The digital world has changed significantly over the last decade. Internet access, for instance, has grown from 2bn users in 2011 (1) to more than 5bn in 2023 (2), while the number of connected devices grew from around 5bn in 2011 to around 30bn in 2020 (3) and continues to grow.
These changes and the growth in the use of digital technologies offer great opportunities across all business sectors and to the benefit of society as a whole. Governments and industry alike have embraced digital transformation to improve their products and services. However, with this opportunity they also face a major challenge: how to secure the digital world from cyber threats. As the digital world expands, so do the attack surface and the risk of harm from hackers, criminals, and hostile actors.
The UK Government understands the threats that this raises. Security is therefore an ever-present and increasingly important feature across many of its digital strategies and consultations. The Integrated Review, for instance, highlighted that for the UK to become the cyber power it seeks to be, cyber security is the foundation.
Nonetheless, cyber security practice as it currently exists, a constant arms race of monitoring and patching vulnerabilities against exploitation, is unsustainable. For that reason, we need to ensure that the digital world is delivered to be more secure by default and that technology protects against bugs by design, including at the hardware level. The UK’s most recent National Cyber Strategy recognises this need and therefore now includes a technology pillar to focus on more secure hardware, with a significant part dedicated to UK Research and Innovation’s Digital Security by Design Programme (DSbD). The programme is also referenced as a key part of the National Semiconductor Strategy. It seeks to make the digital world more secure by design by introducing new hardware approaches that, for example, are already showing they can prevent any impact from around 70% of ongoing vulnerabilities, while providing developers with new tools that enable other more secure and more productive approaches.
Many industry sectors that embrace digital transformation recognise the need for better security. The Energy Digitalisation Strategy, for instance, highlights that to increase reliance on connected energy systems we need to ensure robust security and privacy, and that security should be embedded into systems by design. This view is now becoming commonplace across all sectors where the integrity of a system is required for safety, privacy and resilience of operation. Embedding this across all sectors meant starting at the computer design level – something that hasn’t fundamentally changed in terms of security for over 50 years, despite this being widely reported and the consequences of that lack being increasingly felt.
Digital security is a global challenge and, as the semiconductor strategy highlights, the UK Government will expand the DSbD Programme’s international outreach to promote the need for adoption of the technology that has been developed. Already, joint guidance from an international collaboration of the US, UK, Germany, Australia, Canada, Netherlands and New Zealand advises a move towards more secure by design technologies such as those developed in the DSbD programme.
The Digital Security by Design Programme
The DSbD programme is an initiative of Innovate UK’s Industrial Strategy Challenge Fund, launched in 2019. It aims to create a more secure computer design at the architecture level, using the CHERI technology concepts developed by the University of Cambridge over the previous 15 years. The programme includes key collaborations with Arm Ltd and UKRI to implement a real-world prototype for CHERI, which can show it fixes the design shortcomings that have been plaguing computers since the 1970s. Before this programme, there was no incentive for any one organisation to solve the problem, because new hardware needed software to justify its existence, and new software needed hardware to run on.
The DSbD programme has overcome this failure by catalysing industry, academia and Government into action. The stimulus of £80m Government funding, matched by £200m industry investment, has engaged essential organisations and people to bring the architecture from a research project to the physical prototype implementation, known as Morello, along with a community of over 70 organisations internationally working on building out the ecosystem and proving the security capabilities across real-world scenarios.
With this new design, research analysis by Microsoft, Google and others shows that around 70% of ongoing reported vulnerabilities could be blocked from exploitation by this technology. Other new features of the approach enable developers to further extend the resilience of software while reducing the effort required to develop it.
Morello boards are still available to academics and organisations who want to begin to understand what this technology could do for them and to be a part of building a new, more secure future for us all. Those with Morello boards are invited into the increasingly international DSbD community, all working towards the same goal of ensuring we live in a safer digital world.
A programme focus is now to encourage organisations to investigate beyond their current cyber security best practices. They must also drive for more security by default in their products and services throughout the supply chain, ensure that vendor organisations make decisions to defend them, and demand solutions that are secured by design.
With the Morello boards now available, the programme has focused on providing proof, expanding and enriching the ecosystem, ensuring that the relevant tools are available for the future to enable adoption, and creating relevant use cases. So far, UKRI has funded around 40 projects across the ecosystem, given access to Morello through the Digital Catapult’s Technology Access Programme to another 30 organisations, and provided direct access to boards to another 24 organisations across the world. The MoD, through DSTL, is also engaged to take advantage of the opportunities of this technology in defence-specific scenarios.
The Digital Security by Design Programme featured heavily at the National Cyber Security Centre’s flagship event, Cyber UK 2023, in April. As part of the “fixing the foundations” stream, a session hosted by NCSC was delivered by Google’s Ben Laurie and Microsoft’s Sian John, and introduced DSbD and the possibilities that present themselves with new technology. This was followed by a panel session hosted by DSbD Deputy Director Agata Samojlowicz, with a panel consisting of Ben, Sian, Thomas Olsen from Deltaflare and Paul Caseley from DSTL. The overarching message from these sessions was to encourage all listeners to get involved, either by beginning to demand secure technology from the supply chain or by getting involved directly in the programme through the Morello board. The closing panel of the day, hosted by NCSC CEO Lindy Cameron, continued the theme of security by default and built on the DSbD panel session to demand that the audience consider security by design.
Implementing Government strategy through Digital Security by Design is crucial in addressing the challenges posed by the expanding digital world. The UK Government recognises the need for enhanced security and has integrated it into various strategies. Traditional cybersecurity measures are struggling to keep up, necessitating that vendors secure their products by default and leverage new technologies to secure their operation by design. The DSbD Programme, supported by international collaboration, aims to make the digital world more secure and productive. As the DSbD community continues to grow, organisations are encouraged to prioritise consideration of the security, integrity, and resilience of the technologies they use throughout their supply chain.
Together, we can shape a safer and more beneficial digital future.
[1, 2 and 3]: Statista, 2023