David Kleidermacher, BlackBerry’s new Chief Security Officer, who joined a few months ago with decades of experience in high assurance security for US defence and government agencies and flight control software for commercial airliners, is pushing a new BlackBerry Centre for High Assurance Computing Excellence (CHACE). The initiative is all about expanding BlackBerry’s research and development (R&D) efforts alongside industry and academic research in the area of high assurance for vulnerability prevention, to drive worldwide innovation and improvement in computer security. CHACE would not be run from inside BlackBerry but would be an independent testing organisation supported by BlackBerry, academia, industry bodies, and perhaps other vendors if things go as per BlackBerry’s plans. The end-goal is that devices, applications, etc, would be certified for high assurance by CHACE as part of a service delivered by CHACE.

In a press conference in San Francisco on the sidelines of the RSA Conference focused on security technology, Kleidermacher mentioned that the current inability to manage massive complexity in software, combined with trends like IoT and the pervasiveness of cyber attackers, meant that the answer didn’t lie in just pushing businesses to patch faster, but in building products devoid of vulnerabilities from the ground up. He explained that while this was already happening in defence projects, for commercial jets, NASA’s space shuttle, etc, it had not been done at scale and was also very expensive, costing nearly a thousand US dollars per line of code to ensure high assurance. In the general business space, by contrast, it mostly took a few dollars to a maximum of a hundred dollars, and high assurance was therefore usually ignored in the quest to maintain lower cost.

“As the number of connected devices multiplies, so do the threats to security and privacy,” said Bob Egan, CEO, Sepharim Research Group. “Organizations need to rethink the way they approach security and transition from a reactive posture to one that is proactive and promises the greatest defence against sophisticated cyber attackers.”

BlackBerry’s answer is CHACE, which aims to reverse the current paradigm with the development of tools and techniques that deliver a far higher level of security protection than currently available and at a reasonable cost. CHACE will extend BlackBerry’s globally respected competencies in vulnerability prevention and enable the application of high assurance security research to real-world products and services.

How would this work?

One example that Kleidermacher gave was of the possibility of drug delivery for diabetes patients through wireless devices, which the US FDA is currently dead against because there is no organisation that has set a standard against which prospective technology developers and healthcare providers can be benchmarked, and the FDA is loath to go ahead without being 100 percent sure of the safety and fail-proof capability of such technology for humans.

“Next-generation mHealth systems and Internet of Things devices, such as the artificial pancreas for people with diabetes, can dramatically improve quality of life. However, these wireless devices are inhibited from realizing their full potential by an insufficient assurance of security and privacy afforded by current commercial development practices,” said David Klonoff, M.D., President, Diabetes Technology Society and Clinical Professor of Medicine, University of California, San Francisco. “BlackBerry is assisting Diabetes Technology Society to foster the high assurance security processes and standards needed to turn promise into reality for patients with diabetes and other diseases.”

Kleidermacher said that most such high assurance vulnerability prevention research was in academia, which found it difficult to build a business case, and hence BlackBerry was kick-starting the effort to build CHACE as an independent testing organisation. BlackBerry claims a number of academic institutions have already expressed support for CHACE, according to excerpts from a BlackBerry press release below. However, Kleidermacher refused to name any vendors that were showing interest in the CHACE initiative.

“Cybersecurity education and applied research is a priority at Cal Poly,” said Debra Larson, Ph.D., Dean, College of Engineering, Cal Poly San Luis Obispo.
“The school’s new Cybersecurity Centre reflects our goal to be at the forefront of preparing the next generation of engineers to ensure the safety of cyberspace in our technologically interconnected world – as well as enhance the user experience of navigating that world. BlackBerry’s Centre for High Assurance Computing Excellence is creating exciting new opportunities for university and industry collaborations on this new frontier of innovation, economic activity and security.”

“Given the challenges we face in a modern society that increasingly relies on computing, I believe that establishing a research centre focusing on high assurance software is timely and visionary,” said Tevfik Bultan, Professor, Department of Computer Science and Director, Computing Verification Lab (VLab), University of California, Santa Barbara. “I strongly support BlackBerry’s Centre for High Assurance Computing Excellence.”

“I commend BlackBerry for its CHACE initiative, which gives participants the opportunity to collaborate on solutions that attack critical security challenges,” said Daniel Kroening, Professor of Computer Science, University of Oxford.

“BlackBerry and the University of Waterloo enjoy a strong partnership that has served as the foundation for groundbreaking research,” said Dave Dietz, Director, Engineering Research, University of Waterloo. “The BlackBerry Centre for High Assurance Computing Excellence will be another avenue for us to collaborate on projects critical to secure computing and introduce new technologies to the world.”