excellent efforts this order seeks to put in place will be futile. A chain is only as strong as its weakest link – and you can bet that is where the enemy will strike. Since all cyber systems are based on hardware, secure hardware is a conditio sine qua non and one that impacts all of us.