Digital Security by Design: Transforming Digital Technology for a Safer Future.
The second day of CyberUK 2023 focused on the newly launched joint guide for Security by Design and Default by CISA and NCSC. The guide highlights the best practices for a secure hardware foundation, including fine-grained memory protection as provided by the CHERI architecture, which is at the heart of The Digital Security by Design programme.
The Digital Security by Design programme aims to transform digital technology and create a more secure and resilient foundation for a safer future. The initiative is supported by the UK government and has the backing of tech giants such as Microsoft and Google.
During the CyberUK 2023 event, the programme was showcased in the main auditorium with Microsoft and Google demonstrating their support. Siân John, MBE, Senior Director, Microsoft Security Business Development, emphasised that the initiative aims to overcome market failures and update the insecure digital computing infrastructure that underpins the entire economy by 2025.
The speakers discussed how the CHERI architecture, which mitigates vulnerabilities in existing code and provides tools to build new security models, offers much stronger security than traditional methods such as privilege levels and a memory protection unit. They also highlighted how the CHERI architecture makes code memory safe and limits the impacts of bugs.
Ben Laurie, Principal Engineer at Google, stressed the importance of secure-by-design and secure-by-default principles in providing integrity and enhancing trust through memory safety and compartmentalisation. He described how the CHERI architecture promises a radical simplification of the lower layers of future generations of computers, citing Microsoft’s CHERIoT’s experiment, which has a TCB of less than 300 instructions.
The final plenary of the conference, chaired by Lindy Cameron CB, OBE, CEO, NCSC, discussed the importance of the Digital Security by Design programme and why more action is needed to secure the future of computing.
Richard Grisenthwaite, Executive Vice President and Chief Architect and Fellow at ARM, explained that 70% of all exploitable vulnerabilities come from memory safety issues and that the CHERI technology has the potential to provide a step change in security.
However, he highlighted the challenges of deploying the technology at an industrial scale due to the long and complicated supply chain, and the need to establish its value and ensure that the benefits are passed on to all stakeholders.
Despite these challenges, the speakers emphasised the need to keep innovating and create a pull for secure-by-design technology. They called on all stakeholders to get involved in the Digital Security by Design programme and make a difference in securing the future of computing.
In conclusion, the Digital Security by Design programme offers a promising way to address the challenges of securing digital technology and creating a more resilient and secure foundation for a safer future. The support of tech giants such as Microsoft and Google, as well as the UK government, provides a strong foundation for the programme’s success.
If you care about the future of computing, join us in the ManySecured Working Group and be part of the Digital Security by Design programme. Then we will create a more secure and resilient digital infrastructure for all.
Dr. Nick Allott, Secure Networking by Design, Project lead, demonstrating the progress of ManySecured at CyberUK 2023.