Quantum Computing: A New Dawn for Encryption Vulnerabilities
Expert Perspectives on Protecting Data and Developing Quantum-Safe Cryptography
The quantum doomsday clock is ticking, and it's set to strike midnight within the next decade.
When it tolls and the quantum computing revolution arrives, today's encryption standards will become obsolete. The impending technological advancement of quantum means attackers could decrypt previously stolen data with ease, and some adversaries are stealing encrypted data now for the sole purpose of decrypting it later, said Devo CISO Kayla Williams.
"Encryption that today would take years and years to decrypt may only take a matter of hours with the computing power that's being developed in the quantum computing labs," Williams said. "When you go to a website, the lock in the browser, that's going to be meaningless if quantum computer-enabled criminals are able to decrypt every banking transaction, text message or social media message."
How bad could it be? Quantum computing could break all known public key cryptography, which underpins modern internet and network security, warned Bob Burns, chief security officer at Thales Cloud Protection and Licensing. What about the global economy? Gains in quantum computing could compromise the cryptographic underpinning of the digital economy, affecting browsing, digital signatures and authentication, predicted IBM Security CTO Sridhar Muppidi.
'An Armageddon for Modern-Day Cryptography'
Muppidi said the security community is focused on identifying which assets and systems are most at risk from the quantum computing doomsday clock and which of those have been in service for decades, such as automobiles or medical equipment. The transition from theoretical quantum computing to practical development has spurred significant investment in quantum technologies by private industries and governments, Burns said.
"This puts us in the precarious situation of really having to consider the actual 'what if?' scenario," Burns told Information Security Media Group. "It would be an Armageddon for modern-day cryptography if all of that data could suddenly be completely in the clear."
It's a race against time for companies to protect their digital assets against the quantum threat, and even cash-strapped businesses will be forced to adopt quantum-safe practices before it's too late. Given that quantum computing could threaten current encryption standards within the next decade, Williams urged organizations to start preparing now.
Transitioning to quantum-resistant cryptography will be a major challenge requiring careful planning, testing and prioritization based on the sensitivity and value of the data under lock and key, Burns said. CISOs should catalog the use of cryptography within their own organizations, prepare for quantum-safe algorithms and prioritize the protection of sensitive data that has a long life span, according to Burns.
"This transition won't come for free," Burns said. "It's not just going to magically happen, nor is an organization's ability to react if we reach that precipice of having a cryptographically relevant quantum computer invented."
Standardizing Around Quantum-Resistant Algorithms
Muppidi said ensuring long-term resilience against quantum threats requires crypto agility, or the ability to easily switch cryptographic methods as quantum-safe options become available. He urged businesses to understand quantum computing's scope of impact at the application, network and transaction levels, which will involve a detailed discovery process as well as prioritized asset protection and remediation.
Williams said protective measures will be needed beyond the corporate sphere since quantum-enabled criminals can also decrypt sensitive personal data. The lack of a comprehensive federal personal data protection law in the United States is deeply concerning given the threat posed by quantum computing, according to Williams.
Approaches to quantum readiness vary in different parts of the world, Muppidi said. The U.S. National Security Administration is focused on compliance-driven changes while other geographies adopt a risk-based approach. The National Institute of Standards and Technology is close to standardizing four quantum-resistant cryptographic algorithms, paving the way for quantum-safe cryptography, Burns said.
"There are a number of algorithms that are thought to be resistant," Burns said. "We are at a point where they have been vetted to the degree that five or six years' worth of research can vet them, and we're on the precipice of standardizing them."
Even without an official government standard, Burns said, companies including Apple and Cloudflare have introduced products they claim feature quantum-safe cryptography, and private sector innovation will only accelerate. Muppidi said companies should inventory their cryptographic assets and understand where sensitive data is protected along with how it's affected by quantum computing advances.
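The cryptographic inventory and prioritization that Burns and Muppidi describe can be made concrete as a small scoring model. The following is an added example, not code from the article or from any vendor quoted in it; the algorithm classification table, the 1-5 sensitivity scale, the ten-year horizon and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed classification table (assumption, not from the article). Public-key schemes whose
# security rests on factoring or discrete logs fall to Shor's algorithm; symmetric ciphers and
# hashes keep roughly half their security bits against Grover's algorithm.
SHOR_BROKEN = {"RSA-2048", "RSA-4096", "ECDSA-P256", "ECDH-P256", "DH-2048"}
GROVER_EFFECTIVE_BITS = {"AES-128": 64, "AES-256": 128, "SHA-256": 128, "ChaCha20": 128}
MIN_POST_QUANTUM_BITS = 128
QUANTUM_HORIZON_YEARS = 10  # "within the next decade", as the article puts it

@dataclass
class CryptoAsset:
    name: str
    algorithm: str
    sensitivity: int          # 1 (public) .. 5 (highly sensitive); assumed scale
    data_lifetime_years: int  # how long the protected data stays valuable
    migration_years: int      # estimated time to move this system to a quantum-safe scheme

def classify(algorithm: str) -> str:
    """'broken', 'weakened', 'adequate' or 'unknown' against a quantum computer."""
    if algorithm in SHOR_BROKEN:
        return "broken"
    bits = GROVER_EFFECTIVE_BITS.get(algorithm)
    if bits is None:
        return "unknown"  # needs discovery work before it can be rated
    return "adequate" if bits >= MIN_POST_QUANTUM_BITS else "weakened"

def harvest_now_exposed(asset: CryptoAsset, horizon: int = QUANTUM_HORIZON_YEARS) -> bool:
    """Shelf life plus migration time beyond the horizon means ciphertext captured today
    is still worth decrypting once a quantum computer exists (Mosca's rule of thumb)."""
    return asset.data_lifetime_years + asset.migration_years > horizon

def priority(asset: CryptoAsset) -> int:
    """Higher score = migrate first; broken public-key use on long-lived data ranks highest."""
    weight = {"broken": 3, "weakened": 2, "unknown": 2, "adequate": 0}[classify(asset.algorithm)]
    if weight and harvest_now_exposed(asset):
        weight += 2
    return weight * asset.sensitivity

def migration_plan(assets):
    """Inventory sorted into the order a CISO would remediate it."""
    ranked = sorted(assets, key=priority, reverse=True)
    return [(a.name, classify(a.algorithm), harvest_now_exposed(a), priority(a)) for a in ranked]

# Constructed sample inventory (hypothetical systems, not real ones)
SAMPLE_INVENTORY = [
    CryptoAsset("patient-records-tls", "ECDH-P256", 5, 25, 3),
    CryptoAsset("backup-at-rest", "AES-256", 4, 15, 2),
    CryptoAsset("legacy-vpn", "RSA-2048", 3, 2, 4),
    CryptoAsset("session-cookies", "AES-128", 2, 1, 1),
]
```

Running `migration_plan(SAMPLE_INVENTORY)` ranks the long-lived, ECDH-protected patient records first and the AES-256 backups last, which is the prioritization by sensitivity and data lifespan the experts recommend.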
Highly Regulated Firms Most Ready for Quantum Winter
Muppidi said common language and standards are needed to effectively describe and mitigate quantum threats to the supply chain. From there, organizations should devise a strategy for protecting sensitive keys and data, which Muppidi said should include understanding cryptography's role in organizational security, standardizing quantum-resistant algorithms, and future-proofing cryptographic practices.
"Start now," Muppidi said. "This is not something we've faced before. It takes time to discover all the cryptography and evaluate the risks."
A lack of basic cybersecurity measures in many organizations - such as data segmentation, isolation and network segregation - could amplify the risks associated with quantum computing, according to Williams. She urged businesses to use the time before quantum computing arrives to create an inventory of all digital assets, conduct risk assessments and ensure industry-standard security practices are in place.
"Being able to stay on top of your risk assessments, your data flow diagrams and your architecture diagrams, and really spending the time to make sure that the controls you've put in place are still operating as you initially intended and designed, is going to save you a lot of trouble in the long run," Williams said.
Specifically, she said, it's vital that companies continually reassess their security controls to ensure they're effective and haven't been compromised by changes or misconfigurations. Industries subject to stringent regulation - such as financial services, healthcare and retail - are better prepared in terms of network segmentation and isolation than less-regulated sectors, such as enterprise software.
"Companies that are already in the public domain or that are regulated are going to be far more advanced than companies in the SaaS space," Williams said. "We don't have to worry about the SEC, the OCC or FINRA enforcing security requirements on us. There is certainly a disparity in the ways that different organizations across verticals or industries would approach something like this."