“Addressing quantum cyber-threats should already be a high priority for cybersecurity professionals, according to Duncan Jones, head of cybersecurity at Quantinuum, speaking during the ISC2 Secure Webinar ‘The Threat and Promise of Quantum Cybersecurity.
Jones emphasized the significant differences between quantum & classical computing, both in operations and possibilities. One of the most significant of these is that while classical computers only have binary choices, 0 or 1, quantum computers are made up of ‘qubits,’ which “can have values that are combinations of 0 and 1.” This mixture is known as a ‘superposition.’ This enables calculations to be made in parallel. In addition, qubits can be connected, which provides the opportunity to model aspects of nature in their entirety. This aspect offers enormous potential in fields like drug discovery, where testing could be simulated rather than requiring lengthy and expensive trials.” (Info Security Magazine, 2022).
Quantum technology poses a significant risk to cybersecurity. Jones claims that in the next 10-15 years, quantum computers will be able to break existing encryption algorithms like RSA, Elliptic curve, and Diffie-Hellman key exchange. At the moment, quantum technologies do not contain enough qubits to mount an attack against these encryption methods, but we're heading in that direction. Additional impacted security functions could include public key infrastructure (PKI), HTTP/TLS, network security, payments, IoT, and blockchain.
Jones is also concerned about Internet of Things devices, as these devices have security mechanisms built into their chips (and cannot be upgraded.) Quantum attacks that are able to break through these security features could put millions of devices at risk, with no ability to upgrade.
“Despite these concerns, Jones emphasized that there are actions security teams can take now to secure their systems against the threat of quantum. He highlighted the National Institute of Standards and Technology (NIST)’s ongoing process to identify new algorithms “that we don’t think a quantum computer can solve any better than a classical computer.” It is currently at round three, a stage that will decide the algorithms selected for standardization. Jones added that we have been “spoilt” by algorithms like RSA, which provides both digital signatures and encryption. However, post-quantum algorithms will not be able to do both, with different algorithms required for different problems. Therefore, NIST is seeking separate algorithms for public key enabling (PKE) and digital signatures. Once round three has closed, the ‘winners’ will proceed to standardization, with the final standards set to be finalized in 2024. In addition, round four will subsequently try and identify further potential candidates” (Info Security Magazine, 2022).
Threat actors are likely stealing encrypted data right now, which could be decrypted later. This is alarming–as we may not be able to access this data in the future. Data that will still be relevant in 10-15 years could be at risk. Things like health information and other pieces of sensitive PII.
“Jones said that organizations should consider moving to a ‘hybrid mode’ regarding their cryptographic algorithms, in which a post-quantum algorithm is combined with classical algorithms. This “makes you no less secure than just using your classical algorithm, but if you chose a good candidate that turns out to be quantum-resistant, it protects you against this hack-now-decrypt-later concept.” He noted that some systems and products are already moving in this direction. Currently, this should be done in a closed eco-system in the absence of standardization” (Info Security Magazine, 2022).
Organizations should begin communicating with their cybersecurity vendors to ensure that they are working on a “quantum-safe roadmap.”
At the end of his presentation, Jones offered the following advice to security teams regarding addressing quantum threats:
- Understand your assets and use of cryptography
- Identify the biggest risks (sensitive data, hack now, decrypt later)
- Speak to vendors & ask them about their quantum-safe roadmap
- Create a prioritized migration plan
- Test and experiment now (don't wait)