By now, you’re likely up to speed on Meltdown and Spectre, two massive yet long-unacknowledged security vulnerabilities latent in PCs.
In case you aren’t familiar, these vulnerabilities are grouped together because they both take advantage of the “speculative execution” feature in modern hardware (i.e., your computer, rather than the software you run on it). Meltdown does this at the isolation boundary between the operating system and user applications, while Spectre does it at the separation between two apps.
Fortunately, Intel, Microsoft, and other companies have worked quickly to issue update patches that guard against these vulnerabilities. But why were they exposed for so long without action? What key lessons have Meltdown and Spectre taught us about the state of modern cybersecurity?
Let’s dive into the key lessons we should be learning from this experience:
1. The inherent risks of innovation.
Part of the problem here is the constant demand for innovation and progression, and chipmakers’ responses to this demand. Consumers want faster and faster processors for the same amount of money, which forces chipmakers to skip the quality checks that could have prevented such glaring security vulnerabilities. Innovation in other industries, like vehicle manufacturing, tends to introduce new features gradually, and only after they’ve been thoroughly tested for safety—but in the world of chipmaking, there are no such standards to maintain. Unchecked innovation almost inevitably produces security flaws like these.
2. Our current security blind spots.
Meltdown and Spectre also introduce us to some of our biggest security blind spots. Experienced app developers are typically tasked with combing their apps for security vulnerabilities, and making sure consumers are engaging in best practices like changing their passwords regularly and keeping their private information protected. However, these new vulnerabilities are inherent to hardware, and exploit the ways an operating system works. It’s a blind spot because few people are directly responsible for proactively catching flaws like these.
3. The effects of groupthink.
One of the most astounding aspects of the Meltdown and Spectre discovery is that the security flaws were discovered independently by four different groups around the same time, even though the flaws had existed for more than 20 years. There are several potential explanations for this, but one of the most obvious is that all our security teams around the world are thinking and acting in fundamentally similar ways. As an industry, cybersecurity minds function almost as a collective, which makes them efficient at solving problems that are already recognized, but inefficient at discovering new ones or thinking outside the box.
4. Hype and miscommunication.
There’s also something to be said for the amount of hype and panic that Spectre and Meltdown generated; these vulnerabilities weren’t revealed in a proactive, transparent way, and as a result, consumers incorrectly assumed they represented some colossal tech failure that put them at direct risk. While these flaws are important to note, they can’t be weaponized, and are unlikely to directly impact an individual user. Accordingly, tech journalists should have done a better job of explaining their “real” impact.
5. Silos and collaboration.
These flaws also make it evident that we need to encourage more collaboration among the different segments of the tech industry. If chipmakers, app makers, hardware manufacturers, operating system developers, and cybersecurity experts all worked together more closely, they might have been able to discover these vulnerabilities years ago. Specialization in the tech industry is important because it allows each branch to become more efficient and drive further innovation, but because all these different components are forced to interact with each other for a cohesive tech experience, specialization leaves gaping flaws in the gaps between them.
As with most security threats, there’s no single party to blame here. Hardware manufacturers, chipmakers, and operating system developers all played a part in producing this vulnerability, and security specialists dropped the ball in not noting these problems sooner. Even consumers failed by not asking the right questions, and by overhyping the issues beyond their real impact. Everyone has something to learn here as we move forward to an even more advanced age.