It’s easy to think of cybercrime as totally discrete from regular crime. But it would be a bad mistake.
The word “crime” might make you think of robberies, violence or something worse – but most of the acts that come to mind will likely be physical. You won’t think about the less visible crime that causes millions of pounds worth of damage every day.
Visualising crime that takes place in the ether is tricky – but it’s always worth remembering that even the most computational crime has a physical element. To protect adequately against cyberattack, a network has to be utterly watertight in terms both of software and hardware.
Paul Kocher knows this better than anyone. Kocher has developed a number of real-world cybersecurity tools, including the SSL 3.0 standard – part of the foundation of modern internet security. Every time you see a URL begin with https – indicating that your connection is secure – Kocher is partly to thank. This discovery, along with a number of other world-leading innovations, saw Kocher become a member of the National Cyber Security Hall of Fame (who knew?) in 2014.
Kocher specialises in the bridge between hardware and software – specifically in a type of breach known as side-channel attacks. These attacks isolate weaknesses in a computer system’s hardware, rather than its software, allowing a hacker to target a part of the system that doesn’t normally come under scrutiny. Often, that part of the system will be a much softer target than its beefy, expensive cryptographic software.
How side-channel attacks work
Cyberdefences typically protect computers’ files, preventing would-be-ne’er-do-wells from accessing parts of a system containing sensitive information. Side-channel attacks, however, look to gain entry to these systems by analysing a different sort of data.
Take power consumption. The amount of power your computer uses might seem totally inconsequential – but an adversary could examine a graph of your processor’s power demands and use it to bypass your computer’s security protocols. Below, I’ve described an example of simple power analysis (SPA).
A computer encrypting the long number on your credit card would perform 16 mathematical functions, one for each number. Each of these functions will result in a spike in a processor’s power consumption.
In addition, each function will consume a different amount of energy. So, by looking at the precise amount of power used to perform each function, a hacker could determine what type of function was being performed – say, whether a number was being squared or multiplied during encryption. Using a basic oscilloscope, a hacker could visualise the encryption process and reverse-engineer it. And all that without once attempting to penetrate your cyberdefences.
So, cybersecurity is more than a software issue.
Complexity makes computers less, not more, secure
How do we protect against side-channel attacks? The answer’s pretty simple. We need to take the task of protecting our hardware as seriously as we do the task of protecting our software.
Kocher recently published a paper advocating for “simple, high-assurance hardware for secure computation”. In practice, that means that a computer’s cryptographic calculation should be done by a separate, quarantined computer. That computer would be far simpler – and that would be a huge advantage.
A cyberdefence is only as good as its weakest point. So, in a sense, a complex computer exhibits more weaknesses to would-be attackers. In fact, a computer’s vulnerability to cyber-attack increases exponentially with the number of components it has.
Each link between a computer’s constituent parts represents a point of weakness. The more components a computer has, the greater the number of links. In fact, we can approximately calculate the number of vulnerabilities in a computer system by squaring the number of parts it consists of.
If a computer has 1,000 parts, it has just under one million links between them, and thus just under one million vulnerabilities. If we reduce the number of components to 100, we reduce the number of potential weak spots to just shy of 10,000.
That’s why separating a computer’s cryptographic technology from the computer itself can be so crucial. Off-site crypto helps reduce side-channel attacks by making a computer’s “surface area” smaller. Coupled with top-level software, that should shut most routes of cyber-attack to all but the most sophisticated attackers.
If no lesser man than Kocher is advocating it, it’s probably good advice.