Research and analysis

CHERI adoption and diffusion research

Published 15 May 2024

This was published under the 2022 to 2024 Sunak Conservative government

Executive Summary

This research aims to help the Department for Science Innovation and Technology (DSIT) understand the potential market for Capability Hardware Enhanced RISC Instructions (CHERI) technology and how the Department can encourage and support the adoption and diffusion of the technology in semiconductors.

CHERI is a new technology which embeds security by design and aims to significantly strengthen systems security through the use of memory safe pointer architecture and secure compartmentalisation of memory.

The technology has been developed in the UK with support from the UK government through the Digital Security by Design (DSbD) programme, which has funded the development of a hardware prototype; enabled researchers and businesses to use the hardware and develop the software ecosystem; and demonstrate CHERI working in specific sectors and contexts.

The Current Potential Market for CHERI

This research has not been designed to provide a formal assessment of the size and scope of the semiconductor market, or the market for CHERI, in the UK. However, a key aim for the research was to understand the key parts of the semiconductor supply chain where CHERI would need to be adopted. The semiconductor supply chain is long, global and complex and some parts of the process are more relevant for CHERI adoption than others.

The key market segments for CHERI adoption within the semiconductor supply chain are chip designers and systems manufacturers. Software engineering is also important, as program code needs to be rewritten for the CHERI architecture to ensure the benefits of CHERI are fully realised.

The semiconductor supply chain has high levels of regional specialisation, and the UK is strong in chip design. A number of systems manufacturers have offices in the UK even if they are not headquartered here.

We identified 394 firms in the current potential UK CHERI market through an iterative process of searching in business databases such as Fame, reviewing the outputs and adapting our search terms based on the details of the businesses that we found. These firms cover the semiconductor sector and key demand sectors who would benefit from adopting CHERI, and include multinationals and SMEs. These firms have a combined GVA (Gross Value Added) of £196.5 billion. Please note that this is not an estimate of the number of semiconductor firms active in the UK and should not be used as such.

Other key global markets for the semiconductor industry include the USA; China; Taiwan; Japan; South Korea; Southeast Asia; India and Europe.

We have identified several key sectors who would benefit from CHERI adoption including telecoms, automotive, defence, Information Technology (IT), finance, health and utilities. We have prepared case studies for the first four (others faced similar challenges, benefits and enablers for adoption).

Awareness of CHERI

Awareness of CHERI has been largely driven by the DSbD programme and other government funded competitions. This has helped to develop an ecosystem of academics and people in industry who have experience of using CHERI. This core ecosystem is mostly based in the UK and includes 136 companies and an estimated 875 people, not including people within government. This estimate of the number of people is based on survey results of DSbD participants in 2022 which showed around 7 people were involved per firm.[footnote 1] This is likely to be a low-end estimate of people who are aware of and actively engaging with CHERI currently as we are aware that some firms who are very active in the DSbD ecosystem have many more than 7 people involved in their DSbD project teams.

The UK is a key centre for chip design Intellectual Property (IP). Arm is a key player,[footnote 2] but there are other significant designers based here. The US and elsewhere in Europe are also regions for chip design and there is evidence of awareness of CHERI in these regions due to Morello Board distribution and government activities to promote CHERI such as visits by senior UKRI staff to Japan. Early development of CHERI was funded by DARPA (Defense Advanced Research Projects Agency) which has also helped to enable awareness of the technology in the US.

While the initial prototype of the technology (the Morello Board) was developed by Arm, there is growing awareness of CHERI among the RISC-V open-source ecosystem and a growing appetite to develop CHERI technology for this chip architecture.

People who are aware of CHERI are typically technical, research and cyber security officers. There is less awareness of CHERI among marketing and senior decision makers in large companies. This is where effort should be focused as many of the significant barriers to CHERI adoption are not technical, they are economic, and would be expected to accumulate over time. This audience could respond to a presentation of CHERI as an investment with a positive ROI through increased efficiency and capability, rather than an ongoing security cost.

Recommendations: Raising awareness of CHERI

Based on our research, the sector most likely to adopt CHERI first is embedded systems and the Internet of Things (IoT). Other sectors such as telecoms infrastructure, automotive and defence are also possible future markets for CHERI but the adoption cycles in these sectors are longer.

These are the sectors to target and build awareness in. Some recommended activities, which build on the outputs of the DSbD programme, include:

  • Sensible (not fearmongering) presentation of increasing hostility of online environment to senior decision-makers in companies significant to CHERI adoption (such as systems manufacturers).
  • Briefings from the National Cyber Security Centre (NCSC), intelligence services etc.
  • Helping CEOs to understand the risks to their businesses from insecure hardware, whether to their customers or their own activities, using case studies and real-world examples[footnote 3].
  • Sharing existing and future outputs of the Technology Access Programme (TAP), Discribe Hub and demonstrator projects.

Potential future adoption of CHERI

We explored the barriers and enablers to adoption in 5 potential adoption sectors.

Mobile devices: Low likelihood of adoption in the near term

The mobile phone and tablet market is highly concentrated, with a small number of dominant operating systems and a single dominant chip architecture provided by Arm. The chips are feature-rich and highly optimised for power with low energy consumption, and the design phase for each new iteration is long and expensive.

CHERI technology would have to compete for physical space on chips with other features with higher consumer demand. Extensive and mature software ecosystems would also need updating to make use of CHERI, which is a significant cost and barrier to adoption. Given this, there is relatively little incentive for private companies to push for the adoption of a security feature like CHERI into a chip design.

Key firms: Arm (Semiconductors), Google, Apple, Microsoft (Operating Systems). All of these companies have awareness of CHERI.

Telecoms Infrastructure: Some strong benefits of adoption, but also some challenges

This is a highly capital-intensive sector, with a large estate made up of expensive equipment. Firms need to gain positive Return on Investment (ROI) from technology investments which means there are slow lead times for adopting new hardware-based technologies.

The costs for CHERI adoption would come from re-compiling code, but this would involve less effort than using Rust (a memory-safe programming language).

CHERI adoption could reduce the lifetime equipment cost by reducing the costs of maintenance to offset the initial cost of adoption.

A more holistic conversation about the benefits of CHERI is needed to spur adoption, moving beyond consideration of the technical benefits alone to consider the long-term economic benefits and the potential to differentiate from the competition on security.

Key firms: Vodafone, Ericsson, Nokia.

IOT/Embedded Systems: Economics of adoption for embedded systems are advantageous for CHERI adoption

This sector is more likely to adopt CHERI over the next few years as individual processors are simpler and cheaper, the cost of design is lower, and there are open-source technologies and designs which can be used as a basis for experimentation and innovation.

The product range is diverse and, in many cases, does not carry the burden of a mature ecosystem with a codebase that would need updating. The best situation would be for an entirely novel product which can start from scratch and develop all code natively for CHERI.​

In some areas (such as industrial process controls), the security/safety case might be strong enough for CHERI to be worth the investment despite the adoption cost, particularly if CHERI can be shown to reduce the overall cost of ownership of a device (e.g. if a product has a long lifetime, reducing the cost of maintenance through patching is significant; if the risk and cost associated with a successful attack is great, the adoption case is stronger).

Conversely, there are high-volume markets such as consumer IoT where although margins may be low, costs may be recoupable through volume sales.

DSbD has spurred innovation and business interest (Microsoft, Codasip, lowRISC, SCI Semiconductor etc). There is growing interest from RISC-V community which also supports adoption in this sector.

Key firms: Amazon, Microsoft, Sony, Bosch, IBM, Renishaw

Defence: Evidence of interest from the sector and possible routes to wider adoption through Government procurement levers

The Defence and Security Accelerator Catapult (DASA)/Defence Science and Technology Laboratory (DSTL) have already funded projects through a specific competition focusing on using CHERI in Defence. There is interest and awareness in the sector.

The Government Secure by Design procurement approach offers an opportunity to use CHERI for specifying and executing best practice in systems security.

There are sensitivities around sharing information about technology used in national defence, so sharing lessons and information on benefits of uses may be more complex in this environment.

Key firms: BAE, Qinetiq, Thales UK

Automotive: Some likelihood of adoption with some challenges to overcome

There is a strong case for cyber security to prevent vehicles being disabled or controlled by an attacker and increasing complexity and connectivity of vehicles through electrification.

There is interest from sector and high level of involvement in existing DSbD network and ecosystem.

Historically there are long adoption cycles for new technology in automotive, but these are getting shorter. However, the sector still has complex supply chains with a variety of suppliers.

Other barriers to adoption include the complex legal and regulatory environments with variation between different markets and jurisdictions. There is also a complex support ecosystem, with lots of standards and legacy software to update.

Key firms: BorgWarner, Jaguar Land Rover, Volkswagen.​

Recommendations: Support adoption of CHERI

Further funding

To be targeted at:

  • Continuing to build the software ecosystem by funding development of software development tools and operating systems[footnote 4].
  • Maintaining and developing the existing skills base by providing further opportunities for businesses to use the technology (as with the DSbD Technology Access Programme), for researchers to investigate novel tools and uses (building on DSbD software ecosystem projects), and networking and presentation opportunities for business and academia to share promising developments.
  • Supporting development of microprocessors at the microcontroller or mid-range application core level.
  • Developing the compartmentalisation capabilities to explore how these could improve performance.
  • Developing use cases to better understand and demonstrate the economic as well as security value of CHERI. In Chapter 5 of the main report, we provide case studies of routes to adoption for the following key sectors:
    • Telecommunications (mobile devices and telecoms infrastructure)
    • IT (IoT and embedded systems)
    • Automotive
    • Defence Selected use cases could build on these and the DSbD technology demonstrator projects.

Regulations, standards and procurement

  • Ensure Government departments are aware of CHERI as a technology – lead from departments such as Defence which can provide use cases / demonstrations (via DASA/DSTL funding competition)
  • Ensure suppliers are aware also: adopt “memory safety” as a recommendation or requirement in procurement, alongside clear guidance on which approaches meet this standard.

1. Introduction

Purpose of this research

The aim of this research is to help the Department for Science Innovation and Technology (DSIT) understand the potential market for Capability Hardware Enhanced RISC Instructions (CHERI) technology and how the Department can encourage and support the adoption and diffusion of the technology in semiconductors.

Seven specific research questions were set out in the specification from DSIT. These are covered in full in the technical report and summarised in Table 1 below.

Methodology

Our overall research design and strategy combines “top-down” and “bottom-up” exploratory analysis:

  • We have mapped the CHERI technology market, using published data and statistics, and expert consultations, to estimate its scale and composition (“top-down” approach).
  • In parallel, we have drawn up a database of firms in the market segments and established contact details to approach these companies for the primary research – this is done as part of the “bottom-up” pillar. This also helps to underpin the top-down element with firm level statistics.

Our rationale is to maximise robustness by combining two approaches with known strengths and weaknesses. The bottom-up approach focuses on known companies and lets us plan representative primary research; the top-down approach uses statistics to find “hidden” economic activity and market demand, providing a framework to weight the survey responses to reflect the market, and mitigate the risk of survey non-response.

We have used a mixed methods approach, with elements of quantitative estimation, desk research and primary data collection (surveys and interviews). The table below shows the methods we have used to address each of the research questions (RQ) in turn.

Table 1: Research questions and methods

Research aims Data review Literature review Top-down mapping Interviews Survey
1. Assess size and scope of potential market for CHERI Y Y Y   Y
2. Assess the number of semiconductor supply chain firms that could implement CHERI technology Y   Y   Y
3. Overview of market for CHERI over next ten years Y   Y Y Y
4. Understand characteristics of firms in this potential market   Y Y Y Y
5. Awareness of CHERI in the semiconductor supply chain   Y   Y Y
6. Current/projected CHERI demand in the semiconductor supply chain Y   Y Y  
7. Recommendations for barriers/enablers to adoption   Y   Y  

Report Structure

We have structured the report as a series of thematic chapters that are linked to the groups of research questions. The remainder of this report is structured as follows:

Chapter 2 provides some background about CHERI; its expected benefits and current status. It also provides background on the semiconductor supply chain as the aim of this project is to understand adoption of CHERI from a hardware point of view.

Chapter 3 examines current awareness of CHERI and explores barriers and enablers or drivers of that awareness (RQ5).

Chapter 4 looks at the size and scope of the market for CHERI, both in the UK and worldwide (RQ1), including the elements of the supply chain that are most relevant to CHERI (RQ2) and the characteristics of the companies within this market (RQ4).

Chapter 5 looks at the potential market and where CHERI might be in terms of adoption in around ten years (RQ3 and 6). It also addresses barriers and enablers or drivers to adoption.

Chapter 6 presents our final conclusions and recommendations (RQ7).

2. Background

2.1 Introduction

This chapter lays the groundwork for the research and findings in the following chapters. The chapter provides a comprehensive overview of CHERI technology, including its current level of implementation and some competing technologies. It presents a detailed supply chain diagram for the global semiconductor industry. Lastly, the chapter identifies key demand sectors for CHERI adoption.

2.2 Summary

  • CHERI is a new technology which embeds security by design and aims to significantly strengthen systems security through the use of memory safe pointer architecture and secure compartmentalisation of memory.

  • The technology has been developed in the UK with support from the UK government through the Digital Security by Design (DSbD) programme, which has funded the development of a hardware prototype; enabled researchers and businesses to use the hardware and develop the software ecosystem; and demonstrate CHERI working in specific sectors and contexts.

  • There are several CHERI products in development including the Arm Morello board, CHERIoT (developed by Microsoft for RISC-V) and the LowRISC Sonata and Symphony boards. Codasip have announced a first commercial CHERI enabled chip, but most of the other implementations are pre-market.

  • CHERI is a deep, system level fix and adoption will require changes in both hardware and software. Therefore, it is important to understand the semiconductor supply chain and drivers for the adoption of technologies that improve cyber security.

  • Important demand sectors to consider include automotive, utilities, telecommunications and embedded systems. These are aligned with national research priorities and also have some elements of cyber-physical risk.

2.3 What is CHERI?

CHERI is a fundamental redesign of microprocessor architecture, based on research from the University of Cambridge, that eliminates many common memory security vulnerabilities.[footnote 5]

2.3.1 Benefits of CHERI

The key benefits of CHERI compared to traditional hardware architecture have been identified by the University of Cambridge and SRI international[footnote 6] [footnote 7], and are as follows:

  • The CHERI architecture guards against accidental or malicious manipulation of the contents of memory, removing a core source of vulnerabilities.
  • CHERI can be applied to legacy C or C++ programs with minimal changes, making the transition to CHERI technology seamless.
  • As CHERI is applied to existing languages that lack memory safety like C and C++, it has the potential to address memory safety issues without the overhead of software runtime checks.
  • It provides the ability to create distinct compartments within one process which can be used to strengthen a system against attack and can also lead to performance benefits.

The main focus of research so far has been on the memory safety benefits of CHERI. Memory safety aspects of CHERI are at a higher technological readiness level (TRL) than compartmentalisation. Therefore, less effort is currently required to take advantage of the memory safety benefits than compartmentalisation.

CHERI prevents unauthorised or out of bounds memory access; it has been shown to prevent attacks using memory access in CHERI’s implementation of Linux/BSD and can also prevent damage from poorly written code. It is a systematic fix that addresses up to 70% of currently known common vulnerabilities[footnote 8].

Preliminary discussions with the DSbD advisory group revealed that research in compartmentalisation is not as advanced as research on the memory safety advantages of CHERI. Despite this, stakeholders mentioned that compartmentalisation holds promise for enhancing performance, boosting productivity, and conserving energy, potentially paving the way for innovative business practices and capabilities. Furthermore, stakeholders also opined that the combined benefits of memory safety and compartmentalisation would extend beyond merely bolstering security.[footnote 9]

2.4 Current implementations of CHERI

University of Cambridge and SRI initially received funding to develop CHERI from DARPA (the US Defense Advanced Research Projects Agency). UK Research and Innovation (UKRI) also recognised the potential of CHERI and, in 2019, funded the DSbD programme through the Industrial Strategy Challenge Fund (ISCF) to explore its practical applications.[footnote 10]

2.4.1 Digital Security by Design (DSbD)

The DSbD Challenge was announced in January 2019 as a targeted investment within the government’s ISCF. It funds a programme of research which is intended to radically update the foundation of the insecure digital computing infrastructure that underpins the entire economy.

In doing so, it aims to overcome market failures in hardware security, as well as technological challenges. Problems with hardware security have been documented since the 1970s. Market forces alone do not seem strong enough to encourage firms to invest towards solving these issues, because:

  • Hardware manufacturers will not produce something for which software does not yet exist as there would be no market for it.
  • Software developers will not write code for hardware that does not yet exist.
  • Consumers have not been demanding more secure technology as they are largely unaware of the inherent risks.

The programme has funded three activities which are summarised below:

  • Enable (industry and academia-led): A prototype implementation of a secure hardware platform with CHERI architecture (the Morello Board).

  • Use (industry and academic projects funded).
    • Collaborative Research and Development (R&D), to develop the software and secure-by-design applications required to enable market use.
    • Establish a national resource to upskill developers and users, enabling early adoption of the technology through business outreach.
    • Create a community to investigate barriers to adoption and encourage businesses and society to move beyond management of risk.
  • Demonstrate Impact: Business-led ‘demonstrators’ to develop and showcase specific uses of the new technology. There are seven demonstrators in e-commerce, automotive, utilities, embedded systems.

The programme was initially funded from 2020 to 2024, and extended to 2025. The programme team are looking for opportunities to continue the progress made in the last few years.

DSbD Programme achievements to date: The technology platform prototype design has been completed (ENABLE) and formally validated (USE), and has now been delivered in silicon in the form of the Morello Board. The primary vision set out in the business case – for the Challenge to overcome existing market failures and provide a new and secure computer hardware approach – is on course to be delivered if it can be proven in major industrial markets (DEMONSTRATE).

This initial success gives the programme scope to support the move towards adoption. Key takeaways on progress towards adoption are as follows:

  • DSbD has good links with Government through the Programme Board and advisory group, and the technology features in recent strategy reports such as the National Cyber Strategy and National Semiconductor Strategy. This suggests that DSbD is on the UK research agenda.
  • Capacity and capability building: DSbD projects have developed new skills and capacity in R&D. Academic projects have had only small impacts on researcher skills so far, but have built DSbD into Masters courses and PhDs, which can promote future knowledge transfer.
  • Collaboration between academia and industry is built into all workstreams, resulting in multi- and inter-disciplinary publications, and a mixture of academic- and industry-led investigation of the technology.
  • Industrial engagement has worked well to build an ecosystem for early adoption and testing but so far has focused on small businesses. There has been less interest in some parts of the programme from large companies (e.g. the Technology Access Programme and some of the demonstrators), although these are represented on the Advisory Group and have provided support for some individual projects.

DSbD has attracted investment from government and the private sector, including contributions from Google and Microsoft. Private investment is tracking above its 2023 target of £50m.[footnote 11] Further detail about how the programme is raising awareness of CHERI and supporting adoption is covered in section 3.3.1 of this report.

2.4.2 Other implementations of CHERI

Outside of the DSbD programme, some other organisations have designed other CHERI enabled hardware:

  • CHERIoT is a small version of CHERI for IoT devices based on RISC-V architecture. Work to adapt CHERI to smaller embedded systems was led by Microsoft through their involvement in the DSbD programme.

  • LowRISC is leading the Sunburst demonstrator project which aims to distribute Sonata Boards for use in embedded systems. These are low-cost evaluation boards with similar capabilities and capacity to the CHERIoT boards. They are also developing a higher cost board (the Symphony Board), which is more similar to Morello.

  • Codasip, a European company developing processor solutions using RISC-V, have released a fully commercial implementation of CHERI using its 700 processor family. This is a significant development as, unlike the other implementations, it has not resulted from a DSbD funded project. The decision to bring a CHERI processor to market has been taken independently for commercial reasons; (primarily to be the first mover in the market for memory-safe hardware).

Table 2: Summary of Current CHERI implementations

Features Morello [footnote 12] CHERIoT [footnote 13] Symphony [footnote 14] Sonata Codasip 700 family
Summary The Technology Prototype Platform of the DSbD programme Small, low power version for embedded devices Evaluation platform allowing for full analysis of CHERI enhancements in a wider system Low-cost evaluation board for investigating CHERI security enhancements First commercial implementation of CHERI
Lead team/example projects Arm, most of the DSbD funded projects Microsoft lowSRIC lowRISC Codasip
Architecture Arm RISC-V RISC-V RISC-V RISC-V
Advantages Has been distributed among DSBD and DASA-CHERI communities Potential for deployment in cyber-physical systems that are hard to protect at a deep level More fully featured than CHERIoT and Sonata, though less than Morello As for CHERIoT: a low-cost option (around £300-£400) deployable in cyber-physical systems Commercial design which demonstrates there is a market for adoption
Disadvantages The costs of commercial development are likely to require offsetting by significant market demand. Expensive (around US$10,000 per board) Lightweight version – a microcontroller rather than a fully-featured multi-tasking application core processor like Morello High-cost option (similar price to Morello) Lightweight version – does not have full CHERI functionality As announced, less powerful than the Arm Morello design

2.4.3 Other memory safety technologies

There are some alternative approaches to memory safety aside from CHERI.

Other approaches to memory safety are possible. One would be to rewrite code on existing hardware in a potentially memory-safe language such as Rust. This would offer equivalent protection if implemented perfectly, but errors in the code could leave vulnerabilities that could be exploited if discovered. Also, the effort of entirely rewriting existing code would inevitably be greater than modifying existing code to run on a CHERI processor, although for entirely novel products where there is no existing code base, a language-based solution would make sense.

Another approach in hardware would be probabilistic methods which attempt to detect memory safety violations in real time, such as Arm’s Memory Tagging Extension (MTE), available in its latest processors. These significantly increase the likelihood of detecting memory safety violations but does not guarantee that they cannot occur as CHERI does. CHERI has a higher adoption cost than MTE.

Other examples mentioned in stakeholder interviews include Arm’s TrustZone and SiFive’s WorldGuard (for RISC-V). These can isolate security-critical components in a system through hardware, such as system boot-up, cryptography, payment processing, or digital rights management. They are less sophisticated than CHERI in terms of the protection through isolation that it offers; CHERI’s compartmentalisation features allows for software to be written in such a way as to securely isolate any area of a program, and also offers potential improvements in performance.[footnote 15]

2.5 Supply chain for CHERI implementation

As CHERI is a hardware-based technology, the research aims to understand more about the semiconductor supply chain for the adoption of new hardware-based technologies.

Figure 1 below sets out the different stages of the global semiconductor supply chain and highlights the role of each supply chain segment. It also shows the value added at each stage.

It is important to note that the final product from the global semiconductor value chain, when supplied to systems manufacturers, contributes additional value to their respective sectoral supply chains.

Figure 1: Semiconductor Supply Chain – Production and Immediate

Source: Adapted from BCG/SIA (2021), Accenture/GSA (2020), Visual Capitalist (2021)

The section below describes these different segments in more detail.

2.5.1 Design (Fabless firms[footnote 16])

These firms design (but do not typically manufacture) the integrated circuits and chips which perform the critical tasks that make electronic devices work, e.g. computing, storage, connectivity to networks, and power management. Design includes electronic design automation (EDA) software, reusable architectural building blocks (“IP cores”), and in some cases also outsourced chip design services provided by specialised technology suppliers. It is a knowledge and skill intensive part of the supply chain and accounts for 65% of total industry R&D and 54% of value added[footnote 17].

The US is a key region for EDA, but the UK is a key region for IP. This is largely due to organisations like Arm, Codasip, MIPS, and SiFive.[footnote 18]

Key UK companies: Arm; Imagination Technologies; EnSilica

Key global companies: Codasip; Qualcomm; Broadcom

2.5.2 Fabrication (Front-end manufacturing)

Manufacture (“fabrication”) of silicon chips takes place in highly specialised manufacturing facilities called “fabs” or “foundries”, where nanometre-scale integrated circuits are printed on to silicon wafers.[footnote 19] Semiconductors are produced at different node sizes (measured in nanometres) with more advanced chips corresponding to smaller node sizes. The most cutting-edge chips are currently less than 10nm.

Around 75% of fabrication capacity is based in China and East Asia.[footnote 20] All advanced logic chips at 10nm node capacity or smaller are produced in Taiwan and South Korea.

Key UK companies: Clas-SiC Wafer Fab; PragmatIC; IQE

Key global companies: TSMC; SK Hynix; Sensata Technologies

2.5.3 Equipment and tooling

Fabs rely on specialist and sophisticated manufacturing equipment. The largest manufacturers for this type of equipment are Applied Materials; Lam Research, and KLA in the USA, ASML in Europe and Tokyo Electron in Japan. These companies tend to focus on very specific pieces of machinery: for example, ASML has a monopoly on the equipment for extreme ultraviolet (EUV) lithography[footnote 21] which is required for the production of the most advanced node sizes.

Key UK companies: Oxford Instruments; Infinitesima

Key global companies: Coherent; Applied Materials; KLA Corporation

2.5.4 Fabrication (Back-end manufacturing)

This includes the process carried out by firms that specialise in the outsourced assembly of semiconductor wafers and chip components, which are produced by front-end manufacturers. This includes the following processes:

  • Packaging involves enclosing semiconductor chips in protective and functional encasements.
  • Testing is a process to ensure functionality and performance of the chip/processor to certify reliability and quality.
  • Assembly refers to integration of various components of a semiconductor chip.

As per Figure 1, it accounts for 6% of the value added in the supply chain. Key regions include Taiwan, the USA, China, Malaysia, and Singapore.[footnote 22]

Key UK companies: Clas-SiC Wafer Fab; INEX Microtechnology

Key global companies: Tokyo Electron; ASML; Lam Research

2.5.5 Integrated Device Manufacturers

Integrated Device Manufacturers (IDMs) are large companies which design, manufacture and sell semiconductors. They also function as systems manufacturers by incorporating these fabricated chips into their own product line. IDMs have their own branded chips, designs them in-house and own fabrication plants to produce chips.

The US and Southeast Asia are key regions for IDMs as companies like Samsung and Intel are headquartered here.

Key UK companies: N/A

Key global companies: Samsung; Intel; Volkswagen

2.5.6 Systems Manufacturers

System manufacturers are organisations that acquire packaged chips and integrate/facilitate their integration into hardware. Systems manufacturers typically buy the chips designed and manufactured by third-party companies and incorporate them into their product, which is then sold to consumers. For example, Dell sources chips from companies like Intel and integrates it into their laptops. The systems manufacturers include the following sub-categories:

  • System integrators are third-party entities adept at amalgamating component subsystems and ensuring their cohesive functionality.

  • Electronic components manufacturers are firms engaged in the production and supply of diverse electronic parts utilised across a wide range of applications. They typically manufacture components that are supplied to final product manufacturers for integration into their end products.

  • Original equipment manufacturers (OEMs) are firms that produce the final product, typically integrating components sourced from external manufacturers into their comprehensive end product designed for the consumer. Examples include car manufacturers, consumer electronics manufacturers. Some OEMs are also IDMs as they design chips in house and have their own fabs.

  • Engineering services encompass sector-specific traditional services, including engineering consultancy for product development and integration, as well as simulation and testing facilities.

  • IT hardware manufacturers produce IT components such as motherboards, CPUs (Central Processing Units), memory drives, etc. They cater to OEMs and also engage in the production of end-user IT products.

Key companies: See Table 13 for key examples.

2.5.7 Software

Companies that adopt CHERI hardware will need to re-compile and port their software code in order to use it. This is necessary in order to make existing software work on the new processor; one of the reasons is that some memory operations that are technically valid C or C++ code, and are used on current processors, are forbidden on CHERI because they would expose or compromise memory that is being safeguarded by CHERI’s memory safety technology (“capabilities”). Such code would need to be rewritten. Once code has been successfully ported to the new processor, there is additionally the potential to rewrite elements of the code to make best use of CHERI’s compartmentalisation feature, to improve security or performance.

The DSbD programme has funded a number of software projects to develop toolkits for the use of CHERI and investigate specific use cases, and there is an active, largely UK-based ecosystem around developing software for CHERI. There are also a large number of GitHub repositories for how to write code for CHERI.

The amount of work necessary to write code for CHERI varies from use case to use case. It will always need to be recompiled, and elements will usually need to be rewritten if they attempt to use memory operations forbidden under CHERI. Some ecosystems would require much more software to be checked for compatibility. For example, a mobile phone includes a set of complex, multi-purpose chips and a fully-featured operating system which needs to accommodate a whole ecosystem of apps, and so a large player in this sector such as Google or Apple would require many thousands, if not millions of engineering hours to re-compile code for CHERI and make best use of the technology. This is therefore a potential barrier to widespread adoption; although less than the effort required to re-implement from scratch in a memory-safe language such as Rust. Simpler processors with more specialised functions, such as smaller chips used in industrial control processes or Internet of Things devices, would require relatively less effort, and entirely new hardware with no code base to update would not face this barrier to adoption.

Key UK companies: N/A

Key global companies: Keysight Technologies; Altair; Ansys; Cadence Design Systems

2.6 Demand sectors

In addition to understanding the supply side for hardware technologies, we need to understand which demand sectors are likely to be relevant to CHERI adoption and how much of the semiconductor market these account for.

The table below outlines the main demand sectors for semiconductors. This is important to consider for CHERI adoption as these have different security priorities; key suppliers and adoption cycles for new technologies.

Table 3 Semiconductor Applications by Market Size[footnote 23]

Application Total semiconductor sales 2020 (in US$ billion) Total semiconductor sales 2022 (in US$ billion)
Smartphones 117 (25%) 104 (19%)
Consumer electronics 50 (11%) 60 (11%)
Personal computing 100 (21%) 89 (17%)
Automotive 40 (8%) 79 (15%)
Industrial electronics 51(11%) 74 (14%)
Servers, data centres and storage 76 (16%) 78 (15%)
Wired/wireless infrastructure 38 (8%) 50 (9%)
Total 472 534

Source: Statista[footnote 24]

The table below highlights the sectors chosen for the demonstrator projects funded by DSbD and the sectors of relevance:

Table 4: DSbD demonstrator projects by sector

Demonstrator Sector focus
Soteria E-commerce
DEFGRID Utilities (Gas network)
AutoCHERI and ResAuto Automotive
MoatE Edge Computing
High Security Communications Infrastructure using peer to peer Mesh VPN Digital Computing Infrastructure
Sunburst Project Embedded Devices[footnote 25]

Source: DSbD Tech

Familiarisation interviews (mostly with DSbD Advisory Group members) highlighted automotive; utilities; infrastructure and IoT/embedded/remote systems as areas for CHERI deployment. Interviewees thought these sectors were significant as they are areas where a cyber security breach could lead to real-world physical harms, which overlaps with the sectors above. Risks in sectors such as E-commerce include theft; loss of data; compromised privacy. Interviewees also highlighted defence as an area of interest and DASA Catapult has launched a separate competition to explore CHERI within defence and security and awarded funding to 15 projects.[footnote 26] There is also alignment to other national priorities for research and innovation for sectors identified by stakeholders.

3. Current awareness of CHERI

3.1 Introduction

The chapter addresses RQ5 about the current levels of awareness of CHERI in the semiconductor supply chain. Evidence is drawn from interviews and surveys. It also considers some of the barriers to awareness and factors that will enable these barriers to be overcome and help drive the adoption of CHERI.

3.2 Summary

  • Activities that have driven awareness of CHERI to date include the DSbD programme, Morello Board distribution and the DASA CHERI for Defence competition. This has developed an ecosystem of around 875 people in 136 organisations who are aware of and have had some exposure to CHERI technology.

  • The technology has been referenced in papers produced by the UK government[footnote 27]; US government and key organisations including Arm[footnote 28], Google[footnote 29] and Microsoft[footnote 30]. This demonstrates awareness of the technology by these organisations and suggests they are raising awareness among the audience for these papers. This audience is mostly technical people interested in cyber security research.

  • Materials produced so far to raise awareness of CHERI have focused on technical aspects. As a result (and as suggested by interviews), there may be a lack of awareness about CHERI among senior decision makers in key companies. Engaging this audience would require more focus on the business case for adoption.

  • There are limitations to surveys used to assess wider awareness of CHERI, as these have relied on promotion through organisations involved in the CHERI ecosystem, potentially giving an inflated view of awareness (although this can be mitigated by asking participants in the ecosystem what the level of awareness among their own contacts is). One survey from 2022 suggested 9% of respondents were familiar with CHERI and just over a quarter had at least heard of it.[footnote 31]

  • Our survey of senior decision makers and technical experts in companies in the semiconductor supply chain; software companies; and those in key demand sectors for semiconductor applications, showed 11 out of 14 respondents had heard of CHERI, or were familiar with it.

3.3 Current drivers of awareness of CHERI

This section looks at current awareness of CHERI within companies, within the UK and across the world, as well as what has helped to drive awareness of the technology. It has focused on awareness of the technology of companies who would need to adopt it, i.e.

  • Companies in the semiconductor supply chain, especially those involved as relevant for CHERI adoption as identified in Chapter 3 (chip design and software); and
  • Organisations in key potential demand sectors for CHERI.

Key drivers of awareness to date have included the DSbD programme and other activities funded by the UK government.

3.3.1 The DSbD ecosystem

A key driver to date has been the DSbD programme, funded through UKRI. This section provides some high-level detail about the types of organisations involved in the different workstreams of the DSbD programme to give better insights on the types of people who have worked on the development of CHERI and are aware of the technology.

The diagram below summarises the overall structure of the programme.

Figure 2: DSbD activities and awareness raising

The Advisory Group, TAP and Discribe Hub are particularly important for raising awareness of CHERI.

1. Advisory Group

Government agencies involved in the Advisory Group have also helped to spread awareness of CHERI technology. The programme is referenced in the National Semiconductor Strategy[footnote 32]. For example, some have been involved in overseas visits to promote the DSbD programme and CHERI technology in Japan, the US and other countries. They have also raised awareness within the UK. For example, Advisory Board members play an ambassadorial role within UK semiconductor supply chain firms and have presented at CyberUK 2023[footnote 33].

2. Discribe Hub

The Economic and Social Research Council (ESRC) has funded the academic led Discribe hub as part of the DSbD programme. This is a social science led research programme exploring barriers and enablers to adoption of CHERI and digital security in general. It aims to explore the social aspects of digital security, including how people understand and quantify the risks from cyber threats.

  • As of March 2024, 19 papers have been published as a result of the Discribe hub:[footnote 34]
  • The Discribe Hub organise All Hands events twice a year for people involved in the programme to attend and share information. This has helped to develop the ecosystem and networks of organisations and people involved in the programme.
  • The most recent All Hands event (March 2024) included panels about using the technology in the automotive industry and some considerations around this; promoting and announcing the Sonata Boards were now available and a panel session with representatives from DSIT, DSTL and the NCSC, so there were some important lessons on considerations for future adoption which are covered in more detail in Chapter 5 of this report.

3. Technology Access Programme

The Technology Access Programme (TAP) is led by the Digital Catapult and is responsible for providing interested companies and universities with access to CHERI technology and guidance, so that they can experiment with its features. So far it has distributed nearly 40 Morello development boards, mostly to SMEs (Small and Medium Sized Enterprises). There have been four cohorts of board recipients and there are plans for at least one more. Cohorts attend events organised by the Digital Catapult at the beginning and end of their projects (around 6 months). SMEs receive some funding for their projects as well as support.

Morello is quite complex to implement for smaller organisations. There has been interest in CHERIoT and Sonata as lower cost options that would be simpler to adopt and beneficial for technologies such as IoT, embedded systems and remote systems. Digital Catapult feel there is significant interest in this to want to distribute CHERIoT boards in a future cohort. The Sunburst project is also looking to distribute the lowRISC Sonata boards (a research and development platform prototype similar to CHERIoT).

Interviewees were broadly positive about the Technology Access Programme and felt it had been successful in engaging with businesses and raising awareness of the technology especially among software companies. They made the following observations about how the TAP could be improved:

  • The TAP programme has not engaged as effectively with and raised awareness of CHERI among the types of large companies who could move the dial on adoption – the incentives are too small to be attractive to them. Other parts of the programme (e.g. the Advisory Group) have been more successful in engaging with this audience.
  • Some of the guidance materials provided to TAP board recipients are very technical and more work is needed to make it more user friendly.

TAP projects and funded demonstrators from the wider programme have been successful in proving the technology works and providing use cases for specific sectors. They have been less successful in making a business case for CHERI adoption in relevant industries and demonstrating a return on investment. More work is needed to explore this aspect and share information about it.

4. Funded projects

The table below summarises the different funding competitions and who they have engaged:

Funding competitions Funded by Projects led by Number of projects funded
Academic Proof, System Software Impact Research EPSRC (Engineering and Physical Sciences Research Council) Academic 9
Development of the Digital Security by Design Software Ecosystem (De Minimis Projects) Innovate UK SMEs 10
Software ecosystem development Innovate UK & EPSRC Academics & Industry 10
Demonstrators Innovate UK Industry 7

Source: Information provided by UKRI

The funded projects have all been awarded through competitions which have raised awareness of the technology through putting out information in application guidance and holding events about the competitions.

The projects allow access to a Morello board which means that award recipients have the opportunity to develop skills and knowledge of CHERI technology, raising awareness among the people at the organisations involved.

Funding projects attend the ‘All Hands’ events organised by the Discribe hub and share learnings from their projects and develop networks with other organisations who are also in the ecosystem.

The projects have produced outputs such as publications in academic journals which have also raised awareness with academic audiences.

Key takeaway about the DSbD programme and raising awareness: The DSbD programme has developed an ecosystem of organisations who are aware of CHERI which includes 31 UK universities and around 94 companies with a presence in the UK. Funded projects have increased awareness by allowing organisations to access the technology to experiment with use cases specific to their businesses and develop skills in using CHERI. While the programme funded the development of the Morello prototype based on Arm architecture, growing the ecosystem has also led to the development of other hardware solutions (Microsoft CHERIoT and the LowRISC Sonata and Symphony boards), based on RISC-V open-source architecture. Some of the barriers to adoption may be easier to overcome in RISC-V than for Arm (see sections 5.4.1 and 5.4.2 for further details)

The rest of this section summarises activity outside the DSbD programme.

3.3.2 Unfunded board distribution from UKRI

UKRI have also distributed around 30 Morello boards to academic and business organisations in the UK and internationally without funded projects. The table below shows where boards have been distributed.

Table 5: International distribution of Morello Boards through UKRI for unfunded projects

Country Organisations which have received at least one board from UKRI
UK 23
USA 10
Germany 5
Netherlands 2
Sweden 2
Canada 1
Denmark 1

Source: Information provided by UKRI, February 2024

This includes some large multinationals such as Rolls Royce, Siemens and Boeing.

Codasip also became involved in CHERI through this route. As covered in Chapter 2, Codasip have announced the first commercial implementation of CHERI based on the RISC-V architecture. Interviews revealed that they are also developing their own ecosystem of business focused on CHERI for RISC-V, but we are not aware of specific firms involved, although there is likely to be an overlap with the DSbD ecosystem. This is being formalised through the CHERI Alliance Community Interest Company (CIC) which is being established to promote CHERI as an efficient standard for addressing memory safety issues and will further increase awareness of the technology.

Key takeaways about UKRI board distribution and raising awareness: While many of the boards have been distributed within the UK, a number have been given to organisations based overseas which has helped promote awareness internationally, further developing the ecosystem of organisations and individuals with some experience of using CHERI.

This has also led to the first commercial implementation of CHERI by Codasip. Codasip have now announced the CHERI Alliance which will further raise awareness of the technology, especially in RISC-V architecture. The CHERI Alliance would be a useful point of contact for DSIT to find out where demand is sectoral and what steps are being taken towards standardisation of requirements for memory safety, which could be adopted in government standards and regulations.

3.3.3 DASA/DSTL CHERI for Defence

In addition, the DASA CHERI for Defence competition has funded 15 projects. Many of these are led by organisations who are also involved in DSbD funded projects, but four organisations had not previously been involved in the programme.

UK Government has recently adopted a “Secure by Design” approach to the procurement and delivery of digital services. The implications for suppliers to the Ministry of Defence have been set out in an “Industry Security Notice” from July 2023, and the principles and activities of the approach were published in early 2024. The policy does not mandate use of CHERI or any other memory safety approach (and the “Secure by Design” nomenclature is not directly related to the “Digital Security by Design” programme). However, the framework’s core principles include elements which could be met by a CHERI solution (e.g. “source secure technology products”, “minimise the attack surface”, and “defend in depth”), and CHERI could be used as an element of providing secure hardware to the industry.

Key takeaways about the CHERI for Defence competition and raising awareness: This programme has mostly engaged with companies who were already aware of CHERI, but has brought in a small number of organisations who are new to the ecosystem. It is the first sector specific competition and has increased awareness among companies involved in providing defence systems, which the DSbD programme had not targeted specifically. This is likely to provide some interesting use cases which may help to promote further awareness if results are allowed to be published, and if a CHERI solution is used to meet the requirements of the “Secure by Design” government procurement approach this would help spread awareness.

3.3.4 Known levels of awareness (the CHERI ecosystem)

Based on the activities above we are able to provide an estimate of the lower end of organisations and people who are aware of CHERI based on those involved in the DSbD ecosystem, unfunded board recipients and DASA competition:

Table 6: DSbD Ecosystem Summary

Type of organisation Number of organisations Involved in more than one funded project Estimated number of people involved in DSbD funded projects
Academic 31 10 217
Businesses 94 25 658
Public Sector* 11 0 N/A
Total 136 35 875

Source: Information provided by UKRI and Digital Catapult. Includes unfunded board recipients and DASA competition awardees.
*Public Sector Organisations are mostly involved through the DSbD Advisory Group rather than funded projects

Figure 3:Profile of businesses in DSbD Ecosystem

Source: Data provided by UKRI about DSbD participants

The estimate of the number of people involved is based on results of a previous survey of DSbD funding award recipients suggests that around seven people per organisation have worked on funded projects on average.[footnote 35] There is considerable variation in this estimate – for example in Arm more than 100 engineers have worked on the Morello Board. Some of the SMEs who have accessed the boards through the TAP, only have one to three members of staff in total. Using this average as an estimate just under 900 people are in the current DSbD ecosystem and therefore aware of/have experience of using CHERI. Around 76% of these are currently working in industry.

3.4 Other factors that have enabled awareness of CHERI

The previous section covers the awareness of CHERI that has been enabled by programmes funded by the UK government to develop the technology. In addition, there is evidence of policy papers from government and corporations which reference the technology. This suggests an awareness of CHERI by those writing these papers. They are also sharing information about and raising awareness of the technology with their intended audience.

3.4.1 DARPA-funded CHERI research

Prior to the DSbD programme, Cambridge University and SRI international received funding from DARPA (Defense Advanced Research Projects Agency) in the US. This demonstrates some early awareness of CHERI by the US government. More recently they have published papers which reference the technology:

  • The US Cyber Security and Infrastructure Security Agency (CISA) recently published an article titled ‘The Urgent Need for Memory Safety in Software Products’. The article emphasises the ‘Secure by Design’ best practice guidance, which is influenced by work in the UK and EU (European Union) to build cyber security measures into the design and production of technology products. Memory safety has been highlighted as a key area of concern and CHERI is recognised as a potential solution to address this.[footnote 36]

  • ‘Back to the Building Blocks: A path toward secure and measurable software’ report by the White House[footnote 37] conducted an extensive investigation into memory safety vulnerabilities. The study also explored secure programming languages and hardware architecture to increase resilience of future cyberspace. Notably, the paper cited CHERI as a potential technology for enhancing memory safety.

Key takeaway about DARPA funded CHERI research: The US government has funded the early development of the technology. Recent interest in promoting memory safety has led to the technology being referenced in papers produced by CISA and the White House. If the language around memory safety can be standardised internationally, and CHERI promoted as a best-in-class hardware solution for memory safety, it will become easier for CHERI to be referenced in internationally agreed standards, and for governments and companies around the world to procure CHERI as part of a requirement for memory safety.

3.4.2 Corporate papers, press releases and policies referencing CHERI or DSbD

The projects funded through DSbD have led to a number of mostly academic publications about CHERI, but of greater interest in understanding awareness for adoption is the number of corporate publications and government publications which reference CHERI. Here is a summary of significant items we are aware of:

  • In 2022, a representative of Arm referenced CHERI at the IEEE Institute of Electrical and Electronics Engineers Hot Chips Symposium[footnote 38]

  • Codasip producing the first commercially available CHERI design through their 700-processor series.[footnote 39]

  • In March 2024, Google released a White Paper about memory safety which references CHERI.[footnote 40]

  • Microsoft Research has also published a blog post about their work on CHERIoT.[footnote 41]

Key takeaway about corporate publications referencing CHERI: A few organisations are publishing documents on CHERI, although we can’t assess how many people have read these. These are mostly reports produced by significant multinational companies in CHERI relevant to their sectors.

3.5 Assessment of wider awareness of CHERI

To assess wider awareness of CHERI outside the ecosystem above, we undertook a survey and interviews. This section presents results from our primary research and includes information from other sources used to triangulate our findings.

3.5.1 RSM Survey

We surveyed companies identified in the bottom-up analysis outlined in Chapter 3. This targeted senior decision makers and technical experts with roles such as CEO, CTO, CISO, Chief Security Architect, and IT Manager, among other roles relevant to CHERI. The companies surveyed spanned the semiconductor supply chain, software firms, and key sectors for CHERI applications including telecoms, automotive, utilities, and defence (as identified by the familiarisation interviews). To ensure maximum response from people with familiarity with the technology, our approach prioritised senior executives in small to medium-sized firms and technical roles in larger companies, resulting in a comprehensive contact list for all companies in the dataset.

The survey was open for four weeks and promoted by contacts in the DSbD advisory group, DSIT, the NCSC, the Internet of Things Security Foundation (IOTSF) and our advisors. Our bottom-up analysis identified further companies in these groups and contact details for relevant personnel were sourced through RocketReach[footnote 42].

The survey included a question about awareness of CHERI and other memory security technologies:

Table 7: Awareness of memory security technologies (N = 22)[footnote 43]

Security Technologies I have not heard of this I have heard of this but have not used it My organisation has access to this technology, but I am not familiar with it personally My organisation has access to this technology, and I have used it Total Respondents
CHERI 3 (21%) 4 (29%) 2 (14%) 5 (36%) 14
TrustZone 4 (29%) 1 (7%) 2 (14%) 6 (43%) 13
Root of Trust 3 (21%) 1 (7%) 3 (21%) 7 (50%) 14
Open Titan 5 (36%) 5 (36%) 1 (7%) 2 (14%) 13
Rust or other memory safe languages 2 (14%) 3 (21%) 2 (14%) 5 (36%) 12
WorldGuard 8 (57%) 3 (21%) 1 (7%) 1 (7%) 13
MTE 8 (57%) 3 (21%) 1 (7%) 1 (7%) 13
Other 3 (21%) 1 (7%) 1 (7%) 3 (21%) 07

Source: RSM Survey February-March 2024

Only a small proportion of respondents (around a fifth) said they had not heard of CHERI. Many respondents also had experience of other memory safety technologies, especially Root of Trust, TrustZone and Rust.

Figure 4: Awareness of CHERI

Source: RSM Survey February-March 2024

We also asked about the relevance to the business of the technologies identified above. Respondents thought all the examples listed were important to some degree.

Figure 5: Relevance of security technologies (N = 22)

Source: RSM Survey February-March 2024

Many of the respondents to the survey were chief security or technology officers, so they saw action to protect memory safety as important and their view of a technology’s importance was guided by how familiar they were with it. Respondents had similar levels of awareness and experience of CHERI and Rust and therefore had similar views of the relevance of these technologies. Most of the interviewees who were aware of CHERI thought that it offered better protections and opportunities to improve security than Rust.

Limitations

Overall, only 22 valid responses were received for the survey as a whole. The survey was promoted by DSIT, the NCSC and the DSbD Advisory Group so there is some risk that responses for this question about awareness are not representative of the market as a whole as those publicising it are more likely to be networking with firms who are aware of the technology. These limitations mean the survey may not be representative of awareness of CHERI in the wider target market.

To compare and verify our results, we identified a previous survey[footnote 44] asked about awareness of CHERI among UK organisations. The survey was live from July to December 2022 and received 76 responses. It was promoted through the Chartered Institute of Information Security, DSbD mailing list, in-person security events and the DSIT (then the Department for Digital, Culture Media and Sport or DCMS) cyber security newsletter.

This survey had good coverage from a range of different sizes of organisations and sectors: 64% of respondents were from large organisations with over 500 employees and sectors covered include Finance and Insurance; Public Administration; Health and Social Work and Education, so there is a slightly different mix of sectors captured. There is no information about whether these were UK or multinational companies.

Just over half of the respondents to this - 51% - were in cyber security or wider IT roles, with a further 28% coming from senior managers. From this survey 9% were familiar with CHERI and 26% had at least heard of it. This is also based on a small sample size and was promoted through similar channels, so is likely to have similar limitations. But there is potentially some indication of awareness of CHERI beyond the DSbD Ecosystem.

Key takeaways about surveys of awareness of CHERI: Because of the limitations of both surveys (a low number of responses and some degree of promotion through the existing ecosystem) it is not possible to use either survey to accurately assess wider awareness of CHERI across businesses in the semiconductor supply chain as a whole.

3.5.2 Evidence from interviews

Interviews with DSbD members have confirmed awareness of CHERI with key semiconductor supply chain companies identified in our market research, especially among the parts of the supply chain relevant to CHERI adoption.

We interviewed representatives from 18 companies. While many interviewees were involved in the wider CHERI ecosystem at least six were not. Two interviewees said they were unfamiliar with CHERI before being approached for an interview (one came through contact via the survey; the other as approached by an advisor). The survey respondent was an organisational resilience and training consultant based in India. The other was a multinational automotive company with a presence in the UK.

Individual awareness

We also asked about the type of person within companies who was aware of CHERI. Four interviewees felt that there was good awareness among technical experts and cyber security officers, but that some awareness raising was needed among senior decision makers at large companies in the semiconductor supply chain.

A key challenge for engaging with senior decision makers was the view that security is a cost, and it is difficult to value the economic benefits of improving security. Some recommendations for improving awareness with this audience included sharing more learnings and information about the economic costs and benefits of adopting CHERI. Some of this material is being produced by the existing DSbD programme (especially case studies of the TAP and outputs of the Discribe Hub). Recommendations for targeting sectors and raising awareness are covered in more detail in Chapter 6.

3.6 Summary of Barriers and Enablers to Awareness of CHERI

Based on interviews, surveys and other data outlined above, the table below outlines barriers and enablers to CHERI awareness:

Table 8: Enablers and Barriers to CHERI awareness

Facilitators of CHERI awareness How this is enabling or driving awareness Barriers or features hindering awareness and how these could be addressed
The DSbD programme Enabling awareness by funding projects and providing access to the technology has developed an ecosystem of people and organisations who are aware of the technology. The Discribe Hub and TAP have been particularly important in spreading awareness of the technology. Some of the guidance material for how to get started using CHERI requires very good technical expertise and experience. This material could be more user-friendly to a less specialist audience. Some of this is due to the overall readiness for adoption of the technology and improving this would help to address this barrier.
Learnings from DSbD funded projects including demonstrators The funded projects and demonstrators have helped to prove the technology is effective in providing improved security and sharing learnings to make the technological case for adoption Further work is needed to explore the costs and benefits of adopting CHERI, such as how much effort is required for porting to CHERI and the benefits of the improved security it provides. There is work underway on this, including a cost benefit simulator and case studies of TAP projects.
Policy papers by UK and US government These enable awareness of the DSbD programme and CHERI technology. Within the UK, key examples are the National Semiconductor Strategy. These currently raise awareness but do not mandate the use of CHERI. Chapter 6 of this report discusses issues around regulation; standards and government procurement guidance in promoting awareness and adoption of CHERI. The language of memory safety is critical: if it can be internationally agreed what constitutes memory safety and which approaches provide it, then CHERI can be more easily promoted as a best-in-class hardware-based solution.
Papers by companies such as Arm, Google and Microsoft also promote awareness of CHERI Interviewees highlighted some of these papers to us in the course of our conversation, demonstrating a degree of awareness of what their own and other organisations were doing around CHERI adoption or where they thought adoption would be beneficial. The current audience for these papers is mostly people interested in cyber security, technology and research and usually shared on company blogs, which may have a limited reach to a technical audience who are looking specifically for information about CHERI. Table 13 of this report highlights important companies to engage with on CHERI adoption which will enable a more targeted approach.
The CHERI Alliance will raise awareness within the RISC-V ecosystem The CHERI Alliance aims to promote CHERI as an efficient standard for addressing memory safety issues, which will help to raise awareness of the technology. This has only recently been announced, so it is too early to say yet how many people and organisations are engaging with it.

4. The current potential market for CHERI

4.1 Introduction

This chapter addresses research questions about the potential CHERI marketplace as it currently appears; its key sectors and firms, and how it relates to the established semiconductor supply chain. It answers the following research questions:

  • RQ1: What is the size and scope of the potential market for CHERI technology?

  • RQ2: How many semiconductor supply chain firms are -
    a. based in the UK that could potentially implement CHERI technology within semiconductors?
    b. not based in the UK that could potentially implement CHERI technology within semiconductors?
    c. The extent to which these maps onto the existing semiconductor supply chain or whether there is a distinction between the two?

  • RQ4: What are the characteristics of the companies within this potential market, including their position within the semiconductor supply chain, their number of employees, their revenue, their geographical location and other demographics?

Further, the chapter also identifies the most influential organisations within this potential market when it comes to diffusion of CHERI technology.

4.2 Summary

The scope of the market and its global supply chain (RQ1, 2)

  • Key semiconductor market segments relevant to CHERI adoption are identified as Design (supply side), Integrated Device Manufacturing (IDM) (demand and supply side), and systems manufacturing (demand side). Software Development also features as a sector that could provide solutions to businesses and consumers using CHERI technology. Semiconductor manufacturing is identified as less critical, since the decision to adopt CHERI is unlikely to be made in this segment.

  • Globally, the US, Japan, Taiwan, South Korea, China, India, Southeast Asia (Philippines, Malaysia, Vietnam and Singapore), and Europe (Germany, Netherlands, Austria and Turkey) are identified as key countries and regions for parts of the semiconductor supply chain. These countries have headquarters of major semiconductor firms, including Samsung, TSMC, NXP, SK Hynix, Tokyo Electron, SiFive, Intel, and Codasip. They play different roles in the market:

    a. The USA is an extremely important market player, dominating chip and CPU design and with strong presence in chip manufacture, systems manufacture and IDMs.

    b. Despite their significant role in the global semiconductor market, the potential influence of Taiwan and China on CHERI adoption is limited as their strengths lie more in wafer fabrication (front-end) and semiconductor packaging (back-end) than in design and EDA segments. South Korea is also an important country for manufacture, but is also where Samsung is headquartered, and Samsung is an important firm for CHERI adoption.

    c. India and Southeast Asia are well-positioned to adopt CHERI, having rapidly growing semiconductor industries, lower cost of skilled talent, and inward investment from multinationals in sectors that can integrate CHERI in design and manufacturing.

    d. Japan is of key importance to the UK as it has distinct, yet complementary strengths backed up by the 2023 UK-Japan semiconductor partnership.

Quantitative research on the UK CHERI market (RQ2, 4)

  • We have identified 394 companies that are directly relevant for CHERI adoption and diffusion in the UK through searches in financial databases, industry reports, etc as part of bottom-up research, and 17 industrial sectors of relevance through top-down analysis.

Bottom-up research on UK semiconductor supply chain firms

  • Of the 394 firms, 29% (114) are supply-side, mainly semiconductor (99) and IT equipment manufacturers (15) and 71% (280) are demand-side, including systems manufacturers and further downstream potential adopters of CHERI.

  • 60% (238) of CHERI-relevant firms in the UK are headquartered and operate in the UK. These firms are primarily involved in semiconductor design (13%), software development (5%), and front and back-end manufacturing (6%). There are no integrated systems manufacturers headquartered in the UK.

  • Multi-National Companies (MNCs) operating in the UK but headquartered abroad comprise of 39% (155) of the identified UK CHERI market. These firms are primarily involved in semiconductor design (10%), software development (4%), and front and back-end manufacturing (15%). There are 5 MNC IDMs operating as subsidiaries in the UK.

  • DSbD participants make up 19% (76) of the total companies identified in the current UK CHERI market. This includes Arm, the market-leading chip design company who were funded to create the DSbD platform prototype (Morello).

  • Based on interviews and reviews of the DSbD programme’s progress, automotive, defence, information technology, and telecommunications have emerged as key user sectors with the highest likelihood of CHERI adoption in the near future. This is driven by the escalating need for robust system security arising from increased automation, digitalisation, the rise of Artificial Intelligence (AI), and the demand for resilient infrastructure. These are all considered critical national infrastructure and are therefore strategically important.

Top-down analysis of key industrial sectors and their sizes

  • The top-down analysis identified 17 SIC[footnote 45] (Standard Industrial Classification codes 2007) industry segments in the UK that have the highest proportion of semiconductor designers and manufacturers, and immediate users such as systems manufacturers. In 2021, these SICs generated a turnover of approximately £94 billion and employed a workforce of around 288,000 employees.

  • The Gross Value Added by these 17 industry segments in 2021 is estimated to be around £25 billion. The most significant contributors to this GVA are aerospace manufacture (28%), motor vehicles (24%), and electronic measuring and testing equipment (15%).

Bottom-up analysis of individual companies by size

  • Findings from the bottom-up approach indicate that out of firms that had turnover data, 93% (258) of the current CHERI market had turnovers under £5 billion, with 30% (82) SMEs with turnovers below £50 million. Five demand-side companies, namely Jaguar Land Rover, BAE Systems, Amazon, BT Group, and Vodafone, have turnovers exceeding £20 billion.

Geographical locations of companies (bottom-up)

  • A spatial distribution of geographical location of companies revealed a clustered presence of CHERI relevant firms in London, Cambridgeshire, Oxfordshire, Bristol, Berkshire (Reading) and West Midlands, in line with the National Semiconductor Strategy[footnote 46].

Most influential firms by sector

  • Arm, Codasip, Qualcomm and Intel are identified as the most influential potential drivers of CHERI adoption based on our identification framework with multiple parameters such as Financial indicators, Location, Reach, and Activities in the UK. Intel has their own chip architecture which is dominant in data centres (x86). Consultation suggests Intel have their own security solutions (Software Guard Extensions or SGX)[footnote 47].

4.3 Methodology used to measure the current size and scope of potential market for CHERI

The research specification for this work asked for the size and scope of the potential market for CHERI technology, and whether this maps onto the existing semiconductor supply chain (which was described in section 2.5).

4.3.1 Defining the scope of the market and its global supply chain

Market definition: In the context of this study, the CHERI market is identified as the complete set of companies that have the potential to integrate CHERI into their goods and services.

The scope of this market was determined through insights from familiarisation interviews with stakeholders in the DSbD programme and in Government, qualitative interviews with companies, and literature reviews.

It also benefited from the iterative nature of the quantitative “top-down” and the “bottom-up” research on specific companies in the UK which we carried out (see below); as we learned more about the characteristics of companies that CHERI could potentially impact, we refined our search terms and modified the scope accordingly.

As suggested in Chapter 2, we find that the market encompasses firms involved in the design and production of the CHERI chip, as well as system manufacturers who would embed the CHERI chip into their products, and software / cyber security companies that could provide solutions to businesses and consumers using CHERI technology.

4.3.2 Quantitative research on the UK CHERI market

To measure the size of the semiconductor and CHERI market in the UK specifically, a combination of bottom-up and top-down approaches were employed.

The bottom-up approach examines company-level information (from FAME[footnote 48], Tracker[footnote 49] and individual company websites) to identify individual firms, sited in the UK, that form part of the potential supply chain for CHERI processors or are end-users of semiconductors, with the greatest likelihood of adopting CHERI in the near future. Apart from the core and immediate semiconductor use sectors, the bottom-up approach includes additional downstream end-user sectors such as automotive, telecommunications, and defence, among others.

This was done to ensure a more complete understanding of the potential reach and growth opportunities for the CHERI technology. The bottom-up approach gives very good clarity on the specific companies, and types of company, that are relevant; however, it is likely to be an underestimate of the market as it will omit new firms and those with limited public information. Despite efforts to address gaps in the company dataset, it is still probable that gaps exist due to limited coverage of foreign subsidiaries and inconsistent financial data in financial databases. Moreover, the financial (Turnover and employee count) and economic indicators (GVA) are not entire related to CHERI and represent the size of the sector-wise potential market that CHERI can potentially impact.

The top-down approach extends this analysis by examining data on entire industries with the potential to adopt CHERI. This approach measures published statistics at the 5-digit SIC 2007 level. This identifies SIC (2007) industry segments that contain the highest proportion of firms from the core semiconductor design and manufacturing sectors and immediate user sectors such as systems manufacturers (including Original Equipment Manufacturers (OEMs), electronic component manufacturers, among others) (see Figure 1). It does not consider segments involved in software development and end use of semiconductors.

Detailed national statistics are regularly published by the Office for National Statistics (ONS) at the SIC level, and as a result the top-down approach has detailed economic information on the current size (GVA) and footprint (Turnover and Employment) of the of the semiconductor production and immediate use market. However, it is likely to be an overestimate as despite best efforts, not all the companies in each broad industrial sector will be fully relevant to CHERI.

Broadly, the top-down approach measures the production and immediate use segments of the semiconductor supply chain mentioned in chapter 2, and the bottom-up approach identifies many – but not all – of the individual companies by extending the supply chain to include software designers and end-users. This is defined as the CHERI potential market.[footnote 50] Both top-down and bottom-up analyses offer useful insights, but neither is a precise answer to the question of CHERI market size.

4.3.3 Presenting the findings

In the first half of this chapter, we set out the key market segments relevant to CHERI adoption, and the global locations and companies where this activity takes place.

In the second half, we quantify, as far as possible, the scale and market specialisation of the market activity which takes place in the UK, including geographical clusters and specific companies with high potential influence on CHERI adoption.

4.4 Key segments in the potential market for CHERI

Carrying out this supply chain mapping exercise has provided valuable insights into the scope of each supply chain segment on CHERI adoption. The details of these findings are provided below.

  • Design (Fabless) firms: Design companies play a direct role in adoption of CHERI as they are responsible for conceptualising chip designs and make the executive decision on selecting appropriate security architecture to solve problems. This makes them highly relevant for CHERI adoption and a key decision-maker regarding the use of security architecture; unless their customers request a specific architecture, rather than specifying a design requirement to be solved cost-effectively, the designers will select the specific features to be used in the chip.

  • Software companies serve as vital counterparts to fabless firms, playing a pivotal role in designing the software to automate chip design and make systems work. The customised software unlocks full potential of the features within these chips. The implementation of CHERI in a chip necessitates the modification of software such as Electronic Design Automation (EDA)[footnote 51] tools, Operating System (OS) extensions, and other adaptations of mainstream software stacks like C/C++. These extensions enable the complete utilisation of CHERI’s features. This interplay is particularly significant in the context of CHERI as successful adoption and diffusion hinges on the collaborative efforts of software and design firms. EDA and software firms are deemed of “moderate” relevance to CHERI due to their enduring alliances with design companies. If a design company chooses CHERI as their preferred security architecture for a chip, it is likely to have consulted its software partners and secured their backing and resources. Furthermore, the DSbD programme has had a strong focus on stimulating a synergy between software and hardware firms to guarantee a functional ecosystem.

  • Systems manufacturers (all entities): Systems manufacturers are strategically positioned to play an influential role for CHERI adoption and diffusion. While system manufacturers may not directly be part of designing and manufacturing of CHERI chips, they can exert substantial indirect influence on the type of security architecture the fabless company incorporates through the orders they place and the requirements they make of the designers. If the systems manufacturers demand/recommend the use of CHERI in their hardware, they will communicate this to the design firms who will then be motivated to include it. This ‘push factor’ can be driven by regulations (national or global), demand for cyber security, increased awareness or necessitation of security from emerging technologies like autonomous vehicles, and AI. It follows that government has a potential role to play in advertising the benefits of CHERI or designing the regulatory structure to encourage or require its use, to strengthen the demand coming from systems manufacturers to the point where the design firms feel able to invest in the necessary innovation.

  • Integrated Device Manufacturers (IDMs): IDMs combine the “design” and “systems manufacturer” stages above. This gives them control over intellectual property and allows for a faster time-to-market. IDMs adoption of CHERI is cost-effective as it eliminates third-party involvement, thereby circumventing interoperability and compatibility issues. The chips, designed and manufactured by IDMs, are optimally tailored for their products, further enhancing the efficiency of the adoption process. They are therefore highly relevant in adoption and diffusion of CHERI as they could overcome the coordination problem between design and manufacture within a single company. IDMs also have a direct gateway to end users, making them a key player in the diffusion of technology. However, they may still suffer from coordination problems if, for example, decisions on design and technology investment take place in different company divisions, and central management does not provide the strategic lead to direct them to move together.

  • Manufacturing (front- and back-end) is crucial for the overall semiconductor industry and a lot of the value in the supply chain is captured here. Insights from interviews and literature review clearly indicate that, in the context of the adoption of CHERI, manufacturers are not as relevant, as the technology does not require significant changes to current manufacturing processes or inputs (equipment and materials). As a result, the manufacturers will not be the companies pushing for CHERI’s adoption. They will manufacture semiconductors according to the designs they are provided with, making no design decisions, and operate strictly based on orders and designs received.

4.5 Potential Global Market for CHERI (RQ2)

This section explores the international potential for CHERI adoption and identifies the key countries with significant potential to influence CHERI diffusion. As system security becomes increasingly non-negotiable in various sectors, the demand for security technology like CHERI is likely to grow[footnote 52]. The global market for CHERI is vast, encompassing key countries with the requisite skills, capabilities, resources, and significant market share in the semiconductor industry. These regions also have a strong presence in sectors where CHERI is particularly relevant.

We have carried out extensive market research, divided into two main components: a literature review and familiarisation interviews.

The literature review involved investigating a wide array of sources, including industry reports, market forecasts, academic papers, and other relevant publications, allowing us to gain a deep understanding of the current market landscape across various countries. Notable literature sources include (non-exhaustive list):

  • Globality and Complexity of the Semiconductor Ecosystem (Accenture, 2020)
  • Strengthening the Global Semiconductor Value Chain (BCG and SIA, 2021)
  • Mapping the semiconductor supply chain: The critical role of the Indo-Pacific Region (CSIS, 2023)
  • Global Semiconductor & Electronic Parts Manufacturing (IBISWorld, 2024)

The familiarisation interviews involved speaking with industry experts, giving us first-hand insights into the market and the current trends globally.

4.5.1 Key international markets

United States
The U.S. dominates the semiconductor design sector, holding over 40% of the global market share in integrated circuit design, inclusive of EDA, semiconductor IP, and design services revenue. As per Georgetown’s Centre for Security and Emerging Technologies[footnote 53], U.S. firms held more than 50% of the 2019 core IP market share. The extent of this market domination also stems from the US federal governments R&D expenditure on semiconductors, accounting for 59% of the governments total R&D expenditure.

Additionally, from the demand perspective, the U.S. accounts for 25% of global semiconductor consumption.[footnote 54] This substantial share can be attributed to the presence of numerous tech giants within the country, including but not limited to Apple, Meta (formerly Facebook), Microsoft and Nvidia. These companies are at the forefront of technological innovation, driving the demand for semiconductors and hardware security, which are integral components of the products and services they offer. Semiconductors serve as the building blocks of modern electronics, including computers, smartphones, and other digital devices that these companies specialise in.

Moreover, these tech giants are heavily invested in the development and implementation of emerging technologies such as AI. AI requires a high level of computational power, which in turn necessitates the use of advanced chips. As a result, the demand for semiconductors within the AI sector in the US is particularly high.

There is a large scope for CHERI adoption in the US, given its market dominance in the supply of semiconductors as well as the demand. Given this, it is encouraging that large US based companies such as Microsoft and Google are actively involved in the existing CHERI ecosystem (they both have members in the DSbD Advisory Group and are involved in at least one funded project each). However, interviews suggest awareness is greater among senior technical and cyber security staff and more awareness is needed for senior C-suite executives for CHERI to be adopted more widely. A recent White House paper on Memory Safety[footnote 55] specifically namechecks CHERI which suggests evidence of awareness of the technology among significant US companies and government agencies (initial research on CHERI was funded by DARPA). While this is a positive development for CHERI adoption, consultees felt the US Government is unlikely to provide strong regulation to make CHERI mandatory as they do not usually intervene in the market to enforce specific security technologies.

China
China’s semiconductor industry has seen remarkable growth, expanding from approximately 1,300 registered semiconductor companies in 2011 to 22,800 by 2020.[footnote 56] This surge has been fuelled by significant government funding and incentives for chipmakers. Despite a high concentration of fabrication plants, China plays a crucial role in meeting global chip demand, driven by rapid technological innovations.

Like the US, China accounts for 25% of global semiconductor consumption, owing to its leadership in electronic goods manufacturing.[footnote 57] These are focused not on finished goods, but on components to be supplied to OEMs for incorporation into their final products. Demand for chips from these companies may provide some drive for adoption of CHERI, but the overall focus of the semiconductor industry in China is manufacture rather than design, meaning there is likely to be limited supply side drive for adoption.

Taiwan
Taiwan, primarily through the Taiwan Semiconductor Manufacturing Company (TSMC), holds a significant position in the global semiconductor supply chain, particularly excelling in the foundry market. In 2022, Taiwan’s foundry market produced 60% of the world’s semiconductor chips, generating a revenue of US$40.2 billion.[footnote 58] TSMC alone contributed to 54% of the global foundry revenue in 2020.[footnote 59]

TSMC, along with South Korea’s Samsung, are the only two global entities capable of manufacturing the most advanced 5-nanometer semiconductors[footnote 60]. This capability has enabled Taiwan to secure a high market share and provide high-yield, stable professional IC chip services. Taiwan also houses the Industrial Technology Research Institute (ITRI), a leading research institute known for its research in emerging technology including but not limited to semiconductors and 6G.

Taiwan’s great market strength is in chip manufacture rather than design. It is therefore less significant for CHERI adoption than other markets with concentrations of chip design or systems manufacture, where the decisions to adopt CHERI would most likely be made. However, if a full-featured CHERI-capable processor is ever to be made in volume Taiwan would be a key location.

Japan
Despite a decline from 51% of global semiconductor sales in 1988 to 10% in 2019, Japan is revitalising its position with extensive support and the creation of a “Hokkaido Valley” similar to Silicon Valley.[footnote 61] The country maintains a robust presence in advanced equipment, wafers, and other semiconductor materials, bolstered by major companies like Tokyo Electron, Nikon, Canon, and Sumco.

In May 2023, DSIT announced a UK-Japan semiconductor partnership to fortify complex and fragmented supply chains. The two nations, possessing different but complementary strengths in the semiconductor sector, are collaborating on R&D, sharing expertise, and developing areas of mutual strength including chip design, fabrication, advanced packaging, and compound semiconductors.[footnote 62]

Furthermore, Japan’s technological advancement and rapid progress in smart cities, automation, and IoT, coupled with the joint partnership, positions it favourably for the diffusion of CHERI. There is potential for Japan to collaborate with the UK to integrate this technology into their digital products and infrastructure.

South Korea
South Korea is a significant end producer of semiconductors, including the world’s most advanced 5-nanometer nodes. It houses 37% of the global production capacity for semiconductors smaller than ten nanometres, showcasing its technologically advanced foundries.[footnote 63] There is a significant demand for semiconductor equipment in the country, with South Korean companies purchasing $22 billion of semiconductor equipment in 2022 and accounting for 20% of the global market.[footnote 64]

Samsung Electronics and SK Hynix, the two largest South Korean manufacturers leading in memory chip production, hold 19.3% of the global semiconductor market share.[footnote 65] Samsung is also the world’s largest IDM, with a semiconductor revenue of US$50.6 billion.[footnote 66]

While there is significant chip production in South Korea, Samsung as an IDM would be the most significant company to consider for CHERI adoption. Samsung’s adoption of CHERI could diffuse the technology worldwide and integrate it into their own products. Furthermore, South Korea’s advanced manufacturing capabilities position it well for the production of complex CHERI chips.

Southeast Asia
Southeast Asia, with strong government support and a favourable business environment, has become a significant region in the global semiconductor ecosystem. The region accounts for US$200 billion in chip exports, with Malaysia contributing 40% of the total and 6% of its GDP (Gross Domestic Product).[footnote 67] Other key contributors include Thailand and the Philippines, which rely heavily on semiconductor production for a sizeable part of their GDP and exports. The region has also seen the emergence of a vibrant tech hub, with a focus on e-commerce, fintech, and e-sports.[footnote 68]

Increasing political tensions with China, particularly over weak patent protection and ongoing trade wars, have prompted many companies to establish cost-effective facilities in Malaysia, Vietnam, and other low-cost manufacturing nations.[footnote 69] Technological advancements and support from countries like the USA present a unique opportunity in Southeast Asia to meet the growing demand for semiconductors and manufacture advanced chips. Furthermore, the emergence of a global technology hub, especially in Singapore and Malaysia, could potentially facilitate the adoption of CHERI.

India
India, a key player in semiconductor consumption, is projected to cross US$80 billion by 2026.[footnote 70] Amid political tensions with China, India has actively bolstered its manufacturing capabilities.

The country’s strength lies in its talent pool, housing 20% of global chip design talent.[footnote 71] Major semiconductor manufacturers, including Intel, AMD, and Qualcomm, have established their largest R&D centres in India, capitalising on local engineering talent.[footnote 72] Furthermore, the government’s push to boost domestic manufacturing through incentive-based policies enhances India’s attractiveness for foreign semiconductor companies.

As one of the largest and fastest-growing economies with a burgeoning market for digital products, India has the potential to significantly impact the adoption and diffusion of CHERI in the near future. If multinational corporations leverage their resources in India, the implementation of CHERI could be made cost-effective due to the relatively lower labour cost for highly skilled talent.

Europe
The European region, accounting for about 10% of the global semiconductor market, has set a target to increase its share from 9% to 30% by 2030.[footnote 73] Germany, leading in semiconductor production, along with the Netherlands, Austria, and Turkey, are key players in Europe’s semiconductor industry.[footnote 74]

Europe’s strengths lie in industrial equipment and IP licensing, with a focus on semiconductors and chips for OEMs and systems manufacturers, particularly in the automotive and power industries. The region also boasts a historically strong academic field and research institutes like Fraunhofer HHI, which are well-positioned to drive digital advances.

Given Europe’s large presence of systems manufacturers in automotive, healthcare, and e-commerce companies, and accounting for 20% of the world’s semiconductor consumption[footnote 75], the region provides a pathway for the diffusion of CHERI technology in demand-side sectors.

4.6 Quantitative research on the UK CHERI market (RQ2, 4)

4.6.1 UK semiconductor supply chain firms (bottom-up analysis)

A total of 394 companies with premises in the UK were identified by the bottom-up exercise. Table 9 presents a sectoral analysis of the companies in the potential market for CHERI adoption. It categorises the market into MNCs, small-to-medium sized enterprises (SMEs)[footnote 76], and UK and non-UK based companies.

In this analysis, ‘UK-based companies’ are those founded or headquartered in the UK, with the UK as their primary operational region. ‘Non-UK-based companies’ are foreign companies with UK subsidiaries. The data for non-UK companies is sourced from UK financial databases, thus the characteristics analysed pertain to their UK subsidiaries with operations that take place in, and provide economic benefit to, the UK.

Additionally, the table provides the GVA of each sector and the total number of UK SICs that these companies span across, offering a thorough understanding of the market diversity.

In the CHERI context, the market mapping column in Table 9 below classifies sectors as supply or demand side.

  1. Supply-side sectors produce CHERI hardware and include design, manufacturing, services, and software (EDA) firms.

  2. Demand-side sectors include systems manufacturers, who are the immediate users of products manufactured by the supply-side, as well as end users (further downstream) that purchase electronic components from systems manufacturers to integrate it within their product.

Some sectors, like IT, house both supply and demand-side firms. For example, Apple designs its own chips (supply-side), but also produces devices which also use chips designed by other companies (demand-side). For the purposes of the table below we have listed these sectors twice, as a demand sector and supply sector to avoid ambiguities and overlapping from an industry classification point of view.

Table 9: Overview of the UK CHERI market by sector[footnote 77]

Sector Total companies Headquartered in the UK Headquartered outside the UK Total MNCs Total SMEs Total Primary SICs GVA (in £ million) Market mapping segment
Automotive 36 (9%) 14 22 32 5 18 36,823 Demand
Aviation & Aerospace 27 (7%) 13 14 21 4 12 9,889 Demand
Critical National Infrastructure 29 (7%) 26 3 10 1 11 11,053 Demand
Defence & Security 23 (6%) 18 5 19 4 21 19,706 Demand
Electronics Manufacturing 19 (5%) 5 14 17 2 15 7,539 Demand
Healthcare 27 (7%) 12 15 23 7 10 5,719 Demand
Information Technology 1 78 (20%) 59 19 33 55 26 4,403 Demand
Information Technology 2 15 (4%) 10 5 5 9 8 39,147 Supply
Semiconductor 99 (25%) 53 46 73 40 39 12,996 Supply
Design 37 (9%) 24 13 27 18 20    
Manufacturing 48 (12%) 23 25 37 16 25    
Software 5 (1%) 1 4 4 1 4    
Services 9 (2%) 5 4 5 5 7    
Telecommunications 40 (10%) 28 12 27 5 7 49,234 Demand
TOTAL 393[footnote 78] 238 155 333 172 - 196,509 -

Source: RSM’s analysis of FAME, Tracker, Literature, Company Website, and LinkedIn data

The key takeaways from Table 9 are as follows:

  • Together, the IT, telecommunications, defence, and automotive sectors generate a GVA of £149 billion, accounting for 76% of the total GVA of the firms identified in the potential CHERI market. The semiconductor sector, a key supply sector, contributes 7% to the total GVA. This highlights the diversity and breadth of the further downstream user sectors that CHERI could impact.

  • The GVA generated by demand side sectors, comprising of immediate users and further downstream users, accounts for 74% of the total GVA of sectors in CHERI market. This indicates that the users of chips and processors generate a large proportion of GVA, and their adoption of CHERI will lead to larger economic impact and facilitate diffusion of the technology. However, this is not possible unless the supply sectors produce the chip.

  • The IT demand sector has the high proportion of companies based in the UK (76%) and SMEs (71%), followed by the semiconductor sector, which is a supply sector, with 54% (53) of the companies based in the UK and 40% (40) SMEs.

  • The Critical National Infrastructure sector predominantly comprises UK-based companies, accounting for 90% of the total. The presence of only one SME and only 10 MNCs out of 29 companies, suggests that the sector is primarily composed of large energy/utility companies and grid operators that only operate nationally.

  • The Automotive and Electronics Manufacturing are demand sectors with the highest proportion of MNCs at 89% (32 & 17 respectively). This is followed by the Healthcare and Defence & Security sectors, with MNC proportions of 85% (23) and 83% (19) respectively. This indicates that adoption of CHERI by these companies will lead a substantial diffusion at an international level.

  • CHERI relevant firms in Semiconductor sector span across 39 UK SICs, indicating a lack of semiconductor specific SICs in the UK.

It should be noted that the GVA figures in Table 9 cannot be attributed solely to the potential economic impact of CHERI, as they largely represent non-CHERI related activities. These figures are only relevant as a baseline and provide an approximate footprint of the extent to which CHERI could create relevant economic impacts at some point in the future. The GVA figure from bottom-up approach incorporates not only systems manufacturers (core immediate users), but further downstream sectors (end users) including automotive manufacturers that use electronic components produced by systems manufacturers. When considering these expanded user sectors, the GVA that CHERI can impact amounts to approximately £196 billion in 2021[footnote 79].

Importance of UK market segments to CHERI adoption

Research Question 2 deals with the relationship between the semiconductor supply chain and the potential market for CHERI. Table 10, outlining the potential market size by semiconductor supply chain segment, offers an enhanced perspective on this. It classifies each supply chain segment’s relevance to CHERI as “high”, “moderate”, or “low” in the following way:

  1. “High” relevance indicates that the segment is crucial for implementation of CHERI in a chip or an end product.

  2. “Moderate” relevance refers to the segments that support the highly relevant segments in implementation and adoption of CHERI.

  3. “Low” relevance suggests that the segment is important for the production of semiconductors however, they do not play a significant role in adoption and diffusion of CHERI.

Table 10: Overview of the CHERI market by supply chain segment

Semiconductor Supply Chain Segments Market mapping segment Total companies Based in the UK Based outside the UK Total MNCs Total SMEs Total Primary SICs Relevance to CHERI
Back-end manufacturing Supply 5 1 4 4 1 5 Low
Design Supply 46 30 16 32 22 23 High
Equipment manufacturing Supply 11 7 3 7 6 9 Low
Front-end manufacturing Supply 34 14 20 28 9 17 Low
IDMs Supply 5 0 5 5 0 5 High
Software Supply 17 11 6 6 11 11 Moderate
Systems manufacturer Demand 276 175 101 178 84 73 High
Total   394 238 153 260 133    

Source: RSM’s analysis of FAME, Tracker, Literature, Company Website, and LinkedIn data

The Systems Manufacturers segment, with 276 companies, is the largest. Of these, 63% (175) are UK-based and 65% (178) are MNCs. This segment’s size is due to its broad scope (as evident from 73 SICs the segment covers), encompassing companies from various sectors, unlike other segments which are specific to semiconductors.

The Semiconductor Design segment, most relevant to CHERI, consists of 46 companies, with 65% (30) headquartered in the UK and 70% (32) being MNCs. On the contrary, the Integrated Device Manufacturers (IDMs) segment includes only 5 companies, all of which are foreign multinationals, with none based in the UK. The limited number of IDMs is due to the scarcity of companies globally that handle both semiconductor design and front- and back-end manufacturing in-house.

Due to the presence of a high proportion of multinationals in the supply chain (66%), the scope of the supply chain is global in context of the UK, as chip components can travel upwards of 25,000 miles across multiple regions between design and final product integration.[footnote 80]

4.6.2 Top-down analysis of key industrial sectors and their sizes

The top-down analysis presents a more holistic picture of the industrial sectors in the UK economy that are relevant to CHERI. Table 11 presents the top 17 UK SICs encompassing the highest proportion of semiconductor designer, manufacturers, and immediate use firms, inclusive of systems manufacturers. Given the absence of a specific SIC for semiconductors in the UK and the significant representation of systems manufacturers in the demand side, this table provides a sectoral view of the UK semiconductor market. It includes 2021 SIC level GVA estimates and Turnovers derived from the ONS Annual Business Survey (ABS) data. 2021 Employment statistics are sourced from ONS BRES (Business Register and Employment Survey). The table below also includes the proportions of the SICs relevant to the overall semiconductor market, which was derived by examining individual firms within the SICs, based on their trade descriptions.

Table 11: Financial indicators of 17 UK SICs

SIC Sectors SIC Description Proportion relevant ABS GVA 2021 (in £ million) ABS Turnover 2021 (in £ million) BRES Employment 2021
30300 Manufacture of air and spacecraft and related machinery 54% 7,150 19,951 76,359
29100 Manufacture of motor vehicles 53% 6,219 43,426 70,020
26511 Manufacture of electronic measuring, testing etc. equipment, not for industrial process control 70% 3,956 8,004 40,883
27110 Manufacture of electric motors, generators, transformers 67% 930 2,872 9,924
27120 Manufacture of electricity distribution and control apparatus 55% 884 2,311 11,770
27400 Manufacture of electric lighting equipment 60% 844 1,699 10,276
26301 Manufacture of telegraph and telephone apparatus and equipment 68% 762 1,733 7,450
27900 Manufacture of other electrical equipment 65% 757 1,755 9,165
26110 Manufacture of electronic components 69% 722 1,906 13,028
26200 Manufacture of computers and peripheral equipment 77% 674 2,539 6,325
26600 Manufacture of irradiation, electromedical and electrotherapeutic equipment 64% 609 1,800 5,447
27510 Manufacture of electric domestic appliances 72% 533 1,593 5,430
26512 Manufacture of electronic industrial process control equipment 71% 501 1,013 5,175
26120 Manufacture of loaded electronic boards 69% 461 1,083 7,381
26400 Manufacture of consumer electronics 21% 331 662 4,020
29310 Manufacture of electrical and electronic equipment for motor vehicles and their engines 49% 303 808 3,160
27200 Manufacture of batteries and accumulators 95% 151 599 1,490
Total   N/A 25,787 93,754 287,703

Source: RSM’s analysis of FAME data

In 2021, the collective GVA by the 17 broader semiconductor supply chain sectors amounted to £25 billion. This figure addresses the potential market size within the UK that could be targeted by semiconductors and CHERI. The sectors above also recorded a notable market presence in 2021, evidenced by a combined turnover of approximately £94 billion and a workforce of approximately 288,000 employees.

A significant portion (82%) of the measured GVA is generated by five SIC sectors in the table above including manufacturers of electronic components (3%), printed circuit boards (2%), testing equipment (15%), automotive (24%), and air and spacecraft related machinery (28%). Together, these five sectors account for 78% of the total turnover and 72% of the total workforce employed by the 17 shortlisted sectors.

Broad sectors such as manufacture of electronic components and testing equipment that supply their products to several further downstream sectors such as telecommunications, defence, healthcare, and automotive, among others. Their significant contribution to the GVA, turnover, and employment highlights the wide reach and distribution of semiconductor supply chain firms in the UK that both manufacture and use semiconductors as an integral part.

4.6.3 Bottom-up analysis of individual companies by size

Within the industrial sectors and market segments that have been identified as key for CHERI adoption and diffusion, a potentially impactful element is the absolute size of the companies involved. The bottom-up analysis of company financial data provides insights into the scale and ability to drive CHERI adoption within the UK. For instance, a large multinational corporation, endowed with substantial capital and resources (including skills, talent, equipment, etc.), is well-positioned to invest in emerging technologies. Such corporations typically allocate a relatively larger budget for R&D compared to smaller firms, thus placing them in a favourable position to diffuse CHERI technology within the market.

Table 12 presents findings from the company-level analysis detailing financial characteristics of individual companies comprising the current and potential market for CHERI. It includes both UK based companies and multinationals with subsidiaries in the UK. It should be noted that the turnover and employment figures represent the total revenue from all activities of a company, not exclusively from semiconductors or hardware chips.

Table 12: Financial characteristics of companies in the UK CHERI market

Sector Market mapping segment Total Companies Min Turnover* Mean Turnover* Max Turnover* Min Employees Mean Employees Max Employees
Automotive Demand 36 4 2,776 22,809 2 6,622 160,000
Critical National Infrastructure Demand 29 70 2,770 16,032 3 4,477 87,000
Information Technology Demand (78) & Supply (15) 93 1 2,612 50,896 1 988 22,213
Telecommunications Demand 40 19 2,201 40,140 2 6,619 98,103
Defence & Security Demand 23 15 1,516 21,400 29 8,065 84,000
Aviation & Aerospace Demand 27 14 1,162 13,520 9 2,950 41,800
Electronics Manufacturing Demand 19 5 755 4,395 62 2,357 10,000
Healthcare Demand 27 0.2 431 4,309 4 1,342 19,094
Semiconductor Supply 99 0.1 369 5,100 2 455 20,800
Design   37 0.1 649 5,100 5 323 6,428
Manufacturing   48 1 280 3,450 2 635 20,800
Software   5 33 112 200 10 248 555
Services   9 13 63 124 5 75 344

Source: RSM’s analysis of FAME and Tracker data
‘*‘Turnover figures are in £ million

The automotive, CNI, IT, and telecommunications demand sectors are top performers, with high mean revenue in the UK. The IT and telecommunications sectors show a high variability in revenue indicating a significant disparity in company sizes within these sectors in the CHERI market.

It was also found that foreign semiconductor multinationals with subsidiaries in the UK operate on a smaller scale compared to their foreign counterparts. As covered in Section 2.5.1, the UK’s regional specialism within the global semiconductor supply chain is in chip design and IP and very little manufacturing of semiconductors occurs here. This is consistent with the results from bottom-up analysis, indicating that the activity of foreign multinationals that takes place in the UK is mostly in design and IP with low average turnover and employee count. This indicates that the overall UK semiconductor market is smaller compared to other economies like USA and Taiwan, limiting the scale of operations. This suggests that foreign firms face different market dynamics in the UK. The semiconductor sectors, which are supply sectors, are characterised by low average turnover and employee count, suggesting the presence of high-growth specialist firms.

Figure 6 presents the distribution of the demand-side and supply-side firms based on their turnovers. As expected, the demand-side firms outnumber supply-side firms and are more broadly distributed. This indicates the potential for a greater enabling and catalytic impact[footnote 81] from the implementation of CHERI, beyond just the direct and indirect impacts generated by its core supply chain[footnote 82].

Most (97%) of the supply-side firms have turnovers less than £5 billion, and a significant proportion (45%) can be classified as SMEs[footnote 83], with turnovers below £50 million. The two outliers with turnovers between £5 billion and £20 billion are large-scale integrated device manufacturers that undertake design, front-end manufacturing and back-end manufacturing of chips.

91% of firms on the demand side have turnovers below £5 billion, while 24% can be classified as SMEs. There are five firms that stand out with turnovers exceeding £20 billion. These firms are Jaguar Land Rover (automotive), BAE Systems (defence & security), Amazon (IT and E-commerce), BT Group (telecommunications) and Vodafone (telecommunications).

Figure 6: Turnover distribution by demand and supply sector

Source: RSM’s analysis of FAME and Tracker data

Figure 7 presents a more granular view of the turnover distribution of the semiconductor relevant firms based on their position in the Semiconductor/CHERI supply chain in the UK. As can be seen, 70% of the firms are systems manufacturers, out of which 42% can be classified as SMEs. This is followed by Semiconductor Design and Software firms that make up 16% of the total firms identified. 75% of Design and Software firms can be classified as SMEs. Together, Front-end, Back-end, Equipment, and Integrated Device Manufacturers account for 14% of the total firms identified. This reaffirms the conclusions drawn in the National Semiconductor Strategy[footnote 84], which highlights the UK’s strength in design while acknowledging its limitations in manufacturing.

Figure 7: Turnover distribution by supply chain segments

Source: RSM’s analysis of FAME and Tracker data

4.6.4 Geographical locations of companies (bottom-up)

In addition to financial characteristics, a company’s geographical location offers crucial insights into the following factors that have the potential to influence adoption of CHERI:

  • Collaborative potential: The geographical location of a company can significantly influence its collaborative potential. Being located in a region with a high concentration of similar businesses or industries can foster partnerships, joint ventures, and other collaborative efforts.[footnote 85] These collaborations can accelerate the adoption of CHERI by sharing resources, knowledge, and expertise.

  • Access to technology: The availability and accessibility of technology vary greatly from one location to another. Companies located in technology and semiconductor clusters are more likely to have access to the latest tools, software, and infrastructure needed to implement and support CHERI.

  • Regulatory incentives: Regulations and policies that can impact the adoption of CHERI vary across regions. Companies in regions with supportive regulatory environments could facilitate a more effective adoption.

  • Availability of skilled talent: Adoption of CHERI requires a workforce with the right skills and expertise. Companies located in areas with high emigration rate of skilled workers[footnote 86] and a rich talent pool from top universities and research institutions, may find it easier to recruit the necessary talent for CHERI adoption.

For instance, companies situated in semiconductor clusters or tech hubs may have easier access to cutting-edge technologies and skilled workforce, thereby fostering faster technology adoption.

Figure 8 presents a county-level geographic distribution of companies in the bottom-up dataset. It reveals London as the epicentre, hosting 75 companies including direct semiconductor companies (design, manufacturing, and software) and systems manufacturers. Cambridgeshire follows with 44 companies. The data underscores the significance of the ‘Golden Triangle’, with Oxfordshire also housing 15 CHERI relevant companies. This spatial distribution aligns with literature identifying clusters in Cambridge, West Midlands, Bristol, Berkshire (Reading), and Oxford, particularly in the semiconductor, IT and automotive sectors.

Figure 8: Geographical location of UK companies and foreign subsidiaries in the UK

Source: RSM’s analysis of company location

4.6.5 Most influential firms by sector (RQ4c)

This section identifies the most influential firms by sector within the potential market of CHERI adoption and diffusion. These were pinpointed using an identification framework grounded on the following factors:

  1. Economic & Financial Indicators: Strong economic & financial parameters like high turnover and employment indicate a firm’s capability to conduct R&D activities and adopt emerging technologies like CHERI.

  2. Geographical Location: Office location plays a pivotal role in CHERI adoption as it impacts the ability to collaborate, access resources, and recruit skilled talent.

  3. Company’s Activity in the UK: This reflects the nature of work carried out by the firms in the UK. Firms engaged in activities directly relevant to CHERI adoption, such as systems integration, design, and product manufacturing, are of particular interest compared to those involved in indirect activities like sales, distribution, and support services.

  4. Reach: This refers to the extent of a company’s global presence, determined by whether they are an MNC and the countries they operate in or serve. Reach is crucial as it facilitates the worldwide diffusion of CHERI.

Organisations deemed as highly influential are often large, vertically integrated multinational corporations. These corporations play a pivotal role in setting new technology standards, ensuring interoperability and compatibility. Their significant influence also enables them to aid policymaking through government collaboration. The adoption of emerging technologies like CHERI by such organisations plays a vital role effectively catalysing further adoption and diffusion. This is driven by various factors such as keeping pace with industry trends, complying with standards, or the sheer influence of these market leaders.

Table 13 presents an overview of the key companies from each sector in the potential market for CHERI including both direct semiconductor companies and systems manufacturers (users of CHERI). The findings indicate that large multinationals with substantial operations in the UK are the primary influencers in the diffusion of CHERI. These companies, spanning various sectors, engage in diverse activities in the UK that are crucial to CHERI, such as R&D, manufacturing, infrastructure deployment, and other technical services. Their significant presence and scope of operations in the UK position them well for collaboration with governmental bodies, umbrella organisations, and other multinational corporations, fostering the adoption of CHERI.

Table 13: Influential companies in the CHERI market

Companies Supply chain segment Activities in the UK Location UK Turnover (in £ million) Employees in the UK Based in UK
Automotive            
BorgWarner Systems manufacturer Sales, manufacturing, Support services Bradford 170 360 No
Jaguar Land Rover Systems manufacturer Design, R&D, Manufacturing Coventry 22,809 38,379 Yes
Volkswagen IDM Manufacturing, Design, Sales, Support services Milton Keynes 9,373 954 No
Aviation & Aerospace            
Airbus Systems manufacturer Design, Manufacturing, R&D Bristol 4,116 7,097 No
Rolls-Royce Systems manufacturer Manufacturing, Design, R&D, Sales London 13,520 41,800 Yes
Leonardo Helicopter Systems manufacturer R&D, Manufacturing, Supporting UK MoD Yeovil 2,110 7452 No
Critical National Infrastructure            
British Gas Systems manufacturer Energy supply, Energy infrastructure, Energy related services, Support Windsor 16,032 6,086 Yes
Shell Systems manufacturer Logistics, Petrochemicals, R&D, Infrastructure London 319,000 87,000 Yes
National Highways Systems manufacturer Support services, Transport infrastructure, R&D Birmingham 70 6,648 Yes
Defence & Security            
BAE Systems Systems manufacturer Design, Manufacturing, R&D London 21,400 84,000 Yes
QinetiQ Systems manufacturer R&D, Design, Testing facilities, Communication systems, Defence equipment engineering Farnborough 1,610 8,268 Yes
Thales UK Systems manufacturer Design, Manufacturing, Sales London 1,120 5,017 No
Electronics Manufacturing            
Bosch Systems manufacturer R&D, Sales, Support services, Repair London 430 589 No
IBM Systems manufacturer R&D, Manufacturing, Sales Portsmouth 3,123 7,660 No
Renishaw Systems manufacturer R&D, Manufacturing, Sales, Support, Distribution Gloucester 689 5,136 Yes
Healthcare            
Becton Dickinson Systems manufacturer Innovation, R&D, Sales Wokingham 489 1,503 No
Medtronic Systems manufacturer Research, Design, Manufacturing, IP Watford 692 888 No
Smith & Nephew Systems manufacturer R&D, Sales, Manufacturing Watford 4,309 19,094 Yes
Information Technology (IT)            
Amazon Systems manufacturer R&D, E-commerce, Cloud services, Sales, Logistics, Support Manchester 50,896 8,679 No
Microsoft Systems manufacturer R&D, Software development, Sales, Collaboration through programmes Reading 6,284 4955 No
Sony Systems manufacturer R&D, Sales, Support Surrey 3,435 2,730 No
Semiconductor            
Arm Design Design, IP, R&D, Sales Cambridge 2,170 5,901 Yes
Qualcomm Design R&D, Design, IP, Sales Cambridge 2,360 757 No
Intel IDM Design, R&D, IP, Sales Swindon 5,100 588 No
Sensata Technologies Front-end manufacturing Manufacturing, Sales, Support services Swindon 3,329 20,800 No
Keysight Technologies Software EDA tools, R&D, Semiconductor specific software development, Sales Reading 151 555 No
Telecommunications            
Vodafone Systems manufacturer R&D, Telecoms infrastructure, Retail, Technical support Berkshire 40,140 98103 Yes
Ericsson Systems manufacturer R&D, Design, Network services, Telecoms activities Manchester 665 1,417 No
Nokia Systems manufacturer R&D, Sales, Technical support Bristol 441 891 No

Source: RSM’s analysis of FAME, Tracker, Literature, Company Website, and LinkedIn data

5. Projected market for CHERI

5.1 Introduction

This chapter addresses RQs 3 and 6:

  • RQ3: What might the potential CHERI market look like in terms of its size and scope, in accordance with the parameters set out above, over the next ten years?

  • RQ6: What is the current and projected demand for CHERI technology across semiconductor designers, manufacturers and system manufacturers in this potential market including:

    a. Barriers and enablers to this demand.
    b. Any preparations that have been undertaken/need to be undertaken in anticipation of this potential demand
    c. How demand (and its barriers and enablers) differs by sector, company size and location.

To address these, we have taken two main sources of evidence:

  1. Review of published evidence on the UK economic footprint of key sectors critical to CHERI adoption, and their prospects for the next ten years, supported by an in-house model projecting relevant sector trends where good external evidence is not available.

  2. Qualitative interviews with companies across the supply chain, plus industry representative bodies, and stakeholders within the DSbD programme and Central Government.

We have used this information to provide:

  1. An overview of the scale and growth prospects of the potential market for CHERI in the UK, with economic forecasts for key sectors critical to CHERI adoption.

  2. The barriers and enablers, across the whole economy, to adoption of CHERI in the market.

  3. Case studies of critical sectors which have emerged from the research as particularly impactful, or which have the clearest path to market, setting out the specific barriers and enablers, and the time to market.

However, the research has not been designed to provide a formal assessment of the size and scope of the semiconductor market, or the market for CHERI, in the UK, nor an estimate of the number of semiconductor firms currently active in the UK market.

5.2 Summary

  • The DSbD programme has been successful in providing a working CHERI technology platform prototype based on a high-powered general purpose Arm processor. It has also catalysed development of CHERI for smaller, more specialised microcontrollers.

  • With the exception of the Codasip processor, these developments are still prototypes that would need further development and investment to be ready for the marketplace.

  • The barriers to adoption of CHERI at this point are largely economic – ultimately, whether there any customers who value the benefits of increased security enough to pay for the adoption costs: of developing a new commercial processor, and adapting the existing hardware and software ecosystem to support it in their sector.

  • We find that for the market with the greatest volume of sales of high-powered processors, and influence on chip innovation – mobile devices – it appears that the cost of adoption is still considered too high for a customer to place an order with Arm to take the next step up from Morello and create a fully optimised commercial grade processor incorporating CHERI.

  • There are however routes to market through simpler processors for embedded systems. An open-source microcontroller design has emerged from the DSbD programme (Microsoft’s CHERIoT), and a processor is now commercially available through Codasip. For a “greenfield” application without a sizable code base to update, this route may be cost-effective and enable innovation through increased security.

  • The most likely first adopter of these simpler processors would be IoT or embedded technology. The UK defence establishment is also investigating CHERI and has structures in place to adopt it – albeit at low volume - independently of the global marketplace. The automotive and telecoms infrastructure sectors offer strong security and safety cases for CHERI adoption, although the complex global supply chain is a barrier.

  • The outlook for the key CHERI sectors and semiconductor market segments in the UK shows some strengths:

    a. IoT/embedded technologies and telecoms are growth sectors in the UK. IoT benefits from world-leading activity in standards setting and consumer safety regulation which provides confidence for innovating firms. Telecoms requires significant inputs from global supply chains; however, supply chain resilience is a key goal of UK government policy in future telecoms, so this is an area under active investigation.

    b. Defence expenditure is determined by Government policy; recent announcements have suggested that an increase as a share of UK GDP is being sought, and the new “Secure by Design” procurement policy provides an avenue for requiring or recommending CHERI in new technology designs.

    c. While manufacture of chips is not a UK strength, chip design/IP, systems R&D and integration, software and cyber security services are UK growth sectors. If CHERI sees global adoption, the UK will be well placed to provide design inputs, and consultancy, based on the ecosystem of CHERI R&D that DSbD has supported, and the expertise that this has built in R&D and support services.

To understand general economic trends such as GVA and employment in the sectors where CHERI adoption may be possible within ten years, we constructed a baseline projection of the key sectors who may benefit most from CHERI adoption. The primary aim of the baseline projection is to present an indicative measure of the size of the potential market within which CHERI could play a role in the coming years till 2035, i.e. they provide an estimate of the GVA of CHERI-relevant sectors, and an indication of whether these sectors are expected to grow or shrink over the next ten years.

The scope of these market segments is defined using the ‘105 SIC’ industry classification from the ONS Supply-Use Tables. Where these overarching sectors are not clearly defined, individual SICs with relevant descriptions, identified previously as part of the market research (see Chapter 3), are added together. Table 14 gives a detailed description of the SICs included in each of the overarching sectors and the reason for their inclusion in the sector scope.

Table 14: Sector definitions

Sector/SIC Reason for inclusion
Automotive Modern vehicles are increasingly reliant on computer systems and semiconductors for functions ranging from engine control to infotainment systems. Implementing CHERI could enhance the safety and reliability of these systems.[footnote 87]
C29: Manufacture of motor vehicles, trailers, and semi-trailers Includes companies that manufacture motor vehicles. Companies from this sector were identified as part of market research.
C45: Wholesale and retail trade and repair of motor vehicles and motorcycles Includes companies that trade and repair motor vehicles. Companies from this sector were identified as part of market research.
Information Technology (IT) IT systems are ubiquitous and often deal with sensitive data. These systems also rely heavily on semiconductors. CHERI could provide enhanced security, protecting systems from memory-based attacks.[footnote 88]
62: Computer programming, consultancy, and related activities Includes companies that provide computer programming, software development and publishing services. Companies from this sector were identified as part of market research.
63: Information service activities Includes companies that provide information technology services using infrastructure heavily reliant on semiconductors. Companies from this sector were identified as part of market research.
Telecoms Telecommunications use network equipment and end-user devices which heavily rely on semiconductors. The application of CHERI could improve the security of these networks, protecting them from potential cyber-attacks.
J61: Telecommunications Includes companies that deploy, maintain, and manage wired and wireless telecommunication networks and provide telecommunications services. Companies from this sector were identified as part of market research.
Defence Semiconductors are used in various defence equipment like radars and missile guidance systems, CHERI can enhance the safety of these defence systems which are vital for national security.[footnote 89]
O84: Public administration and defence. Compulsory social security Includes companies that provide defence equipment, systems, and services, where CHERI can enhance safety.
Other  
Healthcare: C21: Manufacture of pharmaceuticals, Q86: Human health activities Semiconductors play a pivotal role in the operation of a wide array of medical devices and equipment, ranging from sophisticated surgical robots to fundamental blood pressure monitors. It also offers protection from threats originating from memory-based vulnerabilities.[footnote 90] Companies from these sectors were identified as part of market research.
Critical National Infrastructure: D351: Electricity generation, transmission, and distribution, D352_3: Manufacture and distribution of gas and fuels Semiconductors play an important role in various electricity and gas control and monitoring systems, where CHERI can enhance safety. Companies from these sectors were identified as part of market research.
Miscellaneous: C303: Manufacture of air and spacecraft and related machinery, C3316: Repair and maintenance of aircraft and spacecraft, J59&J60: Sound recording, Music publishing, and Broadcasting activities Includes companies that manufacture, repair and maintain air and spacecraft related machinery, heavily reliant on semiconductors. Also include companies that provide sound recording, music publishing, and broadcasting activities using infrastructure which is heavily reliant on semiconductors. Companies from these sectors were identified as part of market research.

Trend projection approach: We have constructed our sector level real GVA estimates based on historical sectoral real GVA data from 2010 to 2022. We used this data to understand, on average, how the sectors have grown in response to UK’s real GDP growth over the same period. Based on this, we measured the average the historical responsiveness of the four CHERI relevant sectors and the ‘Other’ sector, to UK’s real GDP growth. Thereafter, we used these average historical relationships, assuming historical growths by sector and scaling to reflect the overall growth rate in the economy, to project sectoral real GVA up to 2035, based on long term real GDP forecasts published by the Office for Budget Responsibility (OBR). Where available, we incorporate sector-specific forecasts to improve our approach.

To provide additional context from similar work and to observe if similar trends are being seen, we compare our sectoral real GVA projections with NFER’s employment forecasts for sectors deemed relevant to CHERI. In October 2022, as part of the ‘Skills Imperative 2035’ programme, the National Foundation for Educational Research (NFER), generated long term sectoral employment forecasts in the UK. This was done in partnership with The Institute for Employment Research (IER) at the University of Warwick and Cambridge Econometrics (CE).

Data sources: Historical data on UK’s real GDP and sector-wise historical real GVA estimates are sourced from the wider Office for National Statistics (ONS) databases, including Supply Use (SU) Tables, and Input Output (IO) Tables. We base our sectoral real GVA projections on the long-term real GDP forecasts from the Office for Budget Responsibility (OBR).

Figure 9 and Figure 10 below set out our baseline projections for GVA growth by sector (it does not attempt to include any additional GVA growth as a result of adoption of CHERI in the sectors of interest). Thereafter, Table 15 lists factors that impacted the historic growth of the CHERI relevant sectors from 2010 to 2022. Following the presentation of the GVA projections by RSM, an attempt is made to isolate the expenditure incurred by the relevant sectors on semiconductors. For this, the intermediate expenditure incurred by the four CHERI-relevant sectors on electronic components is used as a proxy to provide the best possible ‘upper bound’ estimate. This is presented in Table 16.

Figure 9: Baseline GVA growth rate by sector, 2011-2035

Source: RSM analysis of data from ONS and OBR

Figure 9 presents the growth of sectoral real GVA from 2010 to 2035. The red line marks the transition point between historical growth rates between 2010 and 2022; and our projected growth rates from 2022 to 2035.

Figure 10: GVA level growth 2010 to 2035

[Insert Figure 10 here]

Source: RSM analysis of data from ONS and OBR

Figure 10 presents the sectoral real GVA levels from 2010 to 2035. The red line marks the transition point between historical data from 2010 to 2022 and our projections from 2022 to 2035. The chart has two vertical axes. the left shows sectoral real GVA over the years, and the right shows the UK’s real GDP for the same period.

5.3.1 Growth drivers and blockers

A non-exhaustive list of factors that both positively and adversely impacted the growth of the key sectors between 2010 and 2022 is set out below.

Table 15: Growth Drivers and Blockers

Determinants Driver Blocker Likelihood of impact continuing to 2035
Technological advancements Driving growth across multiple sectors (e.g., development of electric vehicles in automotive, 5G and Full Fibre connections in telecoms, AI in IT) Development of new technology outpacing regulation, security considerations and supply Likely to have significant impacts to 2035
Government policies and support programmes Government policies and programmes can be major drivers in promoting the adoption and deployment of new technologies. The UK’s exit from the EU has created uncertainty around trade regulations and supply chain logistics for several sectors including telecoms, automotive, and IT.[footnote 91] Likely to some impacts to 2035. The national semiconductor strategy, cyber security strategy and integrated review are likely to be significant. For CHERI, the current DSbD programme ends in 2025, though the programme team is investigating follow-on options.
Growing security threat and awareness of threat (driven by AI) Increased emphasis on security especially for environments where safety and resilience is important. Security techniques and technologies keeping pace with an evolving threat environment. Likely to have an impact to 2035.
COVID 19 Pandemic In the IT and telecoms sector, the pandemic accelerated the adoption of digital technologies. In the defence sector, the pandemic accelerated digitisation with a few companies claiming to have completed a year’s worth of transformation in mere weeks.[footnote 92] The COVID19 has had a profound impact on most sectors in the UK through lockdowns and less cashflow, companies shutting down or being taken over. Globally, it led to supply chain disruptions and increased cyber security risks.[footnote 93] Unlikely to have significant impacts going forward.
Semiconductor Supply Chain Complexities There are regional specialisms for different parts of the supply chain (e.g. the UK is a specialist in in chip design IP) The pandemic and other factors led to a shortage of semiconductors in 2021, mostly affecting the automotive industry. This highlights vulnerabilities in the UK semiconductor supply chain, which largely relies on Asia as a hub of semiconductor manufacturing.[footnote 94] High margin, high-cost chips took precedence ahead of low-cost chips following the pandemic in 2020 and 2021, so lower cost chips were more severely affected by shortages. The semiconductor supply chain is global yet regionally focused, and the pandemic revealed it to be somewhat fragile. While the pandemic impacts specifically are not a concern looking forward, other pandemics; conflicts and natural disasters may cause future shortages.
Geopolitical tensions and conflict   Conflicts and geo-political tensions could lead to further semiconductor shortages due to shortages of raw materials used in semiconductor production or production of other technologies (e.g., critical minerals used in batteries sourced from areas such as Congo) Likely to continue

We have taken four key sectors for CHERI adoption identified in previous chapters – automotive, IT, defence, and telecoms – and researched their current size within the UK economy, their expected growth over the next 10 years, and (as a proxy for semiconductor use) estimated their business expenditure on electronic components (EEC). Table 16 below summarises these, alongside an “Other” category containing all other industries with significant expenditure on semiconductors such as CNI and healthcare, audio and video broadcasting, amongst others.

Table 16: Current and projected GVA and expenditure on electronic products

Sector Description 2021 values (£ million) 2022 values (£ million) Projected values (2035) Growth to 2035
Automotive        
GVA (/£m) 35,952 36,189 37,670 4.09%
Expenditure on electronic components (/£m) 1,308 - 1,371 4.81%
Expenditure as proportion of GVA 3.63% - 3.63% -
IT        
GVA (/£m) 63,087 71,565 118,421 65.47%
Expenditure on electronic components (/£m) 1,224 - 2,298 87.75%
Expenditure as proportion of GVA 1.94% - 1.94% -
Telecoms        
GVA (/£m) 35,583 33,249 54,519 63.97%
Expenditure on electronic components (/£m) 2,604 - 3,989 53.19%
Expenditure as proportion of GVA 7.32% - 7.32% -
Defence        
GVA (/£m) 21,878 23,922 27,838 16.37%
Expenditure on electronic components (/£m) 4,109 - 5,229 27.26%
Expenditure as proportion of GVA 18.78% - 18.78% -
Other        
GVA (/£m) 163,497 170,893 211,250 23.62%
Expenditure on electronic components (/£m) 17,292 - 22,343 29.21%
Expenditure as proportion of GVA 10.58% - 10.58% -
Total expenditure on electronic components (/£m) 26,537 - 35,230 32.76%
Total GVA 319,997 335,818 449,698 40.53%

Source: RSM analysis of ONS and OBR data, Supply Use Tables, Input-Output Tables, and MOD annual accounts.

5.3.2 Key takeaways from GVA projections on the growth potential of possible sectors for CHERI adoption:

  • The automotive sector is expected to show the least amount of growth both in terms of GVA between 2022 and 2035 (4.09%), and EEC between 2021 and 2035 (4.78%);

  • Amongst the four key sectors analysed in detail, EEC as a proportion of GVA is the greatest in defence (18.78%), followed by telecoms (7.32%), and automotive (3.63%), and IT (1.94%);

  • The defence sector is heavily reliant on advanced electronic components for a wide range of applications, from communication systems to weaponry and surveillance equipment. The high-tech nature of defence equipment often requires significant investment in electronic components, leading to a high EEC/GVA ratio (a proxy measure of the importance of expenditure on semiconductors for the sector).[footnote 95]

  • The telecom sector is at the heart of the digital economy, providing the infrastructure for communication and data transmission. This sector requires substantial investment in electronic components for network equipment, data centres, and user devices, leading to a high EEC/GVA ratio.[footnote 96]

  • The automotive sector, despite its increasing reliance on electronics, has a lower EEC/GVA ratio (3.63%). This is likely because the cost of electronic components is spread over a large number of vehicles, or that other costs (like materials, labour, and marketing) make up a larger proportion of the value added in this sector.[footnote 97]

  • The IT sector, despite having the highest growth in GVA and expenditure on electronic components, spends a relatively smaller proportion of its GVA on electronic components (1.94%). This is indicative of the IT sector’s ability to generate a high value with a relatively lower investment in electronic components, possibly due to factors like high value-added services, high labour productivity, efficient use of resources.

5.4 Sector level case studies of adoption

This section explores CHERI adoption at a sector level, presented as case studies. These have been developed from interviews, published reports, and presentations at the DSbD All Hands event on 13th March 2024. Each case study includes:

  • A summary of the baseline projection;
  • Why CHERI adoption would be beneficial in this sector;
  • Possible routes to adoption and factors that would support adoption;
  • Sector-specific challenges for adoption;
  • Other sectors that may have similar drivers and barriers to adoption.

Other sectors were identified in the desk research and interviews. These included finance, health and critical national infrastructure such as energy and water transmission., and they are included in the “other” category in Table 14 and Table 16. We have chosen to focus on the four sectors below as the information from conversations and events was richer for these sectors. They also represent good examples of barriers, enablers and routes to adoption that could apply to other technologies. For example, there are similar issues for utilities as there are for telecoms infrastructure (in terms of responsibility for having a large estate of equipment to access, maintain and update). Energy transmission grids need embedded systems for process control, so this case study is also relevant. Health and automotive have very stringent safety standards.

5.4.1 Telecommunications

This case study considers mobile devices and telecoms infrastructure separately as there are different routes to adoption, challenges and barriers for CHERI.

Historical trends
The telecoms sector displays highly volatile GVA fluctuations between 2010 and 2022 during which time, the sector grew by 300%. In terms of GVA, the sector recorded a rapid growth from £8.1 billion in 2010, peaking at almost £50 billion in 2020. Between 2021 and 2022 Telecoms GVA fell by 6.6% followed by a further decline of 13.2% from 2021 to 2022, when it recorded a GVA of £33.2 billion.[footnote 98]

The rapid growth in the telecoms sector between 2010 and 2020 can be attributed largely to a rapid advancement in technology with the introduction of 4G in 2012 and 5G in 2016[footnote 99] [footnote 100]. During this time, IoT devices in the UK have also grown from 13 million in 2006 to 150 million in 2024.[footnote 101] The government has also actively sought to advance 5G networks and use cases through programmes such as 5GTT and 5GIR, among others[footnote 102].

The decline in telecoms GVA between 2020 and 2022 can in part be attributed to the banning of high-risk vendors such as Huawei, which hindered the deployment of new networks and the development of edge use cases.[footnote 103] The impact of remote working due to COVID-19 is unclear; this should have stimulated demand for telecoms services, but this will have been withdrawn to some extent as the pandemic subsided.

UK GVA projection
RSM’s sectoral GVA projections indicate that the current level GVA of the Telecoms sector of £33.3 billion is expected to increase by 64% by 2035 to £54.5 billion in real terms. Expenditure on electronic components in the telecoms sector is expected to increase by just over 51% from £2.6 billion in 2022 to £4.0 billion in 2035.

The GVA projection anticipates that the telecoms sector will consistently outpace the UK’s GDP growth, reaching a peak of 4.84% and 4.93% respectively in 2026, and settling at 4.27% and 4.35% by 2035. NFER’s employment forecast also projects that growth would surpasses the UK’s employment growth, but at a significantly higher rate, exceeding 7%.

Explaining the projections
According to RSM’s sectoral GVA findings, the telecoms sector is expected to grow throughout the period from 2023 to 2035. The GVA has a continuous growing trend with slight fluctuations starting at £33.4 billion in 2023 and peaking at £54.5 billion in 2035.

Potential for adoption in mobile devices
The mobile device market has grown considerably in the past few years. As per a market report by Deloitte, over 90% of mobile users own a smartphone in the UK in 2023, with over 25 percent of the phones being sold back into the marketplace.[footnote 104] The number of active mobile subscriptions was over 83 million by March 2022.[footnote 105] The market for smartphone hardware products reached approximately £1.9 billion in 2020.[footnote 106]

Looking ahead, it is predicted that 95% of the UK population will be smartphone users by 2025[footnote 107], with the telecommunications industry projected to invest $342 billion in their networks in 2027 alone.[footnote 108]

Timelines for adopting new technology are quite quick. Interviewees estimate it would take 5-6 years for a new technology such as CHERI to be adopted into mobile phones. This is driven by factors such as how frequently end users update or upgrade technology - 38% of UK users change mobile phones every two years, and 31% change them every three years.[footnote 109]

On a global scale, the number of mobile devices operating worldwide stood at almost 15 billion in 2021 and is expected to reach 18.22 billion by 2025.[footnote 110] The global smartphone market size was valued at US$457.18 billion in 2021 and is projected to grow to US$792.51 billion by 2029.[footnote 111]

The business case for the DSbD programme set out a primary vision to develop a new and secure computer hardware approach, “overcoming existing market failures and radically updating the foundation of the insecure digital computing infrastructure that currently underpins the entire economy”. A specific goal was to prove the technology “in at least two major industrial markets”.

A key indicator for the eventual success of the programme will be the market share of operating systems which support new technology (through some combination of a CHERI-capable processor and an operating system which enables its use). Arm have been significantly involved in the programme as the developers of the technology platform prototype. Their Morello Board platform is based on the Arm Cortex-A processor, a complex, fully featured processor which has a dominant position in the marketplace for smartphones, tablets, and other mobile devices. Because the number of operating systems with significant penetration in this market is low, the actual number of companies that would need to adopt the technology to build market share is very small. The key players are:

  • Microsoft’s Windows ecosystem
  • Apple iOS
  • Google’s Android operating system (and Linux)

The market positions of these major operating systems have remained relatively constant since 2017. The concentrated nature of this market means that gaining commitment to adoption of CHERI from any two of them would open up a market share of roughly 60%. This has been seen as the most impactful route to market for CHERI since the genesis of the DSbD programme.

This market concentration has an impact on the economics of Arm’s activities as well. The amount of research and development time and effort required to develop, optimise, and test a processor as complicated as those in the Cortex-A class is enormous (of the order of 200-300 engineer years, or hundreds of millions of dollars of investment). The mobile device market is one of the very few high-volume, high-penetration ecosystems that drives the creation of new processors, and where customer demand for new features is sufficient to cover the expense of design and testing. However, an innovation such as CHERI would need to be designed in alongside other new features, in an environment where minimising the size of the chip as much as possible is economically advantageous. The CHERI circuitry would be competing for space on the chip against other features for which there would be more established customer demand, such as efficiency (balancing battery life against computing power), display quality, cameras and image processing, mobile gaming power, networking and AI processing[footnote 112].

An additional barrier to adoption is the scale and complexity of the existing software ecosystem on each mobile platform. The operating system would need to be rewritten to support and enable CHERI features in a way which was backwards-compatible with all the software publicly available on the various “app stores” associated with each operating system, across all the mobile devices which would use the new processor. The operating systems are mature and feature-rich, and the amount of software redevelopment work would be considerable[footnote 113].

The position for CHERI is therefore that it is unlikely that there will be demand from the three major ecosystems for CHERI to be integrated into the next iteration of Arm’s processors, and without that there is no economic incentive for Arm to do so unilaterally. This was a consensus view among interviewees, and research from the Discribe Hub+ in 2021 suggested that hardware security tends to only be prioritised as a result of compliance or regulatory needs, rather than pursued as an independent end-goal. This could change through regulatory pressure, or if the actual and/or perceived security threat of mobile use becomes more prominent (for example, through a serious and well-publicised breach of mobile phone security).

Potential for adoption in telecoms infrastructure
The sector is highly capital-intensive, which has several implications:

  • Telecoms firms need to gain positive ROI from their technology investments, which can take many years. There is therefore a built-in lead time of at least five years for replacing hardware, and the “technology road map” for the firm is likely to be planned over the next five to six years. This inhibits rapid innovation.

  • However, the presence of a great deal of expensive equipment on telecoms sites, and the innate focus on connectivity in the sector, raises the security requirements. Memory safety technology in hardware would be highly beneficial, as the sort of memory errors that it prevents (such as buffer overflows) can be exploited to allow people access to internal networks and compromise the “estate” of the telecom’s provider and potentially their customers as well.

  • CHERI would not be needed in all parts of telecoms infrastructure but would be beneficial for safety critical functions. There is a clear understanding of what these safety critical functions are for telecoms, which is not the case for some other sectors.

  • Implementing memory safety in hardware makes sense because of the focus on expensive devices with an established code base and support ecosystem. While there would be an initial cost to edit and recompile software for CHERI-capable hardware, this would almost certainly be less than the effort to rewrite software from scratch in a memory safe language such as Rust[footnote 114]. Updating code to take advantage of other evolving technologies (quantum computing, AI etc) would also be an opportunity to build in CHERI simultaneously.

Telecoms interviewees that are familiar with CHERI consider the technology to potentially be highly beneficial – a “game changer”, according to one interviewee. However, there are supply chain issues. Adoption of the hardware would require mass production of CHERI processors. The sector has a mixed supply chain, with a very small number of large-scale suppliers of the most complex equipment, plus smaller suppliers of individual components, systems and services. These would all need to be convinced to include CHERI in their technology roadmaps.

The telecoms industry does not have particularly high margins[footnote 115] and so there is a limit to the willingness of companies to pay a premium for improved security – “we cannot provide security in a business that doesn’t make money”. The marketplace for consumer telecoms services is highly competitive, and so passing costs onto the customer base is challenging.

The key economic argument for adopting CHERI would be reducing the total lifetime cost of equipment, by reducing the costs of maintenance to offset the initial cost of adoption.

  • The initial adoption costs come from rewriting and validating the software environment, as well as the cost of the hardware itself.
  • Cost reduction would come through the reduction of maintenance through continual patching of software to address vulnerabilities that are discovered during use. This involves the entire supply chain; telecoms firms have contracts with suppliers for them to keep rebuilding code to address reliability.

Senior leaders in telecoms firms will inevitably be aware of cyber security issues and have a strong focus on these, due to the need to protect their capital investments from intrusion and safeguard the security and privacy of their customers. Awareness of CHERI itself is much lower according to interviewees.

  • There is therefore a need for a more holistic conversation about the benefits of CHERI to spur adoption, moving beyond consideration of the technical benefits alone to consider the long-term economic benefits and the potential to differentiate from the competition on security.

5.4.2 IT

Historical trends
The IT sector’s GVA figures from 2010 to 2022 show a general upward trend, with some fluctuations. Starting at £42.6 billion in 2010, it peaked at £71.5 billion in 2022. While this can be attributed to several factors such as emergence and boom in AI and a general advancement in digital technologies such as IoT. Specifically, it should be noted that the highest growth in the IT sector was recorded in 2021 (6.89%) and 2022 (13.44%). These high growth rates are indicative of the acceleration in the digitisation of the several sectors owing to the COVID-19 pandemic.[footnote 116]

UK GVA projection
RSM’s sectoral GVA projection predicts a higher growth rate for IT compared to the UK GDP, which aligns with the employment forecast’s prediction of growth rates exceeding 7%.

Our GVA projection anticipates that the IT sector will consistently outpace the UK’s GDP growth, reaching a peak of 4.84% and 4.93% respectively in 2026, and settling at 4.27% and 4.35% by 2035. NFER’s employment forecast also projects that growth would surpass the UK’s employment growth, but at a significantly higher rate, exceeding 7%.

Explaining the projections
As per RSM’s sectoral GVA projection, the IT sector is expected to grow in tandem with UK GDP throughout the period from 2023 to 2035. The GVA has a continuous growing trend with slight fluctuations starting at £71.8 billion in 2023 and peaking at £118.5 billion in 2035.

Emerging technologies such as IoT and Digital Twins could be perceived as significant growth drivers for the IT sector moving forward.[footnote 117] These emerging technologies have the potential to enable predictive maintenance, speed development, increase efficiency, reduce costs, and mitigate risk.[footnote 118] The adoption of Digital Twins is expected to expand, with a projected average increase of 36% over the upcoming five years.[footnote 119] IoT is also expected to grow in market volume of $48.70 (£38.6) billion in the UK, by 2028, representing a CAGR of 11.8% between 2024 and 2028.[footnote 120] Apart from this, AI is a growth driver that affects both the IT and the telecoms sector significantly. The changes to code to make use of these technologies may enable adoption of CHERI (if people are re-compiling code to make best use of AI for example, they could also integrate CHERI at the same time.

Key market segments for CHERI adoption
As this is a very broad sector, encompassing a wide range of applications, we have narrowed our focus to IoT and embedded systems.

Potential for adoption in IoT and embedded systems
According to DSbD publications and our interviews, many of the sectors that would benefit from CHERI adoption would not require an expensive, full-featured, general purpose CPU, but rather a smaller, cheaper class of processor that is specialised for a few specific tasks. These would include cyber-physical systems, embedded systems, automotive (dealt with separately below), industrial process control, and smart consumer devices including smart home monitoring, energy and metering.

The economics of adoption for these sectors are relatively advantageous:

  • The individual processors are simpler and cheaper, the cost of design is lower, and there are open-source technologies and designs which can be used as a basis for experimentation and innovation. CHERIoT/Sonata Boards have a much lower unit cost than Morello and Symphony (around £300-400 compared to £10,000) which makes it a more attractive market for hobbyists as well as for use in commercially available embedded systems products.

  • The product range is diverse and, in many cases, does not carry the burden of a mature ecosystem with a codebase that would need updating. Adoption would require re-compiling several thousands of lines of code for some embedded systems applications, rather than billions of lines of code which would be required for systems such as Windows or Linux for mobile device operating systems and the apps that run on them. The best situation would be for an entirely novel product which can start from scratch and develop all code natively for CHERI.

  • In some areas (such as industrial process control or automotive), the security/safety case might be strong enough for CHERI to be worth the investment despite the adoption cost, particularly if CHERI can be shown to reduce the overall cost of ownership of a device (e.g. if a product has a long lifetime, reducing the cost of maintenance through patching is significant; if the risk and cost associated with a successful attack is great, the adoption case is stronger)[footnote 121].

  • Conversely, there are high-volume markets such as consumer IoT where although margins may be low, costs may be recoupable through volume sales.

  • The time to market for simpler consumer IoT devices may only be 2-3 years; longer for embedded devices in the industrial context.

It is in these sectors in which CHERI innovation over the course of the DSbD programme has moved closest to market adoption, through developments based on the RISC-V open-source processor architecture:

  • The CHERIoT programme – a CHERI enabled small lightweight processor which has been developed by Microsoft as a DSbD demonstrator, but which is being donated into open source. This is currently being investigated for potential use in automotive, smart energy, and smart home monitoring.

  • The Sunburst demonstrator project, led by lowRISC, and its implementation of “Sonata” and “Symphony” development boards. “Sonata” is aimed at embedded systems; the higher-cost “Symphony” board is intended to be fuller-featured.

  • Perhaps most significantly, Codasip’s commercial implementation of a RISC-V based CHERI processor. Codasip’s potential customer list is commercially sensitive, but its website suggests a range of potential sectors of interest: AI, automotive, cameras and sensors, consumer and industrial IoT, wearables, and edge computing.

An example of a sector which combines high volume, a strong security requirement, and a case for government intervention in the national interest would be smart energy management.

  • The National Grid would benefit if it could balance energy demand at times of high usage by reducing power transmission to specific classes of device where safe to do so; for example, powering down freezers or diverting energy from renewable energy installations and home batteries for short periods of time during demand spikes.

  • This would have benefits across a number of Government policy areas including Net Zero, energy security, cost of living etc.

  • It would however require a large number of home and industrial devices to be able to communicate with the grid on demand, which would greatly increase the number of potential points of entry for an attacker. Securing these devices with CHERI would help to mitigate this threat.

5.4.3 Automotive

Historical trends
The automotive sector in the UK has experienced a series of fluctuations from 2010 to 2022. The sector started with a GVA of £41 billion in 2010 and reached its peak in 2015 with a GVA of £51 billion. This can in part be attributed to the growth in electric vehicles since 2010[footnote 122]. There has been a steady decline in automotive GVA from 2015 to 2022, with four consecutive years of negative growth between 2018 and 2021. This can in most part be attributed to the COVID-19 pandemic,[footnote 123] followed by the global semiconductor shortage.[footnote 124] 2022 saw a positive automotive sector GVA growth of 0.66% and a GVA of £36 billion.

UK GVA projection
In 2021, the Society of Motor Manufacturers and Traders (SMMT) published a robust forecast of the existing and new car market till 2035.[footnote 125] The report used the number of new cars and existing ‘passenger and registered cars’ as a proxy to measure the current and forecast domestic demand for cars in the UK. It based its forecast of the current and new car market on several factors including:

  • Transition of the UK car market from internal combustion to zero emission till 2035;
  • Likely government fiscal support in terms of reduced VAT;
  • Likely infrastructure readiness including car charging points; and
  • Likely supply of internal combustion and electric cars in the future.

The Automotive sector GVA estimates are based on the SMMT forecast of the quantity of passenger and registered cars in the UK till 2035. Based on the SMMT report forecasts, the Automotive market is expected to recover gradually and peak in 2028 with a GVA of £37.7 billion. This, it forecasts, would mainly be accounted for by an increase in demand for electric cars, subject to government fiscal incentives and a supportive infrastructure. The report further forecasts that the demand would slightly fall from 2028 to 2030, resulting in a fall in forecast GVA to £37.4 billion. This is because consumers would be unwilling to switch technology from internal combustion to electric vehicles, the impact of which would be felt closer to the ‘end of sale year’[footnote 126] of 2030. Post 2030, the report predicts the demand to grow steadily till 2035, based on which the Automotive sector GVA is predicted to grow to £37.7 billion in 2035.

Using this forecast, the automotive sector is projected to grow slowly compared to the other sectors of interest. The GVA estimate predicts a peak growth rate of 1.16% in 2024, which is consistent with the modest growth rate of 1.87% predicted in the employment forecast.

Potential for adoption in the automotive industry
The automotive sector is interesting for potential CHERI adoption as there are features of the marketplace that are beneficial, and others that hinder adoption:

  • Vehicles can be dangerous to users and bystanders. There is a very strong case for adoption of some form of cyber security, due to the safety risks if a vehicle’s systems were to be compromised. Development in the industry is driven by agreed standards; in terms of functional safety, ISO26262, and for cyber security, ISO21434.

  • There is some potential for the government to influence the development of cyber security requirements and standards to include memory safety; however, many of the key standards involved are international so the UK would not be able to act unilaterally.

  • The AutoCHERI demonstrator, funded by DSbD, is developing a Telematics Control Unit using Morello to investigate security / safety / performance trade-offs and the impact of CHERI. However, even if a security/safety case can be proven, the sector has historically long lead times for innovation (say 5-8 years) because of the complexity of vehicle designs and the need to recoup investment in R&D and factory setup through sales of vehicles in volume over a number of years. Every new vehicle a manufacturer releases is a competitor to the company’s existing product line and reduces the ROI from its existing products.

  • This slow rate of adoption has consequences for the sorts of businesses that are able to participate in the sector. We have heard testimonies from the sector about companies that have developed new technology, signed agreements for them to be included in new vehicles, and ceased trading before the vehicles went on sale because they were unable to recoup enough value from their innovations to remain solvent. This leads to the sector being dominated by larger companies, or those with significant access to capital, and risk-aversion in innovation.

  • The electrification of vehicles has several consequences. One is that lead times are beginning to fall as mechanical systems become electronic and can sometimes be updated remotely without replacing parts. Electrification of vehicles relies on a lot more digitalisation of on-board architectures, leading to a requirement for more microprocessors per vehicle, connectivity between internal processors and the outside world, and increased potential for attack.

  • There is also external infrastructure (charging points) which are another potential area which could be compromised by an attacker. These could be a standalone technology area where Government could set memory safety requirements.

  • Safety-related issues carry liability which needs to be managed. There is a threat of external legal action if safety is compromised which affects how companies manage their procurement and contracting.

  • The industry has a very complex global supply chain. Modern motor vehicles, equipped with over 125 Electronic Control Units (ECUs)[footnote 127] , are now equipped with advanced connectivity features such as infotainment systems, GPS navigation, hands-free communication, smartphone integration, and automated functionalities.[footnote 128] Systems integrators have to specify requirements and contracts for a variety of suppliers of individual components and systems, who will be ultimately responsible for fulfilling their contractual requirements economically rather than end-user security and safety directly. The global nature of the suppliers means that incentives to address security are different depending on the system being supplied and the local and international legal environments.

    a. The international regulatory and legal controls across the global supply chain provide conflicting through-life objectives of safety, privacy, and access to data. The ResAuto demonstrator, funded by the DSbD programme, is explicitly investigating how to quantify the advantages of CHERI-based solutions in complex interconnected systems with sophisticated supply ecosystems and liability models. It is using an Automotive Braking System integrated with a real-time monitoring and compliance system as its exemplar for the demonstration.

  • The support ecosystem is complex, with a variety of standards and legacy software that would need to be updated if CHERI processors were adopted. Part of the issue would be backwards compatibility; there is a “long tail” of vehicles with very long lifetimes that still need maintenance and repair.

5.4.4 Defence

Historical trends
The GVA of the defence sector has seen periods of decline, followed by stability and then a period of growth. The defence GVA decreased from £22 billion in 2010 to £19 billion in 2013. This period saw a consistent decrease in the defence budget, with a significant drop of -6.72% in 2012. This could be attributed to the global economic slowdown and austerity measures implemented in many countries, including the UK.[footnote 129]

2014 to 2019 marked a period of stability with slight fluctuations such as a growth rate of 3.71 between 2016 and 2017. The years 2020 to 2022 saw a significant increase in defence GVA, with an 8.76% increase in 2021 and a 9.34% increase in 20221. Although not explicitly stated, this could indicatively be due to the global uncertainty caused by events such as the Russian invasion of Ukraine and the COVID-19 pandemic.[footnote 130]

UK GVA projection
The defence sector’s growth is projected to align with the UK’s GDP growth. This projection aligns with the employment forecast, which also predicts a steady growth rate for the ‘Public Administration and Defence sector’, mirroring the overall employment growth in the UK.

Defence expenditure is expected to be 2% of real GDP from 2023 to 2035. RSM’s analysis projects that the Defence sector GVA in the UK would range from £23 billion to £28 billion in the period between 2023 and 2025.

Potential for adoption in the UK Defence industry

UK Defence is a relatively small sector in the silicon market, but one with very strong intrinsic security and safety cases, and where UK Government is well placed to intervene by Policy and Regulation to specify memory safety or CHERI on pure security / national interest grounds rather than a consumer business case. This could help promote CHERI adoption in other areas.

A recent Government policy change, specifying a “Secure by Design” (SbD) digital procurement framework[footnote 131], provides a route to CHERI adoption. The SbD framework is developed by the Central Digital and Data Office in collaboration with the Government Security Group, the National Cyber Security Centre (NCSC) and industry experts. SbD is a strategic priority included in the Transforming for a Digital Future roadmap and the Government Cyber Security Strategy. The SbD framework changes the security emphasis from accreditation and demonstration of security at or near the end of a project, to the explicit requirement that security is addressed throughout the life of a project, from design onwards. CHERI offers an industry-leading route for future government or Ministry of Defence (MOD) procurement where cyber security in general or memory safety in particular is a requirement. The success of the DSbD programme, and the example of CHERI as a world-leading solution in improving security in compute, contributed to the thinking behind SbD.

Evidence of defence interest in CHERI is provided by the £1.5m Defence and Security Accelerator (DASA) competition that sought proposals from Defence and Security suppliers and Academia to experiment and evaluate the impacts of their extant code running on the Morello prototype. This MOD research call was part of the Cyber Defence Enhancement Programme to reduce the Cyber attack surface. Fifteen projects received up to £100,000 each to assess the benefits and challenges of deploying the CHERI protection platform in defence and security systems. The full results are not yet public, but nearly all projects were deemed successful, including one which translated around 200,000 lines of code into Morello applications. A larger-scale, MOD project (circa £13m), is the “Edge Avionics” project to demonstrate an avionics system testbed on the Morello platform at scale. The Edge Avionics project is around 3 years into a 4-year schedule, at the time of publication of this report.

The latter project gives some idea of the lead time for defence projects and other sector projects where the necessary supporting CHERI applications are immature. Typically, a procurement/design requirement takes around 2 years to develop, following which suppliers would need to design and build systems to fulfil the requirement, which would take around another 2-3 years. According to one interviewee, there is interest in CHERI amongst defence manufacturers, and interest in the RISC-V and FPGA packages that are becoming available to implement it, but some disappointment that there are no suitable commercial products (and supporting tools) available “off the shelf”.

Even if CHERI is being actively investigated now, it would therefore be at least 5 years before CHERI-enabled products were being delivered by the UK defence industry. However, the overall lifetime of defence equipment is such that it is not unusual for significant upgrades to be made during the lifetime of a particular product. For example, the lifetime of a fighter jet might be thirty to forty years, during which time it would not be unusual for its computing hardware to be replaced and/or for new capabilities to be added via software. It was reported in an interview that around 80% of the capability of military hardware such a fast jet is dependent on its software, so being able to add new capabilities in software, and be able to secure those with a CHERI-based system, could be advantageous for existing hardware as well as wholly new equipment – with the proviso that existing software would need to be adapted to run on CHERI.

The overall scale of the market is estimated to be of the order of thousands, or tens of thousands of processors. This would not be enough, at consumer market prices, to motivate a commercial designer to implement a new chip; however, the nature of the defence sector is that purchasers would be willing to pay over the odds for small runs of bespoke chips if they provided a unique capability or an effective solution to a particular problem.

Due to security concerns, the exposure of technology would most likely be slow and limited, and some use cases and technological advances would not have any impact on the wider commercial market. However, UK Defence has been a supporter of open source technology for non-secret applications because this allows for testing and innovation in the R&D ecosystem, which provides a route for defence implementations of CHERI to diffuse into the wider marketplace. Indeed, it is Defence that funded the fundamental research on CHERI, via DARPA (USA). Defence Military may be a relatively small sector by market share but it is a key driving force. Work on defence technology could also help support the growth and maintenance of CHERI-related skills. Defence has also historically been heavily involved in the development of international standards which have then become requirements in other sectors.

5.5 Key takeaways about the potential market for CHERI as a whole

Globally, mobile devices are a key driver for innovation in the most complex and powerful microprocessors, and – for the moment – it appears that the costs of adoption are too great for CHERI to become a requirement in any of the three major mobile device ecosystems, which all use Arm processors.

However, the Arm Morello processor is not the only design to have been funded or catalysed by the DSbD programme. The level of innovation coming out of the DSbD programme in smaller processors such as microcontrollers, suggests that CHERI technology might be adopted first in IoT or embedded systems. This sector could potentially adopt CHERI through a RISC-V based processor, such as the Microsoft CHERIoT design (now released as open source and under active development for commercialisation by a UK chip design start-up, SCI Semiconductor) or Codasip’s commercial processor.

The UK would be in a relatively good position to benefit from this growth; the UK is a world-leading contributor to international standards for IoT devices, and the IT and cyber security sectors are forecast to grow strongly. With the UK as a centre for knowledge on how to use CHERI, there is the prospect for native growth in the first niche applications of CHERI technology, and more widely as a centre for software development, systems support and consultancy if CHERI is adopted worldwide.

The defence sector also offers a path for the UK government to act directly by directing expenditure towards secure systems and using the new “Secure by Design” procurement approach to define what is required in terms of memory safety. The industry could possibly provide demonstrations and use cases applicable to other sectors, but due to security concerns the exposure of technology would most likely be slow and limited. A rough estimate would be 5 years before externally visible progress. Nevertheless, the sector offers a platform for UK expertise to be developed.

The automotive industry is a large sector with a strong security/safety case for CHERI adoption, but with a very complex global supply chain where many different actors have trade-offs to manage between safety, security, performance, and cost. Automotive manufacture is not expected to grow in the UK in the medium term, and the global supply chain is difficult to influence as a single country. However, there are pockets of design and R&D expertise in the UK which could benefit if CHERI begins to make its way into individual systems within vehicles that would benefit from memory safety.

Telecoms infrastructure is in a similar situation to automotive. It has a strong security business case because it is capital-intensive and connected by its nature; there is a high risk of attack, and the ongoing maintenance cost of defence against new attacks is high. There are however a small number of large suppliers who would need to include CHERI in their technology roadmaps in an environment where their customers operate in highly competitive marketplaces and have relatively low margins and willingness to pay for security. There is also a long lead time associated with the need for ROI on existing equipment. Nevertheless, this is a growing sector in the UK and one where standards and legislation connected with the telecoms resilience agenda provide a route for government to influence the market.

Considering all the above, IoT and embedded systems is likely to be the first market segment to commercially adopt CHERI, potentially within 2-3 years depending upon the success of design pioneers such as Codasip and SCI Semiconductor. For other sectors, the available evidence from publicly available sources, and our interview programme, is that external evidence of adoption is unlikely within 5 years, and the market barriers that we have considered above may mean that companies are not yet actively working towards CHERI adoption, which would mean that the product lead times have not yet commenced. The economic incentives and market conditions make this likely in many cases. It is however possible that another sector or company is currently working towards CHERI adoption without having been able to disclose this to us at interview.

5.5.1 Summary of barriers and enablers

In our consultations with industry and government, we asked about factors which were barriers or enablers to CHERI adoption, and whether they were “critical” factors which were necessary for CHERI, or less critical factors which would merely hinder or accelerate CHERI adoption. These barriers and enablers to adoption across the economy as a whole are covered in the figure below:

Figure 11: Summary of Barriers and Enablers to CHERI adoption

[Insert figure 11 here]

6. Emerging conclusions and recommendations

6.1 Conclusions

On the supply side, the critical decision-making sectors for adoption are chip designers and software development. The chip manufacturing segment is less critical for CHERI adoption as decisions to adopt CHERI would not be made in this sector. Key supply side firms to engage with include Arm, Imagination Technologies; EnSilica; Codasip, Broadcom and Qualcomm. Arm and Codasip have been involved in the development of CHERI products and there is evidence from interviews of some awareness of the technology from Imagination.

  • A key barrier to adoption will be the need to update existing software (operating systems and applications) to run on CHERI. The larger the existing codebase, and the more complex the ecosystem built around a particular product, the more prohibitive this will be.

Key demand sectors identified for CHERI adoption include telecoms, automotive, defence, IoT/embedded systems, utilities, finance and healthcare. Key firms to engage with in these sectors are outlined in Chapter 3. Many are Systems Manufacturers, including those (such as Samsung and Intel) who also produce chips in their own fabs. These are both important for supply and demand considerations in CHERI adoption.

  • The software barrier to adoption is more pronounced in sectors with mature and widespread ecosystems (such as mobile devices), or complex international supply chains (such as automotive); less so for novel products without a legacy codebase (e.g. some areas of consumer IoT or embedded systems). It is relatively simpler for vertically integrated companies such as Apple, Google, or Samsung, though this still depends critically upon the nature of the product and its ecosystem.

Initially CHERI was developed around the Arm architecture, but there is growing interest and engagement with RISC-V open-source ecosystem, and this may be the first chip architecture to see wider CHERI adoption. Intel’s x86 is the other main chip architecture and there appear to be little interest or appetite for adopting CHERI on x86 chips.

We identified 394 firms as potential adopters of CHERI through our market study[[1]][footnote 132]. We struggled to assess the level of awareness of CHERI among these firms due to a low response rate from our survey. However, interviewees were largely aware of CHERI (only three had not heard of the technology before we contacted them). Many, but not all, of the interviewees were involved in the DSbD ecosystem which has been the main driver of awareness of the technology to date. A rough assessment of the CHERI ecosystem based on participation in the DSbD programme, DASA CHERI for Defence competition and unfunded Morello Board Recipients is that 136 organisations including businesses, universities and government departments and about 875 people are aware of CHERI and have some experience of using it. Awareness is likely to be increased by the CHERI alliance which was launched at the recent DSbD All Hands event (March 2024). Papers by government and business also help to raise awareness of the technology.

Many of the people involved are in technical, cyber security and research roles. More work is needed to engage with senior decision makers to drive CHERI adoption.

We have explored possible scenarios for CHERI adoption in particular sectors. IoT/Embedded Systems look to be the sector that is likely to adopt CHERI first. This is where the economic case is strongest, and the barriers seem lowest. Defence and automotive also look like likely sectors for adoption. Mobile phones are the least likely sector to adopt of the ones identified for case studies as there are significant barriers for this industry.

6.2 Recommendations

6.2.1 Further funding to develop CHERI technology

Further funding beyond the life of the DSbD programme would help to address some important barriers, maintaining some key features that have enabled progress so far:

  • Improving the TRL of the technology (Barrier): Interviewees highlighted that CHERI is still at the stage of experimentation and research and not yet ready for commercial take up. In particular, more work is needed to explore the benefits of compartmentalisation and improve CHERI’s compatibility with other technologies, most notably Linux and Rust. For safety critical sectors such as automotive, significant and rigorous testing and validation would be required before adoption.
    a. Specific programmes could be funded to implement a version of Linux and supporting tools that run on one of the existing processors, or to develop an open-source design for a more fully featured application core processor. The latter would not be as fully featured as the Arm design but could be made powerful enough to run general purpose computing tasks and multi-task.

  • Sustaining the existing skills ecosystem and networks of people with experience in CHERI (Enabler): Interviewees also noted the existing ecosystem knowledge was an important enabler for CHERI adoption. While there is some frustration with some of the awareness raising activities, they generally agreed that the DSbD programme as a whole has provided several companies and academic researchers the opportunity to experiment with the technology. This means that most of the skilled workforce with the knowledge and experience of using CHERI are based in this country, giving the UK a competitive advantage. The programme is mentioned in the national semiconductor strategy and cyber strategy.

  • Opportunities for further innovation (Enabler): The DSbD ecosystem has allowed for the development of CHERI-specific skills and has led to the creation of at least one spin out company. Another company involved in the SME software ecosystem competition pivoted its business to focus on CHERI. This suggests that some innovation-focused people are working with CHERI. The increasing prominence of other technologies (quantum computing; AI etc) also require some software changes to be made to legacy code. If people are reviewing the code anyway, re-compiling in CHERI is something that could be done at the same time as updating for other purposes.

  • Use cases demonstrating that the technology works and delivers economic benefits (Enabler): Interviewees expressed that the programme had successfully proved the technology (CHERI) works and is effective in improving memory safety. However, more work is needed to explore use cases and the economic benefits from adopting CHERI. Supporting development of microprocessors at the microcontroller or mid-range application core level. Further R&D competitions or technology demonstrators, targeted on sectors of interest, could help in building the capability of the technology and raise awareness.

  • Regulation and standards (Enabler): Telecoms, automotive and other sectors identified are safety conscious with a high demand for security, resilience and integrity requiring a robust system for regulations and standards. At least three stakeholders said they thought this focus on standards and regulations would enable or drive the adoption of CHERI.

We therefore recommend DSIT closely observe and contribute to efforts to develop common nomenclature and standards. Examples where this approach has worked:

  • Consumer IoT policy – where the UK Code of Practice for Consumer IoT security was first incorporated into a global standard (ETSI EN 303 645), elements of which will be mandated in UK law from 29 April 2024 as part of the Product Security and Telecommunications Infrastructure (PSTI) Act.[footnote 133]

  • A code of practice for app store operators and app developers developed along the same principles as the consumer IoT work. DSIT has also announced its intention to publish a code of practice for software vendors to ensure software will be more secure.[footnote 134]

  • CHERI is not currently mentioned in CyBOK (the Cyber Security Body of Knowledge[footnote 135] and it would be good for it to be included, whether an addition to an area, or a new document. A case should be made to the CyBOK steering board to consider incorporating CHERI.

6.2.2 Procurement

Two government stakeholders mentioned procurement as a possible enabler for the adoption of CHERI. This issue was also raised at the most recent DSbD “All hands” event in March 2024. Stakeholders from DSTL highlighted recent Secure by Design procurement guidelines produced by the Ministry of Defence. This approach the previous accreditation system and sets out principles to ensure cyber security is considered early to manage risk. These principles are technology neutral, setting out good practice rather than specifying technologies to support good practice.[footnote 136] This is likely to be particularly significant for adoption of CHERI within Defence.

Nomenclature of “secure by design” has been adopted by Government: cross-Government Secure by Design Approach - UK Government Security, a digital procurement policy for departments and agencies. There is an opportunity to highlight CHERI as a recommended way to implement this in hardware.

Actions:

  • Ensure Government departments are aware of CHERI as a technology – lead from departments such as Defence which can provide use cases / demonstrations (via DASA/DSTL funding competition)

  • Ensure suppliers are aware also: adopt “memory safety” as a recommendation or requirement in procurement, alongside clear guidance on which approaches meet this standard.

6.2.3 Targeting marketing and awareness raising on key sectors

A key barrier identified by consultees was that cyber security is not seen as feature, it is largely perceived as a cost. The people or organisations who suffer the impacts of security breaches are not typically the same groups who make decisions about which security features to implement. DSIT’s annual Cyber Breaches Survey provides an average cost of a cyber breach, but does not expose the scale and extent of impacts to individual businesses which are successfully targeted. This report identifies several key sectors where adoption of CHERI would be beneficial. From our consultation, the sector most likely to adopt CHERI first is probably IoT/embedded systems. Sectors such as telecoms infrastructure and automotive also seem likely to adopt CHERI, but their overall adoption cycles for new hardware are longer. These then are sectors to focus on building awareness and targeting marketing at. We are aware that activities are underway in these areas, for example:

  • Sensible (not fearmongering) presentation of increasing hostility of online environment.
  • Briefings from NCSC, intelligence services etc.
  • DSIT have announced an intention to publish a Cyber Governance Code of Practice[footnote 137].
  • Collaboration with industry (e.g. through the recently announced CHERI Alliance) to help members recognise threats and respond better.
  • Help CEOs to understand the risks to their businesses.
  • Learnings from other projects focused on this area of research. (e.g. a future cost-benefit simulator being developed which will be available on the Discribe Hub[footnote 138], case studies[footnote 139].

Other actions that would support this work include:

  • Targeting awareness raising activities at senior decision makers in the key companies identified in Table 13.

  • Crafting messaging to highlight economic benefits over time of CHERI investment; marketing it as an investment with positive ROI, not an ongoing security cost.

  • Using case studies and real-world examples of security incidents that would have been prevented by CHERI.

  • Working with companies that are particularly influential over software ecosystems, such as Google, to help build awareness and share tools which they develop.

  • Monitoring levels of engagement and awareness with these organisations to understand the current baseline of awareness and how this may change over time.

  • Re-implementing the “bottom-up” company search methodology to study changes in the market, potentially refining the search terms manually or using a combination of AI and web-scraping to find more relevant companies.

Annex: Acknowledgements

This study was carried out by RSM UK Consulting LLP. The RSM Project Team comprised Jenny Irwin (Partner), Cristian Niculescu-Marcu (Director), Matt Rooke (Associate Director and Project Manager), Polly Jackson (Senior Consultant), and Vivek Rao, Samarth Padaliya and Aditi Mehrotra from the wider Economics Consulting Team at RSM UK.

Technical advice was provided by Rupert Baines of Real Wireless and Professor Siraj Shaikh of the University of Swansea.

We are grateful to the Project Steering Group at DSIT for their advice and guidance, the Digital Security by Design programme management team for their support in accessing contacts and relevant research, and all the companies and wider stakeholders who took part in interviews or completed our online surveys.

  1. UKRI, 2022 

  2. BCG & SIA, 2021 

  3. The DSbD programme’s comms team have been issuing “rapid responses” when new security vulnerabilities are discovered, drawing attention to incidents that CHERI technology would have mitigated or prevented. It would be a useful follow-up exercise to evaluate the effectiveness of this approach and the level of engagement generated. 

  4. A distribution of Linux adapted for an open-source or early-to-market CHERI processor was highlighted by consultees as a potential game-changer for allowing further experimentation with the technology. 

  5. Microsoft, 2020 

  6. Watson, Moore, Sewell, & Neumann, 2019 

  7. Watson, et al., 2020 

  8. MSRC Team, 2019 

  9. Stakeholder consultations 

  10. UKRI, 2024 

  11. RSM, 2023 

  12. Linaro, 2024 

  13. CHERIoT Platform, 2024 

  14. lowRISC, 2024 

  15. Amar, Survey of security mitigations and architectures, 2022 

  16. Fabless firms refer to companies that design and patent semiconductors but do not manufacture (fabricate) them. The manufacturing is outsourced to fabrication plants (“fabs”, also known as foundries). 

  17. BCG & SIA, 2021 

  18. BCG & SIA (2021) and Expert Consultation 

  19. BCG & SIA, 2021 

  20. BCG & SIA, 2021 

  21. Kleinhans & Baisakova, 2020 

  22. Kleinhans & Baisakova, 2020 

  23. Note: The percentages may not add to 100% because of rounding. 

  24. Adapted from Wallach (2021), which references a Statista database without specifying the original source of the data. 

  25. Embedded devices are a complete system designed to perform dedicated functions. For example, System-on-a-chip (SoC) in smartphones is an embedded device that integrates all of the components of the phone into one chip. 

  26. Defence and Security Accelerator, 2023 

  27. DSIT, 2023 

  28. Grisenthwaite, 2022 

  29. Rebert & Kern, 2024 

  30. Amar, Microsoft Sercurity Response Center, 2022 

  31. Furnell, Bada, & Kaberuka, 2022 

  32. DSIT, 2023 

  33. UKRI, 2023 

  34. Discribe, 2020 

  35. RSM, 2023 

  36. CISA, 2023 

  37. White House, 2024 

  38. (Grisenthwaite, 2022). This item has had 281 full text views and been cited in 1 paper. 

  39. Codasip, 2023 

  40. Rebert & Kern, 2024 

  41. Amar, Microsoft Sercurity Response Center, 2022 

  42. RocketReach is a professional contacts database tool that specialises in finding contact information of professionals worldwide. 

  43. The notation “N = 22” indicates that the analysis is based on 22 survey responses, both partial and complete. However, not all findings encompass all 22 responses, as some respondents, particularly those with partial responses, may have omitted or chosen not to answer certain questions. 

  44. Furnell, Bada, & Kaberuka, 2022 

  45. It should be noted that the SIC codes identified through the top-down approach may include activities are that not relevant to semiconductors. The entire SIC code cannot be attributed solely to the semiconductor industry. 

  46. DSIT, 2023 

  47. Intel, n.d. 

  48. FAME is a comprehensive financial database that provides detailed information on both public and private companies in the UK. It contains up to 20 years’ financial data, and includes company accounts, ratios, activities, ownership, and management details. 

  49. Tracker is RSM’s internal financial database. 

  50. It is to be noted that several companies identified in the bottom-up research do not fit neatly into industrial sectors that are mostly CHERI-relevant; they are found to be outside the core sectors identified by the top-down approach. This is because the semiconductor industry does not map neatly onto the Standard Industrial Classification. 

  51. Electronic Design Automation (EDA) tools automate the design process and are utilised for the efficient design of complex integrated circuits and chips, which can have up to 80 billion transistors. 

  52. Kuzior et. al., 2023 

  53. Khan, M. Saif 2021 

  54. BCG & SIA, 2021 

  55. White House, 2024 

  56. Guardian 2023 

  57. BCG & SIA, 2021 

  58. Dimerco, 2023 

  59. Center for Strategic & International Studies, 2022 

  60. 5nm chips are the new generation of silicon semiconductor chips with increased transistor density, high speeds and lower energy consumption. 

  61. World Economic Forum, 2023 

  62. DSIT, 2023 

  63. McKinsey, 2023 

  64. International Trade Administration, 2023 

  65. Statista, 2023 

  66. Investopedia, 2024 

  67. EDB Singapore, 2022 

  68. Led Wayline, tech360, 2022 

  69. IBISWorld, 2023 

  70. Indian Government, 2023 

  71. BBC, 2023 

  72. BBC, 2023 

  73. World Economic Forum, 2022 

  74. Martin Lindak, Hit Horizons, 2021 

  75. BCG & SIA, 2021 

  76. An SME (Small and Medium-sized Enterprise) is defined as an organisation with a workforce of under 250, a turnover not exceeding £50 million, or a balance sheet total below £43 million 

  77. Note: The percentages may not add to 100% because of rounding. 

  78. Note: The table includes 393 companies instead of the expected 394. The discrepancy is due to the absence of financial data for one company as its UK subsidiary’s name remains unidentified. However, this company, which is headquartered overseas, is relevant to the adoption and diffusion of CHERI

  79. The data consists of 19 outliers with turnover greater than £5 billion. When these outliers are removed, the GVA drops to approximately £70 billion. 

  80. Wallach, 2021 

  81. The enabling and catalytic impact of CHERI refers to its impact on the downstream user sectors through semiconductors, electronic components, and OEMs, among other things. 

  82. The direct impact of CHERI refers to the impact of firms involved in the direct production of CHERI. The indirect impact of CHERI is generated by firms along the core CHERI supply chain from designers, and software developers through to distributers and sellers of CHERI

  83. These include subsidiaries of firms, headquartered outside the UK, that generate less than £50 million turnovers within the UK. 

  84. DSIT, 2023 

  85. Almeida, P., & Kogut, B., 1997 

  86. Kerr et. al., 2017 

  87. Compound Semiconductor Applications Catapult, 2023 

  88. IoT Insider News Desk, 2024 

  89. Stakeholder consultations 

  90. De Mey, 2020 

  91. Meyers & Spingford, 2022 

  92. UK Defence Journal, 2020 

  93. Baker McKenzie, 2021 

  94. Burkacky, Coping with the auto-semiconductor shortage: strategies for success, 2021 

  95. Ministry of Defence, 2022 

  96. Lajous, Madner, Palermo, & van den Broek, 2023 

  97. Burkacky, Deichmann, Guggenheimer, & Kellner, 2023 

  98. DCMS/DSIT, 2024 

  99. 5GUK.co.uk, n.d. 

  100. House of Commons Library, 2024 

  101. Government Office for Science, 2021 

  102. RSM, 2023 

  103. DCMS, 2020 

  104. Deloitte, 2018 

  105. Uswitch, 2024 

  106. Deloitte, 2019 

  107. Laricchia, 2024 

  108. PWC, 2023 

  109. Uswitch, 2024 

  110. Laricchia, 2023 

  111. Globe Newswire, 2023 

  112. Richard Grisenthwaite, Chief Architect at Arm, explained some of the costs and constraints of processor development at Cyber UK 2023: CyberUK Online (2023) CyberUK 2023 - Plenary 4, Uploaded 8 June 2023. https://www.cyberuk.uk/2024/cyberuk-online 

  113. We understand that research on this topic is being carried out by key players in the market but have not had access to any findings for this study. 

  114. A consistent finding across sectors is that a software-led approach makes more sense in “greenfield” applications with genuinely new hardware and use cases, than for adoption into mature ecosystems. 

  115. Faber, 2023 

  116. DCMS/DSIT, 2024 

  117. Government Office for Science, 2021 

  118. Government Office for Science, 2021 

  119. Insights Desk - TechDemand, 2023 

  120. Statista Market Insights, 2023 

  121. One interview mentioned the finance sector as one where there may be niche applications requiring maximum performance and best-in-class security, such as automated trading, where the economics of adoption would be favourable even if the number of devices to be manufactured was very small. 

  122. IEA, 2021 

  123. House of Commons, 2023 

  124. Burkacky, Deichmann, Pfingstag, & Werra, 2022 

  125. The Society of Motor Manufacturers and Traders, 2021 

  126. As per the UK government, 2030 marks the end of sale year for internal combustion engine cars. Source: (GOV.UK, 2020) 

  127. Electronic Control Unit (ECU) is an embedded system in automotive electronics that control electronic systems in a vehicle. 

  128. Els, 2016 

  129. UK Government, 2013 

  130. House of Commons, 2023 

  131. The overall approach can be seen at Secure by Design Approach - UK Government Security; the implications for the UK defence industry are set out in an Industry Security Notice, ‘Secure by Design Requirements’ (ISN 2023/09, dated 21 July 2023). 

  132. Please note that this is not an estimate of the number of semiconductor firms active in the UK and should not be used as such, as the sector definitions are broader in the potential CHERI market. 

  133. DSIT, 2023 

  134. DSIT, 2024 

  135. University of Bristol, 2024 

  136. Ministry of Defence, 2023 

  137. DSIT, 2024 

  138. Shaikh & Mudassir 

  139. UKRI, 2024. This contains a list of story names, but it is not comprehensive, and items are not linked.