Simon Segars: It's the Security, Stupid

Simon Segars opened the second day of Arm TechCon (or, for exhibitors who didn't notice the first day because they were setting up, the first day). Simon, of course, is the CEO of Arm, although Arm is no longer a public company since Japan's SoftBank acquired it for $35B in September last year. Simon opened with some reassurance: Arm is the same company after the SoftBank acquisition. Last year Masayoshi-san was here, but not this year. He had talked about the explosion of computing and the benefits it will bring for society, and Arm has been getting on with that vision. Since the acquisition, R&D spending has increased by 25%. While Arm is dominant in mobile (see my post Why Was Arm Successful in Mobile? ), its focus is clearly moving onto the Internet of Things (IoT), which it sees as potentially being a trillion devices. In fact, a couple of the keynotes and several other sessions looked at what it will take to get to a trillion things. The other big focus area is security. Right on cue, as if we needed any reminder after the recent Equifax breach, came the arrival of the KRACK attack, a vulnerability in the Wi-Fi security protocol itself. Simon said that Arm has shipped 100B chips (or, rather, Arm's licensees have shipped chips containing 100B Arm processors, or 100B chips containing Arm processors, which is probably close but not quite the same). He then quoted his predecessor, the founding CEO of Arm, Sir Robin Saxby: "One day there will be an Arm processor for everyone on the planet." Well, 100B is over 10 times the number of people on the planet, roughly the number of people who have ever lived. Arm expects another 100B in just the next four years. Simon talked about some of the changes that will come: earlier diagnosis in medicine, and removal of the most dangerous thing most of us do on a regular basis, namely getting into a car (35,000 people are killed annually in the US). But none of this will happen if we don't fix security.
It is not just cars and medical devices that need security; all the little devices are potential wormholes into the valuable networks behind them. For a perspective on this, see my post from GOMAC What Keeps MGM's Head of Security Up at Night? Lightbulbs! or see CNN's report on how a smart fishtank left a Vegas casino vulnerable to hackers , a breach that Simon mentioned in passing. Another thing he pointed out was that October is National Cyber Security Month in the US. However, nobody knows that (hey, it wouldn't be secure if everyone knew). Most people do not have degrees in computer science or electrical engineering, but they are exposed to these problems every day. Simon almost bricked his expensive TV, and managed to fix it after a few hours—and he does have a degree in EE. So solving the security problem is "our" problem, Simon said, referring to the audience and the semiconductor ecosystem. This will probably require some changes to the law. Compare the experience of a car: a good system has grown up to make cars safer, and recalls happen, which shows that the car companies take responsibility for your safety even after you drive the car off the lot. It is imperfect, but the tech industry is (mostly) not like that. They/we never take responsibility once you have purchased a product and clicked on some terms and conditions without reading them. This will have to change. There is a social and moral contract with the consumer.

Arm Security Manifesto

Of course, Arm has been thinking about this and has created an Arm Security Manifesto, which talks about the need for accountability as products are shipped to consumers. Every time a hack happens, trust is eroded, and we won't get the benefits of this stuff without trust. I think the manifesto, and especially the change in attitude that it calls for, is very important, and I will cover it in its own post.
A couple of days before Simon's talk, Arm announced the Platform Security Architecture (see my post on this Putting the Bad Guys in an Arm Lock ). This is a practical step towards making IoT devices safe, from the smallest microcontroller upwards (and it is at the low end where the problems are most acute, since the companies that create those devices do not have the resources of an Arm or a Qualcomm). Lloyd's of London estimates that the cost of security breaches is $400B per year, and is getting worse. Just as a quick summary for those of you who didn't read the post where I covered PSA, the platform has four legs:

- Device identity that doesn't change over time
- Trusted boot sequence
- Secure over-the-air (OTA) software updates
- Certificate-based authentication (not usernames and passwords)

This is largely aimed at taking the human out of the loop and ensuring that "things" just work. Further, when breaches happen (and they will), the system can respond and update without humans having to get back in the loop. The analogy is the human immune system. Biological viruses are alive and mutate, and electronic threats are also (sort of) alive and mutating. We need to be able to quarantine a device, revoke its privileges, and update its firmware. Something between nothing, which is the most common response today, and sending you a text or email saying you should update your firmware. In effect, the systems that secure the product need to be alive too. No one company can do this. It requires an ecosystem, and a large part of that ecosystem was at TechCon. There needs to be a social contract between the people who buy these products and the people who make them, so we all need to step up, Simon said. One category of job we should work to make obsolete is the cyber criminal. Simon's keynote was followed by a discussion.
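To make two of those legs concrete, trusted boot and secure OTA updates, here is a small Python model I have added to this post; it is not code from Arm, PSA or the original article. It uses an HMAC-SHA256 manifest as a stand-in for the signature a real device would verify against a manufacturer certificate (PSA's fourth leg), and the root key, firmware images and version numbers are constructed placeholders. The point it shows is that "alive" security needs more than a hash check: the manifest must be authenticated before anything in it is trusted, and a version floor stops an attacker from pushing a device back to an older, vulnerable image.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the per-device root-of-trust key a real part would keep
# in a secure element; PSA would use certificate-based (asymmetric) verification.
ROOT_KEY = b"constructed-root-key-not-for-real-use"
MANIFEST_LEN = 4 + 32 + 32  # big-endian version || sha256(image) || HMAC tag


class RejectedImage(Exception):
    """Raised whenever an image must not be installed or executed."""


def build_manifest(key: bytes, version: int, image: bytes) -> bytes:
    """Vendor side: bind a version number and image hash under the key."""
    body = struct.pack(">I", version) + hashlib.sha256(image).digest()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_image(key: bytes, manifest: bytes, image: bytes, min_version: int) -> int:
    """Device side: authenticate the manifest, then enforce anti-rollback and integrity.

    Returns the verified version number, or raises RejectedImage.
    """
    if len(manifest) != MANIFEST_LEN:
        raise RejectedImage("malformed manifest")
    body, tag = manifest[:36], manifest[36:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Check the tag first so nothing in an unauthenticated manifest is trusted.
    if not hmac.compare_digest(tag, expected):
        raise RejectedImage("manifest authentication failed")
    version = struct.unpack(">I", body[:4])[0]
    if version < min_version:
        raise RejectedImage(f"rollback rejected: v{version} < v{min_version}")
    if not hmac.compare_digest(body[4:], hashlib.sha256(image).digest()):
        raise RejectedImage("image hash mismatch")
    return version


class Device:
    """A device whose flash holds one image plus its manifest."""

    def __init__(self, key: bytes, manifest: bytes, image: bytes):
        self.key = key
        self.manifest = manifest
        self.image = image
        # Factory image: any authenticated version is acceptable at first install.
        self.installed_version = verify_image(key, manifest, image, 0)

    def boot(self) -> int:
        """Trusted boot: re-verify flash contents before running them."""
        return verify_image(self.key, self.manifest, self.image, self.installed_version)

    def apply_update(self, manifest: bytes, image: bytes) -> int:
        """Secure OTA: accept only an authenticated image newer than what is installed."""
        new_version = verify_image(self.key, manifest, image, self.installed_version + 1)
        self.manifest, self.image, self.installed_version = manifest, image, new_version
        return new_version


def demo() -> dict:
    """Exercise a good update, a tampered image, a forged manifest and a rollback."""
    v1, v2, v3 = (b"firmware v%d (constructed)" % n for n in (1, 2, 3))
    dev = Device(ROOT_KEY, build_manifest(ROOT_KEY, 1, v1), v1)
    outcomes = {"update_to": dev.apply_update(build_manifest(ROOT_KEY, 2, v2), v2)}
    outcomes["booted"] = dev.boot()
    attempts = {
        "tampered": (build_manifest(ROOT_KEY, 3, v3), v3 + b"\x00"),
        "forged": (build_manifest(b"attacker-guessed-key", 3, v3), v3),
        "rollback": (build_manifest(ROOT_KEY, 1, v1), v1),
    }
    for name, (manifest, image) in attempts.items():
        try:
            dev.apply_update(manifest, image)
            outcomes[name] = "accepted"
        except RejectedImage as err:
            outcomes[name] = str(err)
    outcomes["still_installed"] = dev.installed_version
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script walks through one accepted update, a normal boot, and three rejected attempts, after which the device is still on version 2. The same `verify_image` routine serves both boot and update, differing only in the version floor it is given: at boot the installed version itself is acceptable, for an update only something newer is.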
Panel

Simon was joined by Mary Aiken, who is a cyber psychologist from the University of Dublin, moderated by Don Clark, who was at the Wall Street Journal for what seems like forever, based in San Francisco, and now works with the New York Times. Don's first question was for Mary, on how people joining the workforce today have changed in their thinking about security. Mary warned that it is not a question of how smart you are—smart people do stupid things online. We are like lab rats being dragged into click-bait behavior, which is not good security behavior. We want people to be smarter than their smartphones in how they behave. Simon said that we are seeing moves towards detection, especially in corporate networks, but most individuals wouldn't know if their devices had been hacked. Mary was asked about the hacker mentality. It has gone from a loser in a dorm room to sophisticated criminals, largely not in the US. What about the international aspect? Mary pointed out some good news. NATO declared cyberspace a domain of operations: land, sea, air... and computer networks. To Mary, that was a seismic shift. The bad news is that nobody noticed. Simon pointed out that we have international treaties about things like maritime law, developed over centuries. We may need something similar for cyberspace. Mary was doubtful. It moves too fast for international treaties; we need a framework sooner. Don's next question was in what ways the machines can help us. Simon pointed out that some of these are trivial. He gets phishing emails every day of the week. He knows he is an obvious target. He is technical enough to handle this, but we need to make it cleaner. Mary pointed out that if she were going to hack Simon she wouldn't do it directly, since he is too savvy. She'd hack someone in his trusted circle. Remember that the Target intrusion was done via an HVAC subcontractor. Arm created TrustZone a long time ago, but technology needs to move beyond just an area of memory with the keys in it.
Segregating what you can trust from what you can't is important, hence Arm's PSA. Don went back to the social dimension and asked Mary about liability. It is not defined the way it is for GM when a car blows up. It is different in the cyber world. Take the Equifax breach. The lawsuits are against Equifax, not whoever sold the systems. Mary noted that it is really hard to take real-world things and extend them to technology. Take Equifax. It is great that one company has data on half the country, but she would be focusing on "what could possibly go wrong?" and she suggested that maybe it doesn't make sense to have all the data in one place. She also said that we need to think about "too big to fail". Again, what could possibly go wrong? Simon said that even thinking about what could go wrong, rather than just preventative actions, is a change. The world of computing grew up before we connected everything, every person, Fitbits, even the aforementioned fish tanks. We need to look at risks and be a bit more paranoid. But you can't "solve" security; it is a living thing. Mary emphasized that we need a trans-disciplinary approach. Currently, the behavioral scientists are blindsided since it is going too fast, and they are only just starting to catch up. The manifesto is a great step forward in trying to make a difference. Perhaps we need to add philosophers and economists too. Simon wrapped up by saying that Arm has been here before, building an ecosystem. They need an ecosystem to engage on this problem, which means everyone needs to work together. It is not just an investment to make security good, but a requirement to grow the market.

Lloyd's of London

I mentioned Lloyd's of London above. And Simon, in the panel session, talked about maritime law. Lloyd's is famous as an insurance "company", especially in maritime insurance. In fact, it is not a company; it is an insurance market between the insurers, known as underwriters, and the people wanting risks insured. Who was Lloyd? A major insurer? The founder of the market? In fact, the market started in a café in London in 1688, and Lloyd was the man who owned the coffee house. People financing voyages would go there to insure their cargo and ships against loss. Maritime insurance is still a big part of Lloyd's, and the Lutine bell still hangs in the lobby. This was the bell from HMS Lutine, which sank with a large load of gold and silver (and perhaps the Dutch crown jewels) en route to Hamburg to stall a stock market crash. It was wrecked in a storm, a huge disaster for everyone involved. But there was a silver lining. The claim was paid in full two weeks after the ship was lost, cementing Lloyd's reputation both for paying any valid claim and for having the financial backing to withstand a loss of such legendary proportions. Why are the insurers called underwriters? Marine insurance was done by writing down the ship's name, and the underwriters would sign underneath if they accepted the risk. Since they wrote their names underneath, this was known as underwriting. These terms are still common in insurance today.