How hardsec can deliver next level of cyber defense
- By Henry Harrison
- Jul 17, 2020
The federal government is making admirable progress in the battle against cyber threats: A total of 72 agencies received an overall rating of "managing risk" in the latest Risk Management Assessment from the Office of Management and Budget – up from 33 in FY 2017. However, this is no time to declare victory. The national security apparatus must continue to sharpen its edge by constantly seeking out new innovation.
Today’s hackers are growing increasingly sophisticated. Lawless attackers face no restrictions or regulations when carrying out their exploits, while IT teams must follow protocol and rely heavily on security resources in hand. As hackers get more aggressive and creative, government’s defense mechanisms must adapt.
Fortunately, we are on the cusp of a major revolution in cybersecurity: An emerging technology called hardsec is changing how organizations defend themselves. Hardsec rejects the paradigm that has dominated security thinking since the beginning -- that protecting against threats is rooted in a software challenge.
Treating security as a software challenge ignores the essence of cyber risk. Computers use processors (or Turing machines) to run different kinds of applications, and sophisticated hackers can take advantage of the adaptability of those Turing machines by convincing them to run malicious applications that lead to data breaches, ransomware and other malware. In other words, the very power that allows us to “do amazing things” with software simply by giving it instructions is also the power that allows adversaries to substitute their instructions and sabotage a computing platform.
Hardsec, in contrast, treats risk as a hardware challenge, rethinking how hardware is built. Originating from the intelligence community about a decade ago as an alternative architecture, it is a computer-science‐based approach that deploys “non‐Turing machines” to eliminate threats. It leverages field programmable gate array integrated circuits that can only be programmed using specific physical FPGA pins. IT teams can restrict -- by physical hardware design and implementation -- who can reprogram the FPGA to those who have access to a well-protected privileged management environment. Attackers are kept from doing so because they cannot physically transmit data to the pins. IT teams can safeguard the enterprise without significantly compromising solutions to carry out the tasks required of them.
Despite being hardware devices, FPGA chips enhance security functionality because IT teams can use them to program and reprogram protective measures without the need for physical changes. Yet, as opposed to complex and flexible software-based tools that give adversaries abundant opportunities to exploit, hardsec controls are comparatively simplistic and narrow. They will do what they are originally instructed to do and nothing else. Essentially, they are too dumb and primitive to be hacked.
In terms of practical application, hardsec allows professionals working on devices containing sensitive information to access high-risk areas such as the internet. This means agency staffers can click on links and browse the web from government devices and otherwise work on critical missions without fear.
In its report titled “Innovation Insight for Remote Browser Isolation,” Gartner indicates that through 2022, organizations that “isolate high-risk internet browsing and access to URLs in email will experience a 70% reduction in attacks that compromise end-user systems.” Through hardsec, agencies can transform users’ web sessions into safe video pixels and isolate browsers at the hardware level, essentially eradicating web-borne threats such as malware, phishing attempts and drive-by downloads.
As a result, hardsec supports information-focused missions in governments around the world. The security embedded in the technology is strong enough to provide internet access even from highly classified systems that would otherwise be air-gapped. At a non-classified level, it enables thousands of users to work without fear of endangering the enterprise by an accidental click on an email link or a search on the web.
We live in a world where increasingly formidable attackers demonstrate -- over and over again -- that they have “solved” the riddle of software. Therefore, we must redefine the way we think of cybersecurity, by combining the isolation of internet interactions with hardware-driven protective measures. In the process, agencies will discover that defense strategies based upon dumb machines will actually turn out to be a very smart plan indeed.
Henry Harrison is co-founder and CSO at Garrison.