In this week’s Security Ledger podcast: Joe Unsworth has covered the semiconductor space for Gartner for 15 years, but he has never seen anything like Meltdown and Spectre, the two vulnerabilities that Google researchers identified in a wide range of microprocessors. Joe joins us to talk about what the flaws will mean for the major chip vendors. Also: we kick off 2018 with a pair of predictions for the New Year from two of the smartest guys in the information security business. Lawyer and Lawfare blogger Paul Rosenzweig speaks with us about the year ahead, including the possibility of a data war between the US and the EU. And Experian VP for Consumer Protection Mike Bruemmer comes in to talk about that company’s Data Breach Industry Forecast for 2018.
The big news last week came from researchers at Google and elsewhere, who discovered serious vulnerabilities in software that powers the processors in most computers, laptops and smart phones.
Contrary to initial reports, the flaws dubbed “Spectre” (PDF) and “Meltdown” (PDF) are not limited to Intel chips; they exist in central processing unit (CPU) chips from a wide range of vendors, including Intel, AMD and ARM, according to a post on the Google Security Blog. Using them, a malicious actor who has already gained access to a system with a vulnerable processor could abuse a common CPU feature known as “speculative execution” to read parts of system memory that should be beyond their reach.
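For defenders, the practical question is whether a given host has the kernel-level mitigations the vendors shipped. The script below is an added example, not code from the Security Ledger post or from Google’s research; it assumes a Linux kernel (4.15 or later, or a distribution backport) that exposes the status files under /sys/devices/system/cpu/vulnerabilities/, and the status strings in SAMPLE are constructed to match the format those files use. It reads the live files when present and otherwise classifies the constructed sample so it can run anywhere.

```python
"""Report Meltdown/Spectre mitigation status from the Linux sysfs interface.

Added example, not part of the Security Ledger post. Assumes a Linux kernel
that exposes /sys/devices/system/cpu/vulnerabilities/ (4.15+ or a backport).
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# The three issues discussed above; later kernels add more files in the same directory.
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.lower() == "not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def report(statuses: dict) -> dict:
    """Classify every issue; an issue the kernel does not report is 'unknown'."""
    return {issue: classify(statuses.get(issue, "")) for issue in ISSUES}


def read_sysfs(directory=SYSFS_DIR) -> dict:
    """Read the live status files; returns {} when the interface is absent (older kernel)."""
    directory = Path(directory)
    out = {}
    for issue in ISSUES:
        path = directory / issue
        if path.is_file():
            out[issue] = path.read_text(encoding="utf-8")
    return out


def needs_attention(result: dict) -> list:
    """Issues an operator should follow up on: still vulnerable, or not reported at all."""
    return [issue for issue, state in result.items() if state in ("vulnerable", "unknown")]


# Constructed sample in the format the kernel uses (an early-2018 host with the
# page-table isolation patch applied but no retpoline-capable compiler yet).
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    source = live if live else SAMPLE
    for issue, state in report(source).items():
        print(f"{issue:11} {state:13} {source.get(issue, '').strip()}")
    print("needs attention:", needs_attention(report(source)) or "none")
```

A missing status file is deliberately reported as "unknown" rather than silently skipped: a kernel too old to expose the interface is also one that predates the fixes, so from a fleet-inventory standpoint it belongs in the follow-up list alongside hosts that report "Vulnerable".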
Small chips, big holes
The implications of the holes are huge, not just for the billions of users out there with affected gear, but also for the major chip vendors including Intel, AMD, ARM and more. To understand a bit more about the flaws and how they managed to affect chips by so many different vendors, we invited Joe Unsworth, an analyst at Gartner who has covered the semiconductor industry for the last 15 years.
Joe said that the reach of these holes is huge. “This spans all of microprocessors. This is an Intel, AMD, ARM. It’s also an IBM Power issue, a mainframe z Series issue and a SPARC issue. This has amazing reach. That spans PCs, smartphones, servers, pretty much everything using a microprocessor. I don’t think we’ve seen a security vulnerability of this magnitude.”
Prediction: a trans-Atlantic data war in 2018?
Up next: now that the New Year’s confetti has fallen, the big question on everyone’s mind is what 2018 will bring. There is no shortage of prediction lists from security industry luminaries. One of the most interesting sets of predictions I read was by Paul Rosenzweig, an attorney, a lecturer at George Washington University, a senior fellow at the R Street Institute and a contributor to the much-cited blog Lawfare. Paul struck a decidedly pessimistic note in his predictions – especially when it came to federal efforts to crack down on data theft and cyber crime and to safeguard the US election system.
I invited him into our studio to talk about his predictions for the New Year and I started by asking him to assess the most meaningful developments of the year just passed – 2017.
Data breach forecast: clouds on the horizon
And finally, the credit rating firm Experian has been reporting on data breach trends for a number of years. And, while it’s probably not accurate to say there has been no progress, it is fair to say that there hasn’t been notable progress in putting a halt to devastating intrusions and data thefts. That may not change in 2018, but one thing will: the stakes for companies that lose data. That is due in large part to the advent of an EU law: the General Data Protection Regulation, or GDPR.
To talk about the impact of GDPR and the rest of Experian’s Data Breach Industry Forecast for 2018, we invited Michael Bruemmer, the Vice President of Experian’s Data Breach Resolution Group back into the Security Ledger studio. He said that U.S. companies need to wake up to the potential of GDPR to impose substantial and even punitive fines on companies that mishandle data. And, while full compliance with the law might take years, in the short term doing something – anything – to move towards full compliance is better than doing nothing.