Debunking Three Myths about Hardware Security


The federal government should consider hardware-enabled security approaches.

Because cyber criminals have proven over time that they are capable of circumventing the wealth of software-based security solutions intended to stop them, federal agencies need to consider taking an entirely different path: one which opts for hardware-enabled alternatives.

In doing so, they’ll embark upon what looks like the next revolution in cyber defense: Shipments for hardware supporting digital authentication and embedded security will reach 5.3 billion by 2024, doubling the number of shipments in 2019. Overall, the hardware security modules market will exceed $2 billion by 2027, up from about $828.3 million two years ago. True, traditionalist thinkers in government restrict these advancements to uses such as the safeguarding of classified networks via cross-domain solutions. They also contend that hardware is too expensive, impractical and difficult to deploy broadly as a security tool.

But they are wrong.

With state-sponsored attacks targeting a much larger range of victims than classified networks, it’s critical to come up with more formidable tactics to counter them. That’s where hardware can perform an essential role—especially once we debunk the following three myths which are holding back a widespread transformation.

Myth #1: Hardware Security is Too Niche

Reality: Yes, chip designers have deployed hardware security by baking protection features into their products, which means this form of defense has been relevant to only those who invest millions to make their own chips.

But emerging architectures using what are called field-programmable gate array, or FPGA, silicon chips are presenting a compelling case for broader adoption. FPGA chips are integrated circuits which security teams program strictly by using specific physical FPGA pins. Subsequently, the teams ensure that the ability to reprogram the chip is limited to those who are authorized to access a well-protected privileged management environment. Attackers are kept from doing so because they cannot physically transmit data to the pins.

Myth #2: Hardware Security is Difficult

Reality: Despite being hardware devices, FPGA chips make it easy to enhance security functionality because teams can use them to program and reprogram protective measures without the need for physical changes. Yet, as opposed to complex and flexible software-based tools that give adversaries abundant opportunities to exploit, hardware-designed controls are relatively simplistic and narrow. They will do what they are originally told to do, and nothing else, i.e., they are “too dumb” to be hacked.

As a result, FPGAs present an ideal combination: Features that are better positioned to ward off attacks, while allowing updates much in the same way agencies apply software updates.

Myth #3: Hardware Security is Expensive

Reality: This is the biggest myth of all. Here’s why:

  • Hardware reduces the cost of operations. It leverages lower-level computational techniques compared to the Turing machines on which we run software. Simpler computational models greatly eliminate bugs and, even if bugs exist in the hardware, it’s much harder for an adversary to exploit them. In contrast, software is all about taking on the significant costs and burdens of performing constant patches. This, in turn, reveals the fundamental weakness of software—that hackers latch upon inevitable mistakes to potentially take unlimited control over systems and platforms. Hardware brings the peace of mind which comes from no longer depending upon endless “hurry up and patch!” cycles.
  • It lowers the cost of development. Indeed, developers produce software “on the quick and cheap.” But the end product often isn’t very good. To get it right, agencies need to spend a lot of money. In the cross-domain space, for example, the National Cross Domain Strategy Management Office oversees design and implementation requirements for solutions so every “i” is dotted and “t” is crossed—standards that cannot be achieved without spending huge amounts on every software product. While hardware generally involves a higher entry cost, it’s less expensive to develop while obtaining much more effective controls. How so? Because it avoids the enemy of software security—incredibly complex platforms. In addition, the comparatively few mistakes typically do not lead to financially damaging compromises because, again, hackers find it much more difficult to exploit them.
  • It lowers the cost of equipment. This may sound absurd … It’s actually cheaper? But dedicated hardware really is often less expensive than commodity servers. It is also becoming increasingly commoditized, with component options to include small, low-cost devices.

Clearly, government agencies are not going to transform overnight from traditional security strategies. But, more than ever, they’re recognizing that sticking with same software-based approaches amounts to sprinting on a treadmill and getting nowhere while cyber criminals are zooming ahead of them in race cars.

In other words, rapid advancements in attack methods require a completely redefined game plan. Simply stated: Security software is difficult and few get it right. To pursue an alternative that is easy to develop, reprogram and oversee while refusing to allow enemies inside the gates, government leaders must turn to hardware.

Henry Harrison is co-founder and CSO of Garrison.