RSA is one of the world’s top security conferences and BlackBerry is always a big part of the event. BlackBerry announced an exciting new initiative today at the RSA Conference in San Francisco. The BlackBerry Center for High Assurance Computing Excellence (CHACE) aims to reverse the ‘fail-then-patch’ security model that has become so common today, using tools and techniques that deliver a far greater level of security protection than is currently available. CHACE broadens BlackBerry’s R&D efforts within the company to drive worldwide innovation and improvement in computer security.
Certicom Corporation, a subsidiary of BlackBerry Limited, also today announced a new managed public key infrastructure (M-PKI) certificate service for sensor networks and Internet of Things (IoT) applications.
We sat down with Dave Kleidermacher, Chief Security Officer at BlackBerry, to discuss the unveiling of CHACE and the new Certicom service for connected devices.
Dave, tell us what CHACE is and what it means for the future of secure computing.
DK: There’s a belief that the key to the world’s security issues is to patch faster, but this fails to address the root issue. Systems that require regular patching always contain vulnerabilities unknown to developers, and some of these vulnerabilities are in fact known by would-be attackers. CHACE is BlackBerry’s initiative to build systems that are clear of security flaws. CHACE will extend our state-of-the-art competencies in vulnerability prevention and enable the application of high assurance security research to real-world products and services.
How would you explain CHACE in simple terms?
DK: Fundamentally, CHACE is about finding and fixing security issues before they ever get into customers’ hands. In the past year alone, we’ve seen widespread issues like FREAK, Heartbleed and POODLE cause havoc across nearly all online technologies. We want to create automated scanning tools to find these issues quickly, efficiently and effectively across all of our products and services. We’re also working on groundbreaking new techniques to formally design secure systems and mathematically prove their security. This is something the tech industry desperately needs, and as the leaders in mobile and IoT security, it’s our job to push it forward.
Who will you collaborate with to raise the bar on security through CHACE?
DK: We’ll be collaborating with key academic institutions as well as industry groups that share BlackBerry’s commitment to high assurance practices. For example, CHACE will collaborate with the Diabetes Technology Society and other healthcare groups to address security and privacy concerns for next-generation wireless medical devices and applications.
What is high assurance computing and why does it matter?
DK: High assurance computing increases the security and reliability of systems. Raising the assurance of systems is the only way to get ahead of cyber attackers and to prevent breaches instead of simply reacting to them. High assurance becomes absolutely critical for the security, privacy and reliability required for IoT and other future technology.
How is BlackBerry positioned to lead this initiative?
DK: BlackBerry has a long history in high assurance techniques, including rigorous automated testing, deep vulnerability analysis, and formal methods to prove safety and security properties. Our expertise in this area has enabled the company’s products to achieve a wide range of quality, safety, and security certifications, such as:
• Approval of smartphone and Mobile Device Management (MDM) platform for use on U.S. Department of Defense classified networks
• Achievement of ASIL-D, the highest safety level under the ISO 26262 automotive electronics standard
• Compliance with IEC 62304 medical software standard and approval in life-critical medical devices
What is your first priority with CHACE?
DK: Our first priority is to collect current best practices and tools in the areas of static analysis, automated test generation, and model checking, and to release a first version of the CHACE high assurance toolset that will be used for the development of critical software components in upcoming products, such as next-generation mobile devices. Contributions to the toolset may come from active collaborations with universities, including Cal Poly San Luis Obispo and UC Santa Barbara in the U.S., the University of Oxford in the U.K. and the University of Waterloo in Canada.
Let’s switch gears to the Certicom news. Can you give us an overview of today’s announcement?
DK: The Certicom managed PKI certificate service helps device manufacturers and service providers secure their IoT networks and ecosystems, ensuring that the devices they connect are known and trusted. The service puts security certificates under Certicom’s management, meaning customers can focus more on their core business and less on security infrastructure and management.
Who will use the PKI certificate service?
DK: The PKI certificate service is available to device manufacturers and service providers, whether on the BlackBerry IoT Platform or as part of another connected device ecosystem or private network, with options for Elliptic Curve, hybrid, or legacy RSA-based device certificates. In fact, last week Certicom began issuing certificates for the smart meter initiative in the United Kingdom, a market with over 104 million smart meters and home energy management devices that conform to ZigBee® Smart Energy specifications. Certicom designed this new managed PKI certificate service to scale up to hundreds of millions of connected devices.
For more information about CHACE, visit www.BlackBerry.com/CHACE. To learn more about BlackBerry security, visit www.BlackBerry.com/Security. If your organization wants to join BlackBerry in the CHACE initiative, drop us a note at highassurance@BlackBerry.com.
If you’re at the RSA Conference this week, stop by the BlackBerry booth #1038 in the South Expo Hall or the Secusmart booth #4020 in the North Expo Hall.