Security industry must get hard on cyber threats, says expert
Cryptography Research's Paul Kocher says industry should focus more on hardware-based security
The security industry should focus more on embedding security in hardware rather than software.
This is the view of Paul Kocher, president and chief scientist at security firm Cryptography Research, and it runs counter to what many commentators on the subject argue.
Speaking exclusively to Computing, Kocher said that security software may be effective against viruses, but it won't withstand a persistent targeted attack.
"Security software is best at addressing threats such as viruses that propagate widely and are therefore known to the security software developer.
"Security software can also help limit the amount of functionality that a malicious adversary can directly access, but is much less effective against targeted, customised attacks."
Those who argue against security embedded in the hardware say that hardware isn't adaptable to new threats.
For example, Jay Abbott, director of UK threat and vulnerability management at PwC, said: "Moving security into hardware brings performance and complexity increases, but also creates inflexibility to change."
But Kocher explained that even a perfectly written piece of security software still won't necessarily protect a device from failures in other programmes.
"Suppose you write a secure email application and, for the sake of argument, make your program completely bug-free. Even though your program is perfect, your users will also run other applications.
"For example, if a user visits a web site that exploits a vulnerability in the user's web browser, an adversary can install some malware on the user's computer. Even though your application was not at fault, that malware can compromise the security of your email program."
Security in hardware will help protect against software vulnerabilities elsewhere, he said.
"With hardware you can achieve much better separation. For example, if the email application and the browser ran on separate computers, vulnerabilities in the browser wouldn't automatically compromise the email application."