Wave Systems Corp. (fka WAVXQ)

[New Wave]

Notes form the NSA conference:

After several days of traveling I finally had time to prepare the following notes. Enjoy.

After years of TC exposure only at Wave SHMs, my exposure to a much wider assemblage of resources at the 2nd annual NSA conference was both educational and enlightening. Prior to the conference I really didn’t expect more than the usual vague statements from the US and UK governments regarding deployment plans for the millions of TPMs installed throughout their networks. Commitments from these big influencers has for years been critical for the launch of a broader TPM centric trust matrix. In conversations with various officials from government and systems integrators I was very pleased to learn that there is indeed a serious plan to move forward to deploy TPMs across the DoD and among a handful of systems integrators during the first half of 2012.

Of course these plans still need to be executed, but there was a palpable sense of urgency that didn’t exist at last year’s conference from what I’ve read. In order to appreciate the significance of the government’s change in sentiment since last year’s conference I highly recommend reading the following article written last week by General Keith Alexander, head of the US Cyber Command: http://www.washingtontimes.com/news/2011/sep/13/computer-based-attacks-emerge-as-threat-of-future-/print/

The evolutionary progress of trusted computing since this time last year is evidenced by the growth of this conference. Attendance went from the upper 400s to around 700, and the number of exhibitors doubled to 56. Then there are also two major players in trusted computing, Google and VMware, who are not even members of the TCG, demonstrating how the movement has seeded wider growth in the market.

The dominant theme at the conference was about the growing incidence of daily cyber attacks on government and industry, as well as the greater threat of a cyber induced national catastrophe. Emphasis was also placed on the ease with which criminals and foreign actors can penetrate existing software based cyber defense systems and how effectively these vulnerabilities could be amended if TPMs were rightfully deployed across networks. TPMs, by the way, were the darling of the conference, and the daily mantra was “turn on your TPMs.”

So why don’t the government and systems integrators just go out and turn on their TPMs already? First, the management technology they’ve decided upon was only recently made available, and this will soon move to the pilot stage for proof of concept for Cyber Command. The government is also working with the major PC OEMs to implement a process whereby they can initialize legacy TPMs in older machines (newer PCs are being delivered w/ TPMs turned on) without any physical touch aside from PCs needing to be powered up overnight. This feature should soon be ready. Finally, before TPMs are activated the BIOS in each machine will need to be refreshed with tools provided by the PC OEMs. I heard two estimates on timing for implementation with DoD: 6 months and mid-2012. Then we’ll finally begin the process across government and industry to close the doors on the outlaws of trust.

I asked a representative from a large aerospace and systems integrator how serious they were about fully deploying TPMs across their networks and whether they had been motivated by the Lockheed incident. He said they were absolutely going to deploy, and then with a smile he said, “Lockheed wasn’t the only one, but that’s all I’m going to say.” He wasn’t clear on the timing for deployment but mentioned that they and other systems integrators had completed their own pilots and were now working together in an advanced pilot to develop a comprehensive integration plan for existing infrastructure. They’re also being pushed by the government to be ready to provide installation services ahead of government deployment, so it’s possible we could see some of them deploy across their own networks first. One of the track sessions featured a panel of Northrop Grumman, Boeing, Raytheon and Wave (SKS) discussing the critical need for DIB companies to secure their supply chains with TC.

PwC made an excellent presentation on the benefits of enterprises using TPMs to secure X.509 certificates and PKI for their networks. The presentation was made by an individual from their business division rather than IT, and this indicates they’re now more comfortable with public promotion of the technology. Business representatives are making similar presentations throughout the year at other venues such as the February RSA conference. On deployment, PwC is expected to have this completed in the first half of next year, after which their consulting division will be better positioned to recommend TC solutions to clients, although I believe they’ve already done some work with government agencies like Britain’s CESG. I didn’t specifically ask, but I suspect their own deployment timing is being coordinated with overall government plans to go live in 2012. On enterprise management, several at Wave expressed the opinion PwC would eventually use ERAS.

I spoke with Brian Berger about the possibility of Microsoft planning to offer TPM management software to support the client side BIOs integrity and boot measurement features included with Windows 8. He said there was currently no evidence of this and that Microsoft has been encouraging other ISVs to provide these tools. He agreed that it could be politically difficult for Microsoft to control both the OS and end-to-end trust. In a related discussion Steven said it would be a matter of time before the larger security vendors like McAfee and Semantec would enter this market, much as they have done with SEDs.

SEDs are expected to be mandated by the government in time for the 2nd buy cycle in next year’s budget which would be in the spring. In the meantime incremental SED deployments are occurring.

In closing, the endless wait for large scale TPM deployments should be over in the first half of 2012, but more important, our nation’s cybersecurity will finally have a credible defense.