Security by Design: Learning from the Past to Reimagine the Future

Written by

Innovation “is about expanding the range of our anticipated future to think about everything that might be possible,” observed Professor Genevieve Liveley, Professor of Classics, RISCS Fellow, and Turing Fellow at the University of Bristol, UK, speaking during the inaugural Digital Security by Design (DSbD) roadshow event this week.

This sentiment encapsulates the DSbD initiative, supported by the UK government in collaboration with academia and industry. The approach aims to revolutionize cybersecurity in the UK, shifting away from the continuous cycle of patching and mitigating vulnerabilities that permeates across organizations. Instead, the initiative seeks to embrace the current and future potential of technology to build computers that can block vulnerabilities by design.

This involves developing technologies that are beyond current capabilities. To help harness this vision, one part of the DSbD program is the promotion of the Morello Board, a prototype system-on-chip (SoC) development board developed by Arm in collaboration with the University of Cambridge and SRI International. This prototype architecture adapts the hardware concepts of Capability Hardware Enhanced RISC Instructions (CHERI). Under the Morello program, hundreds of the boards will be sent to academics and industry to experiment on, who will, in turn, provide feedback to gain insights on developing ways to enable security by design.

The strategy is ambitious and requires significant buy-in across the cybersecurity sector. Therefore, it is being promoted in a series of roadshow events across all four nations of the UK, involving a range of expert speakers. The first of these was in the historic Bletchley Park, Milton Keynes in England on February 21. This will be followed by events in Glasgow, Scotland on March 3, Caerleon, Wales on March 8 and Belfast, Northern Ireland on March 10.

The events will follow a narrative, starting with the origin of computers to understand why we face the cybersecurity issues we have today, as well as try to learn lessons from the past that can help facilitate future innovations. What better setting to undertake this task than Bletchley Park, the top-secret home of World War Two codebreakers, a place in which enormous strides in computing took place.

The Origins and Development of Computing

The roadshow began with a presentation by Sir Dermot Turing, who has written numerous books about the work of his famous uncle Alan Turing, codebreaking and computing history. Turing noted that the work of his uncle and other early pioneers in this area was primarily motivated by a desire to enhance mathematics and solve equations that are impossible with a human mind. He also pointed out that Alan Turing didn’t conceptualize computers in the 3D hardware form that we see today. In respect of Alan Turing’s theoretical paper On Computable Numbers in 1936, “what he was trying to do was create a new part of number theory, which was to define a new class of numbers, computable numbers.”

Enigma code breaking machine, Bletchley Park
Enigma code breaking machine, Bletchley Park

Turing then explained that computing became digitized in the post-war period, and early programming methods emerged.

The next presentation was delivered by Dr Andrew Herbert, chairman of the board of trustees at the National Museum of Computing at Bletchley Park, who described the developments in computer performance over the decades. Notable advances included magnetic core store memory, bit sliced implementation, cache memory, multiprogramming and array processors. However, none of these developments were undertaken with security in mind. Herbert noted that while studying for his PhD in Computer Science at the University of Cambridge from 1975-1978, “we had one big problem with trying to do digital security by design; we didn’t have enough transistors, and that’s what’s different in the modern age.”

This has meant that advances in computing have corresponded with security issues. Herbert explained: “As computers got bigger and faster, those of us who come from the software side of the story had the conceit to write larger programs and then been surprised that they go wrong and have bugs. That’s created the cybersecurity challenges.”

Reimagining the Future in Cybersecurity

Changing how we think about future possibilities will be crucial in DSbD’s ambition to radically enhance future cybersecurity. This was the message Genevieve Liveley during her presentation. She said it is crucial to avoid being constrained by what seems plausible in the present and “avoid placing undue emphasis on the predictability, certainty and clarity on the future of DSbD.”

Instead, we should try to imagine technologies that have not yet been invented. This "requires the interrogation of a whole range of different desired futures,” she stressed. “It requires resisting the notion that present and historical trends are inevitable – we call this chronocentrism.”

Liveley said this mistake had been made too often in the past, creating blind spots. For example, she highlighted the prediction by Thomas Watson, chairman and CEO of IBM in 1943, that there’s only a world market for five computers.

She then showed a series of illustrations from the 19th and 20th centuries that depicted future life, “which showed a failure of imagination.” These included radical ideas, like robots and flying cars. They were, however, constrained by the technology of the time, such as being powered by steam.

Liveley believes a number of lessons can be learned from these historical examples about the art of future thinking. “They prompt us to take seriously the attempts to predict the future of DSbD in the year 2030 or perhaps 2050 without falling into the same snares,” she stated.

Liveley concluded: “We can learn from this remarkable history of future thinking to help enhance our own future work in the present and in the context of the new and radical innovation in digital security that’s imagined by DSbD.”

“We can learn from this remarkable history of future thinking to help enhance our own future work in the present"

The session's final presentation was provided by Andrew Elliot, deputy director, cyber security innovation and skills, DCMS, who discussed cyber challenges in the modern world and the DSbD initiative in more detail. He noted that there is significant “tension” between technological innovation and security. “We’re all connected today in more ways than ever before; the internet is not just accessed by our computers. We’re adopting connected devices at an increasing rate and into more aspects of our lives,” he noted. “While this is positive, it’s also made cybersecurity more and more challenging.”

At present, cybersecurity is focused on mitigating threats and patching vulnerabilities, which “places the primary responsibility on the users rather than on those building the systems.” Elliot highlighted efforts by the government to require products are developed with stronger in-built security, for example, the Product Security and Telecommunications Infrastructure (PSTI) bill, which will place new cybersecurity standards on manufacturers, importers and distributors of internet-connectable devices. However, he acknowledged that regulation like this will not solve cybersecurity challenges by itself.

The answer is offering solutions to make products secure by design, preventing most vulnerabilities from ever emerging. With this in mind, “the DSbD program exists to unblock the market failure that was stopping the industry from producing new technologies to block vulnerabilities,” explained Elliot. This was the motivation for the government’s five-year research partnership with software design company arm, “to develop cyber-attack resistant chip technology; this technology has the potential to beat hacks such as buffer overflow and side-channel attacks.”

This includes the development of the Morello hardware, which will be used “to design new secure products and services. We want to help support and create a new system for people using and adopting this new technology, and help them overcome any commercial or performance barriers to improving the security of their project,” he commented. DSbD is now inviting relevant organizations and individuals to experiment with the technology, with four cohorts planned over the next two years.

Elliot concluded by describing the significant growth of the UK’s cybersecurity sector, demonstrated by the findings of the DCMS Annual Cyber Sector Report 2022 published last week. “I’m encouraged that our sector continues to evolve and innovate. We want to build on this success and take advantage of the UK being home to this new expertise to build more secure products and services.”

What’s hot on Infosecurity Magazine?