Arm wants to wrestle industry into a seat on the UK government's £70m hardware security train

We're taking it seriously, says chief architect

Arm has declared that it feels the "weight of our responsibility" as it jumps on board with the UK government's £70m plans to influence "hardware and chip designs" to enhance security.

The Digital Security by Design project is "a combination of the best practice approaches to security laid out in the Digital Security by Design review in 2018", which also gave us GCHQ's code of practice on IoT device security.

“With businesses having to invest more and more in cyber security, ‘designing in’ security measures into the hardware’s fabric will not only protect our businesses and consumers but ultimately cut cybersecurity costs to businesses,” said Business Secretary Greg Clark MP, in a canned quote announcing the move. The project is led by a government body, UK Research and Industry (UKRI).

Cambridge-headquartered Arm, while increasingly global in outlook following its buyout by Japan’s Softbank in 2016, is taking the initiative seriously. Its chief architect, Richard Grisenthwaite, said: "Arm is fully supporting UKRI’s push on security as it will catalyze research by the UK’s top computer engineering departments and, in partnership with industry, turn advanced security ideas into commercially-deployable technologies more rapidly."

He continued, referring to Cambridge University's Capability Hardware Enhanced RISC Instructions (CHERI) project, whose fruits are soon to be seen in Arm-architected chips: "CHERI technology offers the potential to derive formally-proven security properties of the memory system, addressing basic spatial memory safety which is a root cause of many existing security exploits... we must think about security in its entirety – not just at a point in time or at a particular layer in a hardware or software stack."

The "up to £70m" Digital Security by Design Challenge will be delivered by UKRI through the Industrial Strategy Challenge Fund, which we are told will be "subject to business case approval and match funding from industry". Similarly, the £30.6m "Ensuring the Security of Digital Technology at the Periphery" programme will be overseen by UKRI via its Strategic Priorities Fund.

The latter programme is targeted at IoT device security, with informing us all: "Effective solutions need to combine cyber and physical safety and security with human behaviour, influence new regulatory response and validate and demonstrate novel approaches. This will build on current investments including the PETRAS Internet of Things Research Hub and other activities supported through IoT UK."

Digital minister Margot James chipped in to add: "We're moving the burden away from consumers to manufacturers, so strong cyber security is built into the design of products. This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber-attacks."

A sum of "up to" £70m spread across different projects compares less than favourably with, for example, Intel's R&D budget of $13bn in FY2017/18. Nonetheless, Arm's Grisenthwaite concluded: "Now the UK government has taken this stronger position on security, it is up to industry to show support. That will mean putting in money and resource and it is in all of our interests to do the right thing." ®
