The recent reports of hacks such as SolarWind and Maze ransomware successfully striking computer networks belonging to Federal agencies and Fortune 500 companies highlight the continuing vulnerability of current software-based approaches to securing critical networks.
The US, like other countries, is vulnerable to hacking in large part because most of our current cyberdefenses are software-based and because the state-of-the-art in modern software design still requires regular patches and updates, a fact which hackers can exploit.
This has sparked a move to adopt more hardware-based approaches to cyber-security – an idea which industry experts have been suggesting for the last two years, with Fortinet CEO Ken Xie going on record as suggesting that current software-based solutions are becoming too costly in terms of the computing power needed to meet customer expectations for processing speeds in the context of richer content and more complex malware, making security “very costly and very slow.”
Xie, who recommends hardware solutions using “specialized chips that offer built-in security protections” – the same type of chips his company manufactures – says that without changes in approaches to cybersecurity, costs for big organizations are going to rise – from about 10 percent of total IT costs to as much as 40 percent.
Those specialized chips that Xie is talking about are called Application-Specific Integrated Circuits (ASICs), and one of their greatest benefits is not the speed at which they can process inbound and outbound data, but the fact that they are hardwired for a specific purpose and, therefore, malware can't alter their functionality.
Dr. Ronald Indeck, whose cybersecurity firm deals with applying hardware-based endpoints to computer networks, describes the problem with the current method, which is to use general purpose processors running software to deter cyber threats. According to Indeck, this approach has a problem because both user data and functional code data are running in the same system; and because all to this data is ultimately just ones and zeros, Dr. Indeck says that "any system that's leveraging general-purpose processors… none of those systems are provably secure." There are plenty of things that general purpose processors running software are good for, according to Indeck – “if the requirements are to build some kind of word processor or spreadsheet, a general-purpose processor is awesome for that. But if you want to do security, don't use a general-purpose processor. Use something that is immutable, something that can't be changed, and something that has strong security.”
The “something” that he advocates for using are Field Programmable Gate Arrays (FPGAs) which are similar to Ken Xie’s ASICs – but instead of cost and speed, Indeck is focused on security and says the key advantage to these circuits is that there is no software for a malware program to alter. "If you try to make that an FPGA do something that it's not designed to do by going in and sending it information, by running certain things through that process… it won't be able to be changed, it won't be able to deviate… you can't compromise that engine.”
The timing is probably optimal for early adopters of the approach recommended by Xie and Indeck. The complexity and functionality of FPGAs and ASICs have scaled rapidly, and they can now include enough features to be considered "systems on a chip." In fact, some researchers are warning that the end of the general purpose processor is nigh. And chipmakers are already working toward integrating general purpose and specialized processors on the same chip – which may mean that hardware-based cybersecurity will be a built-in feature in future computers.
But that future is not yet here, and in the meantime, the people in charge of securing America’s most critical electronic infrastructure are looking at standalone FPGA and ASIC-based solutions to harden the endpoints of their existing networks, or, in some cases, to allow the instant creation of secure networks in remote locations.
The Air Force has recently awarded a $3M Phase II Innovation Research Contract for Indeck’s firm to expand research in this area, and there are already signs that this investment may be paying off. During a recent cyber wargame, hardware endpoints were the only defensive measure not compromised by the Red Team. SOCOM is now looking at these devices to quickly create secure networks in austere locations, leveraging whatever communications infrastructure is already there. A handful of ASIC-based endpoint units (black boxes about the size of a small paperback book) would allow the operators to go onto an unsecured network and create “a hack-proof, totally secured communications between the endpoints,” according to Indeck.
Proponents of hardware solutions for endpoint encryption are marketing their technologies as “quantum-resistant,” but this is not a Quantum Key Distribution (QKD) or Quantum Cryptography (QC) approach, which the NSA claims are unsatisfactory for securing the nation’s critical networks due an inherent vulnerability to Denial of Service (DOS) attacks and the difficulties with integrating these technologies into existing network equipment.
Current software-based endpoints encrypt outgoing packets at the using Advanced Encryption Standard with Galois Counter Mode with a key-length of 256 bits (AES-GCM 256) the NIST currently holds as the gold standard against brute force attacks, which would require billions of years and trillions of terabytes of storage space to compromise the encryption key.
Unfortunately, AES keys generated by software running on general processors have proven to be vulnerable to side-channel attacks, with studies published on the topic since 2006. And while those studies have tended to focus on the less-secure 128-bit keys, a 2020 report by Dr. Colin O’Flynn and Dr. Zhizhang Chen shows that these attacks can quickly crack the 256-bit key as well, concluding that:
Simply using strong encryption such as AES-256 is insufficient to guarantee an embedded device will remain secure. A side-channel power analysis attack can be performed with a reasonable number of traces on a standard AES implementation, revealing the encryption key.
Hardware-based endpoints like the ones recommended by Xie and Indeck use the same AES-GCM 256 encryption, but side-channel attacks won't work against them because there is no software. These devices have some other significant advantages; they require no updates, no maintenance, and can work with any operating system, from the most modern to legacy SCADA devices running Windows NT and Windows 95.
Given these properties, and with early adopters in the DoD already coming on board, it may be that the military will finally have a solution to at least one of its cyber-security challenges, but servicemembers and DoD civilians won’t be able to say goodbye to annual cyber-awareness training just yet; not even hardware-based encryption can eliminate the threat of social engineering, though these endpoints can slow the spread of malware across a network if it is introduced by human error.