As a proudly British cyber security technology company, we’re delighted to see that in its revised Cyber Security Strategy (published today) the UK government reaffirms its commitment to “taking the lead in the technologies vital to cyber power”. The strategy commits Her Majesty’s Government to:
“strengthen our ability, led by the technical expertise of the National Cyber Security Centre (NCSC) and others across government, to identify the areas of technology most critical to our cyber power.”
One of those areas of technology – called out specifically in the strategy – is the need for “a robust and resilient national Crypt-Key enterprise which meets the needs of HMG customers, our partners and allies, and has appropriately mitigated our most significant risks including the threat from our most capable of adversaries”. The importance of cryptographic systems to national cyber security is deeply understood across the nation – an understanding built on countless retellings of Bletchley Park’s contribution to cracking Axis codes such as Enigma and Tunny. The strategy is quite right to emphasise the continued importance of strong cryptographic capabilities to protecting our most sensitive assets.
In today’s connected world, however, there is a second technology that we equally depend on to keep our most sensitive assets secure: the far less well-understood area of “Cross Domain Solutions”.
Cryptographic systems focus on keeping apart different “domains” – ensuring that a Top Secret domain holding Top Secret information can be kept firmly isolated even when it communicates across insecure transmission systems such as radio or the Internet. But in today’s connected world, it is no longer practical to keep these domains 100% isolated. Top Secret domains need to exchange information with allies, with lower-security systems, and even with the Internet. Doing this while preserving the levels of security we need is the job of Cross Domain Solutions (commonly known as CDS).
Discussion of CDS used to be closely held, but in recent years NCSC has started to become more open about the way the UK and its allies build and deploy CDS – for example, earlier this year it published its “Security principles for cross domain solutions” (https://www.ncsc.gov.uk/collection/cross-domain-solutions). Some of the UK’s allies are also becoming more open – for example, the Australian ACSC’s “Fundamentals of cross domain solutions” (https://www.cyber.gov.au/acsc/view-all-content/publications/fundamentals-cross-domain-solutions). However, in the United States, discussion of CDS remains closely controlled: American CDS vendors such as Forcepoint talk about initiatives such as “Raise the Bar” (https://www.forcepoint.com/blog/insights/raise-bar-one-year-later-where-are-we-now) but few details are publicly available.
The strategy does discuss long-term R&D initiatives such as more secure microprocessor architectures. But CDS is what the UK and its allies actually rely on today; it is an area where the UK has a strong technological lead with techniques such as hardsec (www.hardsec.org); and it is central to digital transformation efforts across military and national security organisations. What’s more, the latest-generation CDS technology is already (albeit marketed using different terminology!) making significant inroads into the mainstream cyber security market with banks, law firms, telcos and other CNI (in many cases without the buyers actually knowing of its CDS provenance).
This latest generation – of which Garrison is one but not the only example – can combine high levels of security with the sort of usability, scalability and high performance that holds out a really practical hope of making a significant impact on a broad swathe of cyber attacks. We applaud some of the potentially valuable – but risky – R&D bets that the UK Government is making. But we feel people should know about the work the UK Government and technology vendors such as Garrison are doing today to deliver the latest generation of CDS: technology that has the potential to scale up massively in the short term to deliver proven benefits across both national security and our broader digital infrastructure.