Arm has declared that it feels the "weight of our responsibility" as it jumps on board with UK.gov's £70m plans to influence "hardware and chip designs" to enhance security.
The Digital Security by Design project is "a combination of the best practice approaches to security laid out in the Digital Security by Design review in 2018", which also gave us GCHQ's code of practice on IoT device security.
“With businesses having to invest more and more in cyber security, ‘designing in’ security measures into the hardware’s fabric will not only protect our businesses and consumers but ultimately cut cybersecurity costs to businesses,” said Business Secretary Greg Clark MP, in a canned quote announcing the move. The project is led by a government body, UK Research and Industry (UKRI).
Cambridge-headquartered Arm, while increasingly global in outlook following its buyout by Japan’s Softbank in 2016, is taking the initiative seriously. Its chief architect, Richard Grisenthwaite, said: "Arm is fully supporting UKRI’s push on security as it will catalyze research by the UK’s top computer engineering departments and, in partnership with industry, turn advanced security ideas into commercially-deployable technologies more rapidly."
He continued, referring to Cambridge University's Capability Hardware Enhanced RISC Instructions (CHERI) project, whose fruits are soon to be seen in Arm-architected chips: "CHERI technology offers the potential to derive formally-proven security properties of the memory system, addressing basic spatial memory safety which is a root cause of many existing security exploits... we must think about security in its entirety – not just at a point in time or at a particular layer in a hardware or software stack."
The "up to £70m" Digital Security by Design Challenge will be delivered by UKRI through the Industrial Strategy Challenge Fund, which we are told will be "subject to business case approval and match funding from industry". Similarly, the £30.6m "Ensuring the Security of Digital Technology at the Periphery" programme will be overseen by UKRI via its Strategic Priorities Fund.
The latter programme is targeted at IoT device security, with UK.gov informing us all: "Effective solutions need to combine cyber and physical safety and security with human behaviour, influence new regulatory response and validate and demonstrate novel approaches. This will build on current investments including the PETRAS Internet of Things Research Hub and other activities supported through IoT UK."
Digital minister Margot James chipped in to add: "We're moving the burden away from consumers to manufacturers, so strong cyber security is built into the design of products. This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber-attacks."
A sum of "up to" £70m spread across different projects compares less than favourably with, for example, Intel's R&D budget of $13bn in FY2017/18. Nonetheless, Arm's Grisenthwaite concluded: "Now the UK government has taken this stronger position on security, it is up to industry to show support. That will mean putting in money and resource and it is in all of our interests to do the right thing."