It’s been a month or so since Spectre and Meltdown first entered the public conversation. It seems we can’t stop talking about these potential security issues baked into the major microprocessor architectures that run, well, everything. Understandably, Intel CEO Brian Krzanich and Advanced Micro Devices CEO Lisa Su have both had to address the problems in their earnings reports. The ARM army has been less visible in recent days, though ARM’s CEO Simon Segars responded to Spectre at CES.
I hope this conversation continues both in public and private. As The Economist wrote, the tech industry in general has some “soul searching” to do. My claim here is that this is not just a bug that needs to be fixed, like the infamous Intel Pentium math flaw in the 1990s. To fully appreciate this story, you need to apply legendary Intel CEO Andy Grove’s concept of the Strategic Inflection Point (SIP), a tool articulated in the book he wrote after the Pentium crisis, “Only the Paranoid Survive.” In short, we are discovering the degree to which our 21st century world sits atop 20th century thinking about the nature of technology.
The issues of the moment are not “bugs” like the Pentium flaw, in which the chip was not performing to its actual design. These current chips are apparently operating according to their designs. Journalist Don Clark, himself a veteran of covering the original Pentium flaw, recently did a decent job of untangling these issues in the New York Times. These are not “bugs” in the technical sense of the term. These are more accurately thought of as legacy design techniques that were innovations when they debuted 20 or so years ago. But they are now artifacts of a very different technology environment, from before the threat landscape became as sophisticated as it is today.
That environmental change creates a SIP by Grove’s logic. Drawing on Michael Porter, Grove argued that a 10x change in any one of five strategic forces could drive a SIP – and could be overlooked if the other four forces were relatively stable. Those five forces include new delivery methods for the product or service, plus four measures of the “power, vigor and competence” of: existing competitors, suppliers, customers, and potential competitors.
This last category is relevant to understanding the 20th century legacy in processor architectures. According to Grove, potential competitors include those that aren’t in the market yet but that, if they entered, would pose a new kind of threat because they could be “bigger, more competent, better funded and more aggressive than the existing competitors.” When techniques like speculative execution, one of the culprits in the current round of issues, debuted to accelerate performance, security threats were very different and security was largely viewed as a software problem; thus, making faster chips enhanced security by accelerating virus detectors and the like. As the threat landscape evolved, additional security hooks got bolted onto the core, but the core techniques remained.
However, if the security and integrity of computing writ large is at issue, then we need to expand the range of “potential competitors” to include what we now know to be state-sanctioned actors and globally organized crime. These actors can certainly be “bigger, more competent, better funded and more aggressive” than the basement hackers of the 20th century. To say it differently, does anyone doubt that we have witnessed a 10x change relative to the 1990s in the “power, vigor and competence” of those attempting to subvert our reliance on digital technology? And if these issues are really about the foundations of the computing environment we all rely on, then this SIP is not just about chip companies but every cloud provider, device maker and would-be Internet of Things service provider.
So, many more people need to be party to this conversation than Intel, AMD or ARM suppliers. Grove advocated a period of experimentation to see what really works in this new environment. For chip companies, perhaps that means security-first design approaches. But this 10x change in new forms of competition affects more than these chip companies, no matter how important their architectures might be.
This SIP is affecting lots of players and, well, only the paranoid survive.