Digital Security by Design: A Government Strategy That Can’t Afford to Fail

The UK government-backed Digital Security by Design (DSbD) initiative aims to secure underlying computer hardware, preventing most vulnerabilities from ever occurring. James Coker investigates how this ambitious plan works and whether it can have the desired impact

Vulnerability management is undoubtedly becoming an increasingly vital component of IT security teams’ roles amid surging digital adoption. The continuous nature of the vulnerability management lifecycle is highlighted by initiatives like Microsoft’s monthly ‘patch Tuesday,’ in which the tech giant rolls out a fresh batch of vulnerability patches across all its applications every second Tuesday of the month.

Yet, given the sheer scale of software used in modern organizations, vulnerabilities will inevitably fall through the cracks and be exploited by nefarious actors before a patch is enacted. This scenario has been highlighted by the discovery of the notorious Log4j vulnerability, which continues to be heavily abused by nation-states and cyber-criminal groups.

As visions of smart cities and the use of emerging technologies like quantum and artificial intelligence (AI) become ever more realistic, this never-ending patch management cycle looks unsustainable. Professor John Goodacre is the challenge director at Digital Security by Design, UK Research and Innovation (UKRI), and Professor of Computer Architectures at The University of Manchester. In his view, the current track could lead to many technologies being deemed too non-secure to use. “Unfortunately, attackers only need to find a single vulnerability to exploit and steal data or hold your system to ransom. As we use more technology, the number of attacks is also increasing, and the only response we have today is to keep patching when a vulnerability is identified – this cannot be sustained and is already costing the world trillions to lost productivity and crime,” he argues.

Part of the solution is ensuring software manufacturers build better security into their products before going to market. This is being increasingly recognized in policy circles, as demonstrated by the UK’s Product Security and Telecommunications Infrastructure (PSTI) legislation, which will place new cybersecurity standards on manufacturers, importers and distributors of internet-connectable devices.

However, placing additional security obligations on software manufacturers is only part of the solution. Much of the problem boils down to the fact that computer hardware, the components upon which software products are built, is outdated, traced back to designs developed in the UK during the 1940s and 1950s. Therefore, it is insufficient to deal with the enormous growth in technology and subsequent cyber-threats. “The use of digital systems is exploding and extending into all facets of modern life. If we can’t break the vulnerability-exploited-patched cycle, we will see an ever-increasing number of cyber disasters resulting in significant harm and cost,” warns Goodacre.

Thankfully, a well-funded and ambitious project is underway to tackle this fundamental “market failure” in cybersecurity. Digital Security by Design (DSbD), an initiative supported by the UK government to the tune of £70m in partnership with industry and academia, seeks to develop technology that enables computers that block vulnerabilities by design to be built, a vision that feels almost utopian in its ambition. If successful, this scheme will substantially reduce the current emphasis on vulnerability management.

Andrew Elliot, deputy director, cyber security innovation and skills at the Department for Digital, Culture, Media and Sport (DCMS), explains: “Good cybersecurity requires the technology that we use to be securely designed. It also requires organizations to apply good cybersecurity principles and have the skills necessary to build securely, test, detect and respond to threats. We need everyone to play their part by being aware and adopting good cyber behaviors. The DSbD initiative is a key building block upon which everything else rests.”

How Does DSbD Work?

The program is currently focused on adapting the hardware concepts of the Capability Hardware Enhanced RISC Instructions (CHERI) project, a collaboration between semiconductor and software design company Arm and University of Cambridge researchers that goes back to 2014. This aims to “define the hardware capabilities that would provide a fundamentally more secure building block for software,” explains Richard Grisenthwaite, SVP chief architect and fellow at Arm. 

As part of the research project, the team designed and built a system on chip (SoC) and demonstrator board, known as the Morello board. The prototype architecture provides the basis upon which the security by design hardware can be developed. Grisenthwaite tells Infosecurity that the Morello architecture allows for this in three main ways:

  1. It will enable programs to be built out of self-contained secure compartments, meaning only a limited area of code and/or data can be accessed by any one attack
  2. The capabilities directly allow the application of spatial memory safety to existing software, written in languages such as C, to mitigate attacks such as buffer overflow
  3. Capabilities can be used to generate fine-grained compartments in memory, making it far more difficult for an attacker, having compromised a piece of memory, to achieve a wider compromise of the system

“If the architecture performs as we expect, it could have a huge impact on future processor designs, protecting businesses, individuals and devices of tomorrow – the memory issues that CHERI and Morello address are known to be responsible for about 70% of known memory security software patches,” he notes.

However, implementing such a system is a momentous challenge and impossible via natural market forces. In essence, the cost involved in making such a fundamental shift in computer hardware prevents a return on investment from being made. Therefore, the support and funding for CHERI, given by UKRI, a non-departmental governmental body, are critical.

Goodacre explains: “The DSbD initiative was started by industry asking government to intervene and help them overcome the failures in the market. The ubiquity of digital and structure of suppliers makes it impossible to commercially address this cyber challenge, which can be likened to other global impact issues such as global warming. The DSbD program works by intervening in the parts of the market supply chain that must accomplish non-economically beneficial activities while creating a multi-sector, multi-discipline ecosystem from which other businesses can align investments and activities which together will solve the overall challenge.”

DCMS’s Elliot agrees that such a fundamental shift cannot be achieved without government support and coordination. “There are market failures to overcome, such as the assumption that cybersecurity is only a problem for those using a product or service and not for its manufacturer. The government needs to create incentives for organizations and encourage collaboration.”

Current and Future Steps

The project is now seeking insights from cybersecurity experts to refine and improve the CHERI and Morello Board technology. With the help of approximately £10m of government funding, over the next two years, academia and industry are being invited to test, write code and collaboratively offer feedback on the boards to help determine future versions of the technology. Among other insights, this process will help determine how the technology performs across a wide range of different usage models and provide a better understanding of how different languages and run-times can use capabilities; for example, Javascript or Java rather than just C and C++.

“This type of fundamental shift, i.e., creating an entirely new architecture, is a revolution rather than an incremental evolution. To take it from concept to a deployable, scalable solution requires wide industry commitment, investment and time. We need to establish whether the capability concepts of the Morello architecture are suitable for commercial deployment and will work in practice,” says Arm’s Grisenthwaite.

Once the technology has been refined and readied for commercial application, implementation will be the next stage. For Goodacre, this challenge is social and economic rather than technological. It requires widespread understanding and buy-in for DSbD across society, in which secure-by-design hardware is expected and demanded by consumers. DSbD is already taking steps in this regard, working with its growing community of stakeholders to share and communicate this step-change in cybersecurity through events and other means.

“Although the DSbD outcomes will overcome the market failures, the main challenge is around making product manufacturers and service suppliers understand the DSbD approach isn’t just another cybersecurity tool, but a mindset change to the kind of questions they must ask their technology suppliers,” outlines Goodacre.

“Today, speed, power and cost are the main requirements when selecting the hardware, with software then providing the functionality – and any cybersecurity. We must enter a transition when software can no longer be hardware agnostic, and they must ask in what way the components and chips are secured by design, and offer capabilities to ensure the resulting products can be secured by default.”

This is why the UK government views DSbD as the foundation of its ‘whole of society’ National Cyber Security Strategy, published at the end of 2021. “Through collaboration between academia, industry and government, the capability of DSbD to make information more secure and make it harder for malicious actors to gain access to an entire system will pave the way for business and people to use and trust technology. We are all essential components to deliver this transformation in secure technology,” comments DCMS’s Elliot.

Currently, a large proportion of cybersecurity is reminiscent of ‘whack-a-mole,’ whereby security teams continuously search for security flaws and rapidly attempt to fix them before they are exploited by cyber-criminals. DSbD aims to revolutionize this aspect of cybersecurity by strengthening the components used to build software, ensuring that most, if not all, vulnerabilities are prevented from ever emerging. It’s an ambitious plan and will take time and collaborative efforts to succeed. Yet, as society becomes ever more digitized and vulnerabilities ever more frequent, it is becoming increasingly apparent that it is a strategy that cannot afford to fail