Quantum Computing Is Coming, But Quantum Risk Is Here Now
What Is Quantum Risk?
Quantum risk is the threat of capable quantum computers upending cryptographic methods, such as RSA or elliptical curve algorithms, widely used today for securing information flows through communication networks. A sufficiently capable quantum adversary would be able to decrypt sensitive data in short order disrupting the trust in the digital systems that increasingly undergird our society. As with most disruptive technologies, a timeline of when a quantum computer at scale will materialize cannot be defined with precision. However, most experts concur that it is likely to occur within 5-10 years. Given the weight of investment into quantum computing, the risk is skewed towards the timeline being compressed. In brief, current cryptographic standards have an expiration date.
What Is a HNDL Attack?
How Is Quantum Risk a Thing Now?
One of the biggest risks at present is what’s known as a HNDL attack. This is an acronym for “Harvest Now, Decrypt Later” where encrypted data is captured, stored, and held onto, until a quantum computer is able to unlock it. While this intercepted data is encrypted, this is a false sense of security — it will easily be decrypted by a threat actor with access to a quantum computer. So, the risk is very real today. Further, recent significant investments in quantum tech globally, as well as geopolitical motivations, have proven the debate over the quantum risk threat has shifted from no longer if, to when.
How Can Enterprises Mitigate Quantum Risk?
They can proactively mitigate quantum risk by devoting time now to transitioning to a post-quantum world using quantum-safe encryption solutions that already exist today. This is a rare opportunity for security to take center stage in business initiatives, but it is also necessary — by the time companies start “feeling” risk from a quantum computer, it will be much too late, because data that was stolen years ago will have been decrypted. The path to Quantum-Resilient can be considered a journey, with some clear milestones, and you must act now.
One of the first steps is to understand where all your data resides, who has access to it, and what protection measures are currently in place. Next, it is important to understand which data is the most sensitive or valuable, what’s its lifetime, and then develop a plan to prioritize the migration of these data sets to quantum-resilient encryption. The good news is quantum secure encryption is not an exercise in “rip and replace.” Rather, it can work with existing encryption technology to move data to a quantum safe paradigm. Once organizations start quantum encrypting their most sensitive data, cybersecurity risk begins to reduce.
Cryptology vs. Post Quantum Cryptography?
The Differences Between Cryptology and Post Quantum Cryptography
Traditional encryption started with RSA back in 1977. It was a public key encryption system and is the most common one used today. Basically, it uses a public key to scramble text, and then the recipient uses a private key, known only to the recipient, to “descramble” the text. Threat actors have had some limited success in “cracking” this encryption scheme, but it takes enormous computing power and, perhaps most significantly, time.
A quantum computer will be able to descramble information encrypted with conventional methods in hours or days by exploiting inherent weaknesses in classical encryption.
Cryptology is the use of cryptographic codes and protocols to protect information from adversaries. Most cryptosystems use a combination of public key cryptography (for key exchange and digital signatures) and symmetric key cryptography (for confidentiality and integrity). Examples of cryptographic protocols working in this fashion include SSL/TLS, IPsec, SSH, and encrypted email.
Public algorithms typically used in current cryptosystems are RSA and ECC. Using an attack built around Shor’s algorithm, a sufficiently powerful quantum computer will be able to break RSA and ECC, and thus reveal the keys exchanged for confidentiality and integrity, as well as compromise digital signatures.
Post quantum cryptography refers to cryptographic methods that provide resistance to attacks by adversaries using powerful quantum computers. Methods resistant, or even immune, to quantum computing attack include symmetric key cryptography with large, high entropy keys, quantum-resistant public key algorithms based on mathematical problems believed to be difficult even for powerful quantum computers to break, and quantum key distribution, a technique that uses quantum effects to securely distribute cryptographic key material.
Quantum Encryption Market Differentiators
First, whether you use QuintessenceLabs or another vendor, cybersecurity is rapidly reaching a tipping point and you should be moving to quantum-safe encryption because the risk to sensitive, long-lived data is material today. At QuintessenceLabs we deliver value to our customers, through an integrated set of tools available today to address some of the most pressing current cybersecurity challenges while preparing for the quantum threat of tomorrow.
- We provide full entropy keys using high-speed quantum random number generators.
- We ensure post-quantum crypto-agile Key Management and upgrading to using Continuous-Variable Quantum Key Distribution technology.
- We seamlessly integrate with cybersecurity infrastructure deployed today in data centers and the cloud.
Technical Decision Makers & Quantum Risk
What Technical Decision Makers Should Know
Every technical decision maker must begin prioritizing quantum-resilient encryption. Solutions exist today, and more are coming. However, the learning curve, internal strategy and project planning decisions, technology validation/planning, and implementation are likely to take years. And so, it is imperative that business leaders begin preparing now. If you are a CISO, you need to bring your CEO and the Board into these conversations, and collectively develop a strategy that will transition your organization to a quantum-resilient cyber posture thereby ensuring value for your employees, customers, and shareholders is not eroded through the compromise of valuable information assets.
Reports from credible sources clearly indicate that HNDL attacks are occurring today and that the threat is real. Recognizing the urgency of safeguarding information systems in the Federal, Defense, Critical Infrastructure, Financial Systems, and Supply Chain sectors, President Biden issued a National Security Memorandum in early May 2022 urging the development of plans to upgrade information systems to adopt quantum-resistant cryptographic technologies.
An important question for decision makers is, how much of their stolen data will be valuable in 5 years? For some companies, like those in manufacturing and pharmaceuticals, it could represent a significant loss of value, as it can take years of R&D and trials for products to come to market. And as for the U.S. federal government and related organizations, that have data deemed valuable to other countries and threat actors, the risk is equally pressing. Losing strategic or proprietary information, or even personal data, could turn out to be costly a few years from now.
President Biden’s National Security Memo
What Technical Decision Makers Should Know
As the threat is clearly evident and approaching rapidly (given the timelines to transition cybersecurity), the cyber risk is real today. There is little to be gained by downplaying the quantum threat timeline or “kicking the can down the road.” In the Presidential National Security Memo we mentioned above, the White House itself said that quantum computing could “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most internet-based financial transactions.” So, the U.S. federal government is already planning to get ahead of the quantum curve.
As could be expected, the memo does not provide technical guidance, and so technical decision makers should seek out a technology partner who has demonstrated competence in understanding the nature of the quantum risk and possesses deep expertise in quantum-resilient technologies. And then start having real conversations with that selected partner about building a quantum-resilient strategic roadmap.