Quantum computers were a hot topic in 2017 but since it’s still very early in the game for that technology, and the technology is improving in leaps and bounds, it’s a safe bet we’ll be hearing much more about quantum computing in 2018 and beyond. There have been fears that quantum computers might be leading to a new cryptographic arms race. While there’s some truth to that, it’s not new – cryptography has been a race between those trying to keep secrets and those trying to uncover them since the beginning. It’s likely that in the near term the more serious challenges to cryptography will come from other new technologies.
In Part I of a two-part series, we’ll first address how as we anticipate new threats in the new year, we must remember that our old problems aren’t going away. Data breaches and security concerns will continue to grow, and all those companies that haven’t yet become serious about cybersecurity are going to have to catch up fast.
New Tech, Old Problems As stated above, quantum computers are already leading governments and companies to explore developing stronger, quantum-resistant algorithms, developing mathematical solutions to this challenge. The National Institute of Standards and Technology (NIST)’s window for proposing post-quantum candidate algorithms nominations closed on November 30, 2017, and 2018 will see increasing efforts in this area, with the first post-quantum crypto standardization conference in April.
Efforts are intensifying on the physics side of the solution menu as well, with multiple organizations around the globe racing to improve quantum key distribution solutions, safe from the attacks of quantum computers. Most recently these have started to even be integrated into satellite communications, with the vision of ultimately yielding global high-security communications. While this is a major effort that will not be completed in a year, you can expect to see headlines on progress in this area, particularly from Chinese research groups.
IoT Security Often MIA The Internet of Things (IoT) ecosystems represent another example of new technology or at least new uses of technology revisiting old patterns and repeating old mistakes. Many IoT devices have either weak or non-existent encryption that leaves other devices they are connected to vulnerable. The weak security links represented by IoT devices will only become more dangerous if they are not taken care of. Fortunately, we’ve seen how enterprises have fixed similar vulnerabilities in the past, so we know what we need to do to keep things secure.
If IoT devices do offer an encryption option, everyone needs to make sure they use it.
Ensure that high-quality key pairs are in the mix at time of device manufacture
Weak encryption keys can be greatly strengthened by pre-loading devices at production with seed material for cryptographic keys that comes from a true random number generator.
Also, manufacturers need to stop reusing keys among devices. Being able to hack into one shouldn’t mean all an entire product line of devices are compromised.
Effortless Security Still Not a Thing Thanks to Apple’s iPhone X, facial recognition and the wider topic of biometric security got a lot of press in the second half of this year. While these aren’t new technologies, it seems Apple has come much closer to perfecting facial recognition than anyone before, and this is set to continue through 2018 with extension to high-end iPads. Unfortunately, researchers in Vietnam claimed to have fooled the system using about $150 worth of materials a week after the phone became available, so even Apple is only approaching perfection, not attaining it.
We can expect to see a maturation of this technology in the coming year, with improving security as the vulnerabilities are addressed. Even so, this is probably not a solution that will suit everyone, leaving plenty of room open to more innovation. Manufacturers will continue to develop new methods, or combinations of methods to control access to our devices. It’s always going to be difficult finding foolproof mechanisms that don’t discourage users from employing them. Also, whether a mechanism is easy to use but too weak or too inconvenient but strong, companies need to keep fallback mechanisms (like a passcode) in place because one of the basic rules of security is: don’t put all your eggs in one basket.
In this post, I’ve covered some of the legacy cybersecurity challenges facing new technologies. In Part II, I’ll discuss some of the newer problems for new technologies.