Hackers are Taking Advantage of Gaps in U.S. Cybersecurity Policy

When you press the power button on your computer, it turns on because a specialized code called firmware turns this stimulus into a signal the computer can understand. Firmware is constantly at work because it is the link between a device’s software and every piece of a device’s hardware, including its camera, microphone, keyboard, and cooling systems.

Firmware is necessary not just for personal devices like phones and gaming consoles, but for systems that ensure the supply of clean water and reliable electricity to homes across the country. It’s easy to take firmware functions for granted, but hackers can take advantage of vulnerabilities in firmware to take control of a device, steal data, or disable the device entirely.

This can be infuriating if it’s your phone, but catastrophic if the device is a switch controlling the flow of electricity around the country. The federal government has published best practices for protecting firmware, but its framework grows increasingly outdated and lacks any compliance incentives. This must change.

Firmware-based cyberattacks have increased dramatically in recent years. Russian hackers, for example, used firmware vulnerabilities to disable internet access across Europe at the start of the 2022 invasion of Ukraine. An earlier Microsoft report revealed that 83 percent of surveyed companies have suffered a firmware-related cyberattack.

Hackers can corrupt firmware at any point along its supply chain. They can corrupt the initial build if companies writing the code lack robust security controls. After the devices are purchased and in use, hackers can hijack the over-the-air patches intended to update or upgrade the firmware.

What’s more, these attacks can be hard to detect until it’s too late. Because firmware operates at a separate level from software, virus scanners are unlikely to detect firmware problems. And if malware is discovered, getting rid of it can be difficult. Even a full hard drive reboot, which deletes all data and files stored on a device, is unlikely to fix the problem. One Chinese firmware attack survived multiple updates and reboots because the malware continuously scanned for updates and copied itself into the new files.

Nevertheless, policymakers in Washington have not been sufficiently focused on firmware security. In the summer of 2022 Congress passed the CHIPS and Science Act, an expansive law promoting the development of advanced technology in the United States. The law mentioned “firmware” only once in 394 pages. Similarly, in April 2023, the federal government published guidelines urging manufacturers to build systems that are “secure-by-design” and “secure-by-default,” meaning they should be ready from day one to protect themselves against malicious threats. The October update to these guidelines mention firmware in passing just once. How secure can a device be if a vital part of its code is left out of the security equation?

Before the recent rise in firmware attacks, the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce had created a framework, NIST 800-193, to provide standards and best practices for firmware security. It serves as a helpful document that encourages manufacturers to protect firmware and detect malware, but it falls short in a number of key areas. It does not, for example, provide standards for how to provide timely firmware updates and patches. The framework predates secure-by-design concepts, so it does not address them. Nor does NIST 800-193 discuss how to employ Software Bills of Materials, a tool that can identify known vulnerabilities and indicators of risks in code.

Remedying these problems is straightforward: the White House should direct NIST – and Congress should provide any necessary funding – to rewrite NIST 800-193.

But updating this guidance will have limited impact as long as adherence is optional and inconsistent. Implementing rigorous security standards requires additional time and money, and until market forces or regulations demand compliance some firms will likely still avoid taking the necessary steps. And so, as we outline in a new memo on firmware security, the federal government needs to encourage private companies to comply with the security framework. To that end, the federal government should only purchase technology that is compliant with NIST 800-193. The White House should then work with Congress to develop financial incentives such as carefully targeted tax breaks for companies responsible for critically important infrastructure to voluntarily purchase only products adhering to NIST firmware standards.

These actions can drive demand for secure devices, encouraging manufacturers to take firmware security seriously. Swift action must be taken if devices embedded across U.S. critical infrastructure and Americans’ personal devices are to ever be truly secure.

Rear Adm. (Ret.) Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies. He directs CSC 2.0, which works to implement the recommendations of the Cyberspace Solarium Commission, where he previously served as executive director. Michael Sugden is a research analyst and editorial associate with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD).