Opinion by: Norman Willox and Tom Patterson, Global Cyber Security Experts
When it comes to the imminent and tremendous advances in quantum computing, do you wonder what position the world will be in, in just a few years’ time? Do you wonder what government, industry, and our adversaries are doing, and what you should be doing?
The truth is that no one knows exactly what the state of quantum computing will be in the future, but there are already great strides being made by governments, academics, and industry around the world in the race for ‘quantum advantage.’ When quantum advantage is achieved, bad actors won’t need a sub-zero lab of their own but will most probably be accessing it via a cloud service, much like the advanced technology of ransomware that has been made available to every crook with a computer and a credit card today.
Defensively, key components of quantum resistance and encryption are now a reality, quantum communication is underway, and quantum clouds are beginning to become available for sensitive operations. The time for governments and companies to get ready is now. Our adversaries already are.
The threat to governments, critical infrastructure, and businesses large and small is most certainly real…it’s just math at this point. And these threats have already begun, with a new era of adversarial behavior called ‘steal now, decrypt later’ (SNDL). In these SNDL scenarios, adversaries are stealing large volumes of critical encrypted data that they cannot yet decrypt but are confident that their coming quantum computers will soon be able to. We also know that quantum-computer-supported encryption hacking will come online years before the more mature quantum systems evolve, again highlighting that the most valuable information should be protected now.
This matter is so significant that the President of the United States issued, on May 4th, 2022, a National Security Memorandum and an Executive Order (EO) aimed at securing the nation’s competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the nation’s cyber, economic, and national security. This is the fourth such action just this year.
Current public key encryption schemes rely on the outdated premise that it would take the fastest computers too many millions of years to be able to factor large prime numbers. So as computers got incrementally faster, we just added extra bits to the key length to keep that premise alive. As the rapid advances of quantum computers over this past decade have gone from science fiction to science fact, we are getting closer and closer to ‘Y2Q’, when a quantum computer can run Shor’s algorithm and read everything we’ve ever encrypted, regardless of key length. By then we need not only to have come up with better encryption, but also to have it adopted, distributed, installed, and maintained worldwide in advance. That takes years, so the time to begin that process is now.
A bipartisan bill, the Quantum Computing Cyber Preparedness Act, was introduced into the House of Representatives last month (April 2022), which seeks to speed, strengthen and provide regulation of quantum cyber security. The authors of this article both support this bill.
While the bill helps to highlight the tremendous risks associated with the adversarial use of a quantum computer to decrypt government files and communications, it does not address the same need in the 16 critical infrastructure areas of our private sector. While this bill is a welcome step, Congress could go even further in protecting private corporations and business from this emerging and potentially imminent threat.
The private sector owns approximately 85% of our critical infrastructure. Imagine if all our health records were laid bare, our banking information zeroed out, our transportation shut down, or our energy turned off. All these critical infrastructure sectors rely on trusted encryption to provide even the most basic of operations. Additionally, the Federal Government is supported by a very large defense and security industrial base that has extensive sensitive government and industry information. Protecting these critical supply chains is as important as protecting the agencies themselves.
In order to protect against bad actors using quantum computing in criminal, terroristic, or intelligence activities, we believe that every component of government and the critical infrastructure sectors should be implementing a four-step process immediately:
1. Conduct a complete inventory of where your organization uses encryption; document the specific encryption details including algorithm, key distribution, provider, and partner(s).
2. Begin to make your encryption ‘agile’ in a way that will allow for easier changes in the future.
3. Leverage the latest encryption available today, such as Messaging Layer Security (MLS), which is already designed to resist aggressive collection methods for communications and collaboration, and quantum generated shared keys for symmetric algorithms.
4. Research and test the NIST candidate ‘quantum resistance’ algorithms (available via the providers you’ve just inventoried), AND the newer ‘quantum encryption’ systems that rely on currently available use of quantum physics with random numbers, keys, and more, to provide provably secure encryption today with some existing algorithms.
We believe the above four steps are the key to success for today and tomorrow. A quantum proofing strategy today is needed and required. Finding the right talent, experts, partners, products, and tools to do so, and to keep delivering it into the future, will be paramount.
There is an understandable misconception that the threat of adversarial use of quantum computing is just for governments to worry about. But it has the potential to affect everyone and every business. Everyone has secrets, intellectual property and sensitive information that is the cornerstone of their business or life, and everyone is vulnerable when it gets out. Today’s ransomware has shown that the most sophisticated of cyber weapons quickly finds its way into criminal hands. So, what secret data do you have that you rely on systems to keep safe? Will you favor a product that can protect your information into the future, or doesn’t it matter to you?
Commercial data is far more prevalent than government data. With digital data and AI exploding at the moment, the digital value of information grows exponentially as does the threat and risk.
Much of this data is temporal - in that it is simply data that is linked to a state in time - so it won’t really matter if it’s decrypted by a future adversary. The HTTPS link you’re probably reading this article on is an example. However, other data, what we refer to as nontemporal or independent of time, needs to be protected well into the future. An example from news reports is when a foreign power made a copy of a database that included all the sensitive background information about the people that have US Government security clearances (both of ours included!). That’s nontemporal data that we would prefer to have remained safe for at least our lifetimes!
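An added example (not from the authors) showing how the inventory of step 1, the agility of step 2, and the temporal/nontemporal distinction above can be combined to rank encryption uses by steal-now-decrypt-later exposure. The record fields follow step 1; the `nontemporal` and `agile` flags, the 1 to 4 priority scale, and every system and provider name are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Families resting on factoring or discrete logarithms, the problems Shor's
# algorithm solves; a longer key does not move a record out of this set.
SHOR_BREAKABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}

@dataclass(frozen=True)
class CryptoUse:
    system: str            # where encryption is used
    algorithm: str         # e.g. "RSA-2048", "AES-256-XTS"
    key_distribution: str
    provider: str
    partners: tuple
    nontemporal: bool      # data must stay secret well into the future
    agile: bool            # algorithm can be swapped by configuration

def family(algorithm: str) -> str:
    """'RSA-2048' -> 'RSA'; assumes the 'FAMILY-parameters' naming used below."""
    return algorithm.split("-")[0].upper()

def priority(use: CryptoUse) -> int:
    """1 = migrate first ... 4 = not exposed to Shor's algorithm (assumed scale)."""
    if family(use.algorithm) not in SHOR_BREAKABLE:
        return 4
    if not use.nontemporal:
        return 3           # 'temporal' data: later decryption matters little
    return 2 if use.agile else 1   # long-lived secret; hard-wired algorithm is worst

def triage(inventory):
    """Order the inventory so steal-now-decrypt-later exposure comes first."""
    return sorted(inventory, key=lambda u: (priority(u), u.system))

# Constructed sample inventory; every name here is made up.
SAMPLE = [
    CryptoUse("public-web", "ECDH-P256", "TLS handshake", "ExampleCDN", (), False, True),
    CryptoUse("disk-encryption", "AES-256-XTS", "local TPM", "ExampleOS", (), True, True),
    CryptoUse("clearance-records", "RSA-2048", "key wrapped in HSM", "ExampleHSM",
              ("ExampleBackup",), True, False),
    CryptoUse("hr-archive", "ECDH-P256", "partner key exchange", "ExampleVault",
              ("ExamplePayroll",), True, True),
]

if __name__ == "__main__":
    for use in triage(SAMPLE):
        print(priority(use), use.system, use.algorithm)
```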
While we are sounding the warning bells to get ready for quantum computing, we certainly can’t end this piece without also extolling all the virtues that it will bring.
Quantum computing promises not just faster computing but computing in completely new ways. Entirely new problems can be crafted and addressed, communications can become instantaneous, universal, and secure, remote sensing will be a reality, and so very much more. Beyond code-breaking, sectors including fintech, pharma, logistics, communications, space, climate, and data analytics are all actively working to leverage the quantum computing on the horizon. In the 1960’s Albert Einstein famously called quantum computing ‘spooky.’ Today, with everything we now know, we find quantum computing exhilarating! It will take us to intellectual places we have never even imagined and solve problems we never thought solvable.
Welcome to the future.