To: Will Levi
From: Ryan Andersen
Re: Labeling “Kill Switches”
Date: July 15, 2015
Will:
You asked me to look into computer chip integrity and the possibility that “kill switches,”
or hardware built into microprocessors that allows a remote user to access a device without the
operator’s consent or knowledge, could present a national security concern and a liability for
individual consumers. The Department of Defense drafted a report on the topic in response to
Senate Report 113-85 and S. 1429, and identified issues like the large volume of microprocessors it
uses and the difficulty in detecting kill switches as areas of ongoing vulnerability. The Department
devised several plans, however, to correct that vulnerability, including the development of
hardware able to detect kill switches and other microprocessor defects. Dr. Phillip M. Adams also
wrote a memorandum on the issue, suggesting that the Consumer Product Safety Commission
could use its regulatory power to require microprocessor manufacturers to label their products if
they include a kill switch. It is unlikely, however, that such an action would fall within the
Consumer Product Safety Commission’s scope of authority.
You also asked me for recommendations for future actions. The Defense Department’s
report indicates that its complex supply chain, the volume of microprocessors it regularly acquires,
and the difficulty in detecting kill switches make it somewhat vulnerable to an attack utilizing kill
switches. Therefore, such a scenario should be included in national security contingency plans. It
would also be prudent for the Department of Defense to coordinate with private entities to ensure
the safety of critical infrastructure as it works to minimize the vulnerability to kill switches and
regularly inform Congress of its progress in that direction.
Discussion
Kill switches pose a potential threat to both national and consumer security. Generally,
they are difficult if not impossible to detect before they are activated. California is currently the
only jurisdiction with a law related to kill switches. That law requires smartphones to have a kill
switch that can shut down a device in the event it is stolen, in order to protect the owner’s
personal information. Consumer rights groups argue that engineering back-door access to a device
could allow a hacker to use that same door to remotely shut down a device as well, thus allowing
cybercriminals another avenue of action.
This concern also applies to government agencies, particularly the Department of Defense.
Because the vast majority of microprocessors are manufactured in Taiwan and China, there is
concern that military or other critical components contain kill switches manufactured by the
Chinese for the purpose of sabotage. While some military equipment uses custom-built electronics,
the Department purchases a substantial amount of off-the-shelf equipment that could be
vulnerable. In 2003, the Department of Defense began reviewing its acquisition process and
developed protocols for future actions including protecting a domestic microprocessor
manufacturing base, working with the National Security Agency to fully identify related
vulnerabilities, and accrediting trusted providers. The Department is also developing hardware
able to detect a kill switch. The sheer volume of microprocessors the Department regularly
acquires, however, and the difficulty in detection make the task of combating kill switches
problematic. The Department’s report states that conventional methods of detection “will not
uncover intentional and surreptitiously implanted flaws” within a microprocessor.
Recommendations
The difficulty in detection is one reason why labeling microprocessors if they contained
kill switches would be ineffective. Without a means of verifying compliance, a statute requiring
manufacturers to label their products would rely solely on manufacturers’ assertions that non-
labeled microprocessors did not contain kill switches. This creates a regulatory environment where
the regulators cannot verify compliance unless a kill switch is activated. Therefore, labeling could
not prevent any harm a kill switch might inflict; regulators’ only actions would be in reaction.
Even if labeling microprocessors could be effective, however, the Consumer Product Safety
Commission does not possess the regulatory power to force microprocessor manufacturers to label
kill switches. The Consumer Product Safety Commission derives its authority from 15 USCS §
2058. In order for something to fall within the Commission’s scope of authority, it must incur the
“risk of injury.” This is defined as “a risk of death, personal injury, or serious or frequent illness.”
While it is not inconceivable that a kill switch could, depending on the nature of the affected
device, cause physical actions to occur, remotely accessing and shutting down most computer
systems does not produce the risk of injury defined in 15 USCS § 2058. Therefore, the Consumer
Product Safety Commission does not likely possess the regulatory authority to force
manufacturers to label kill switches.
Despite these challenges, there are proactive measures that can be taken in response to kill
switches. Both consumers and the military should prepare for an event related to kill switches. One
promising development is the Department of Defense’s ongoing development of hardware that
will detect kill switches. The Department should be encouraged to share this technology with
critical infrastructure when it becomes available, and continue to update Congress as to its progress
on the issue.
