In late 2017, it came to light that almost all computers world-wide share a common security flaw that leaves them vulnerable to being hacked. The discovery was made simultaneously by two separate teams of researchers who have attributed the vulnerability to the way computer chips (or CPUs) have been designed since the 1990s. While patches are available, they have been shown to reduce performance. For most users, this isn’t a problem, but for businesses that rely on speed for their competitive advantage, there is a difficult choice to be made between patch and performance.
The Project Zero Team at Google, and Cryptography Research at Rambus, discovered three variants of the same flaw: variants one and two are referred to as Spectre and variant three as Meltdown. Meltdown affects only those laptops, computers and servers that have Intel chips, whereas Spectre affects certain types of smartphones, tablets, computers and servers that are powered by Intel, ARM and AMD chips.
To increase computing speed, manufacturers designed CPUs to initiate certain tasks before they are asked to do so. This guesswork is called speculative execution. It works by the CPU sending two trolleys of data to the cache (a kind of loading bay), with one trolley branching off to carry out the present command and the other going to the speculative branch in anticipation of the next most likely command. If the user commands as expected, the guesswork pays off, as some loading time has been saved; if the command is not as expected, the trolley disappears.
However, we now know that it is possible for the first data trolley to cross the boundary into the speculative branch and access the data in the speculative trolley before it disappears. In essence, this is a timing error. While this does not allow any potential hacker to choose what they see, it would only be a matter of time before a trolley filled with passwords, financial details or other sensitive information entered the speculative branch and the hacker’s view.
Technology firm CERT told Winbuzzer that, in the long run, the only solution is to physically change the way CPUs are built. In the meantime, “there has never been a more coordinated and effective effort to squash such a widespread low-level flaw,” according to cybersecurity firm CYLANCE. These efforts have amounted to software patches. Whilst patches are effective on Meltdown, they are less so for Spectre, which requires hardware change. Moreover, software patches will likely lead to performance drops, as the patch effectively isolates the speculative trolley from the other branch, thereby removing any benefit to be had from the chip’s guesswork.
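Whether those software patches are actually active on a given Linux machine can be read from the kernel itself. The following is an added example, not part of the original article: it assumes a Linux host that exposes /sys/devices/system/cpu/vulnerabilities and falls back to constructed sample values elsewhere; the function names and the "partial" category are choices made for this illustration.

```python
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# The article's three variants, keyed by the Linux sysfs file name for each.
VARIANTS = {"spectre_v1": "Spectre (variant one)",
            "spectre_v2": "Spectre (variant two)",
            "meltdown": "Meltdown (variant three)"}
# Constructed sample values (not from a real host), used when sysfs is absent.
SAMPLE = {"spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
          "spectre_v2": "Vulnerable",
          "meltdown": "Mitigation: PTI"}

def classify(status):
    """Map one kernel status line to a patch state."""
    if status is None:
        return "unknown"  # no file: the kernel does not report this variant
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        # Assumption of this example: a mitigation line that still mentions
        # "vulnerable" (e.g. "...; SMT vulnerable") counts as only partial.
        return "partial" if "vulnerable" in text.lower() else "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_statuses(sysfs_dir=SYSFS_DIR):
    """Read the kernel's report for each variant; None where it has no file."""
    statuses = {}
    for name in VARIANTS:
        try:
            statuses[name] = (Path(sysfs_dir) / name).read_text().strip()
        except OSError:
            statuses[name] = None
    return statuses

def needs_attention(statuses):
    """Variants that are neither fully mitigated nor reported as not affected."""
    return [label for name, label in VARIANTS.items()
            if classify(statuses.get(name)) not in ("mitigated", "not_affected")]

if __name__ == "__main__":
    live = read_statuses()
    statuses = live if any(live.values()) else SAMPLE  # fall back off-Linux
    for name, label in VARIANTS.items():
        print(f"{label:26} {classify(statuses[name]):13} {statuses[name]}")
    print("Needs attention:", needs_attention(statuses) or "none")
```

A "mitigated" result means only that the kernel reports a software mitigation as active; it says nothing about the performance cost of that mitigation or about the underlying hardware design.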
Some researchers have measured the effect of this slowdown as being as high as 30%, but most, including Intel, show a reduction of between 2% and 14%. Intel believe that any impact will be “workload-dependent” and “should not be significant” for the average user. However, independent security analyst Graham Cluley told the BBC that users are likely to notice the drop in speed “if [they’re] doing something more intensive… like performing a large number of complex calculations, or processing large amounts of data.”
These words ought to concern financial traders and banks who rely on Automated Trading Platforms (ATP). These systems use algorithms to make decisions in milliseconds that a human would need minutes to make. Being quicker than the rest of the market allows them to execute more lucrative trades. Traders will probably think twice before installing patches that diminish or destroy this competitive advantage.
However, at the same time, these companies will not want their trades exposed to hackers. Meltdown and Spectre would theoretically allow would-be hackers to observe any data entering the speculative branch, which may include the algorithm or trading parameters the ATP relies on or, if they are trading on behalf of a client, the personal information of that client. Therefore, any company considering whether to sacrifice security to maintain its competitive advantage will have to factor in regulatory requirements.
In a blog statement, the Information Commissioner’s Office Head of Technology Policy, Nigel Houlden, said “failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”
The Data Protection Act 1998 holds that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data. In considering what is appropriate, the ICO would have regard to the state of technological development and the cost of implementing any measures. The ICO are unlikely to be sympathetic if traders choose not to patch, for a number of reasons:
- The ICO do not hesitate in penalising companies that hold extremely sensitive information on their customers, as evidenced by the fact that they have taken enforcement action against financial businesses more than any other category of business, second only to marketing.
- The measures taken by Data Controllers must ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing and the nature of the data to be protected. The data held on a trader’s computer will often relate directly to individuals’ bank accounts, pension or saving fund details, tax information and addresses. Whilst not all personal data, the unauthorised processing of this information could cause great harm.
- The GDPR regime imposes much higher costs on non-compliance. Any company which is yet to take the appropriate technical steps and patch their software should therefore beware that this competitive advantage may in future be a disadvantage.
Meltdown and Spectre are likely to remain front and centre until Intel, AMD and ARM figure out how to remake their CPUs so as to fix the flaw without compromising performance. In the meantime, companies reliant on ATP have to decide whether their competitive advantage is worth risking potential fines.