SANTA CLARA, Calif.—The short-term outlook for security is bleak, but a combination of better engineering and more spending should reap long-term benefits, said Paul Kocher, a security expert, in a keynote at DesignCon here.
The growing number and complexity of devices will continue to outstrip our ability to secure them for the next few years, during which time “we’ll see a lot of failures,” said Kocher, the chief scientist of the cryptography research division of Rambus.
“We’ll have a rocky road ahead for the next decade” given the combination of the emerging Internet of Things with “offensive cyber programs just about every country has,” he said. International Data Corp. predicts that within two years 90% of all IT networks will have an IoT-related security breach, he added.
At some point, adding a new feature to a product could reduce its value because it creates more complexity and less security. As an extreme example, he noted that after the Edward Snowden leaks, the Russian guard and the India High Commission both switched from using PCs to typewriters.
“We have to have stronger foundations for security and correct assumptions about software quality,” Kocher said, noting engineers must assume all products — software or hardware — will have bugs. “The ability of the tech industry to change the world depends on solving these problems,” he said.
Kocher predicted the industry’s spending on security will grow faster than other areas, just as the aviation and pharmaceutical industries have focused on safety.
The good news is that a wider variety of security components is becoming widely used, from SIM cards to trusted platform modules. And the costs of adding good security are declining, from a few dollars for discrete chips to a few cents for blocks on an SoC.
“I’m most optimistic about doing things in SoCs better” such as supporting multiple secure domains, he said.
For its part, Rambus has developed IP cores for security that are now being used by chip vendors such as Qualcomm. “We are making everything a cryptographically signed, secure process,” he said.
Rambus has also developed techniques for easing the logistics of integrating keys from many third parties into products made at various plants. It also has an approach for using cryptography to unlock features in an SoC so a chip based on a single mask set can be configured for a variety of products.
Long term, smartphones that are already used instead of credit cards at the point of sale will also be used as sources of identification – perhaps even a passport. “The contactless chip in the passport could be in the phone, and there are many reasons why it should be in the phone,” he said in an interview following the keynote.
— Rick Merritt, Silicon Valley Bureau Chief, EE Times