The revelation from Google’s Project Zero team and others that the way memory is handled in modern computer chips creates 2 major security vulnerabilities doesn’t come as a surprise, but will take time and money to mitigate and much of the Moore’s law increases given us in all last year’s new processors will be swallowed up by the work-arounds and patches needed to prevent smart hackers from mining sensitive data from all types of computers.
The microprocessor designers and fabricators (Intel, AMD, Qualcomm, Apple, IBM, Oracle, ARM, Fujitsu and others) and operating system suppliers (Microsoft, Google, Oracle, Red Hat and others) have done well to talk to their customers about the vulnerabilities in their products and publish road maps of patches, which will mitigate them – but these will add processing overhead and create a headache for leading digital companies providing near real-time answers by processing masses of sensitive unstructured personal data. It will also put up the costs of multi-tenanted cloud services and slow down their adoption, especially by those who have always believed they were unacceptably insecure. Cybersecurity companies – already enjoying the benefits of extra spending to meet the requirements of the EU’s GDPR and other new data protection legislation – will be making even more from providing countermeasures and extra protection.
Most chip and operating suppliers have reacted by producing patches, which will have varying negative effects on processing times, forcing more reboots and (in rare cases) stopping your computer from working altogether. Unfortunately these vulnerabilities affect universally accepted multi-processing techniques, which predict and pre-fetch data into the microprocessor’s cache memory, rather than a flaw in specific chips – which is why the patches are work-arounds rather than fixes. Only a few products have been declared to be free of vulnerabilities, including Apple’s iWatch and IBM’s storage appliances.
Client devices – 61% vulnerable, 3% extra processing for mitigation
As a smart phone, tablet and/or PC user there’s little more you can do than change your passwords regularly, perhaps stop using password keeping software, install the upgrades offered by your operating system suppliers and reign back on how deeply you want to immerse yourself in the digital world. It’s more likely that an associated cyber-attack will be on the servers holding your private data than your device itself, but it’s worthwhile changing your password to stop criminals from identifying you from using past data breaches such as those at Yahoo and Uber.
In total 61% of the 4.4 billion client devices installed to the end of September are potentially vulnerable to Spectre and/or Meltdown and the extra processing overhead required for changes in operating systems is 3% at an extra cost of $18b.
Enterprise devices – 73% vulnerable, 8% extra processing for mitigation
As an enterprise computer user you need to think about the security, performance and cost consequences of adopting or building advanced (especially multi-tenanted) cloud services. These vulnerabilities only affect ‘open’ systems, since firewalls can prevent any outsider from accessing your storage appliances and other ‘closed’ ones; unfortunately the proportion of ‘closed’ systems is small and decreasing. I’m particularly concerned about the vulnerability of edge computing and IoT devices, many of which will be easier to attack than data center equipment.
Data encryption (on the increase to help reach compliance with DPR and other data protection legislation around the world) won’t help you today, since the potentially accessible data will be unencrypted in cache memory. It’s possible that homomorphic encryption will help you in future, but – like every other counter measure – it will require extra processing, processors and budget to run.
Altogether 73% of the 97 million installed enterprise computing devices are vulnerable to Spectre and/or Meltdown – the extra processing overhead will be 6%, which is equivalent to $8b extra spending.
Cloud computing – $10b more needed for mitigation
Public cloud service suppliers are of course also enterprise computer users selling their services to business and consumers. They are particularly vulnerable to potential Spectre and Meltdown attacks – especially when providing multi-tenanted services. Addressing the vulnerabilities will be hardest for the largest who design and build their own systems, taking out elements to maximise efficiency in the process. I estimate that the extra costs of mitigation will be $10b – 6% of the total annual spend. Of the three types of cloud service, SaaS is the most vulnerable – since criminals will have an idea of what types of record and transactions they may discover through their attacks.
The mitigation costs will come out of the pockets of both users and suppliers. In fact the total will probably come up short of the $37b I forecast, because some will decide to modify their systems from ‘open’ to ‘closed’, while others will chose not to install patches in order to maintain their processing speeds however insecurely for their customers. However the total cost of the Spectre and Meltdown vulnerabilities will be far higher than the mitigation costs, as users invest even more in cybersecurity protection and counter measures. My advice to all users is to continue to review and enhance the virus checkers, immunisation and firewall solutions you use and ask your cloud service provider for assurance that it’s going to address these vulnerabilities seriously without increasing costs significantly.
There is no evidence yet that criminal have exploited the Spectre and Meltdown ‘vulnerabilities’, but there’s no doubt that they’re working on it. I fear that unscrupulous BitCoin miners will turn to sensitive data mining now the value of their target crypto-currencies has crashed. So let’s do everything we can to prevent them from being successful
There are few safety barriers in our headlong drive into the digital future – and we’ve just discovered that our engine’s leaky!