It is almost as if the greater the number of cybersecurity products that flood onto the market, the more intense the increase in cybercrime and cyberattacks become. There are quantifiably more breaches and incidents of compromised information assets today than there were a year ago. A lot more.
The consequences are growing as well. Now we have class action lawsuits against a 3 year-old breach at Home Depot, tens of millions of dollars of SWIFT fraud, and new strains of credit card malware resulting in 3.2 million cards breached through Hitachi’s payment services systems in POS and ATM accounts in India. And that was just October.
As we learn to handle the currently known attacks, cybercriminals find new ways to get around, under and through our best defenses. Many of us have come to realize that there are no silver-bullet solutions to achieve cybersecurity and that no one technology, no one vendor, no one “project” will ultimately suffice.
We know that what is needed is a strong cyber immune system, capable of quickly detecting unexpected threats and reacting immediately to deal with them. Some of us have been working to achieve that goal through hybridized SIEM platforms that rely on advanced security analytics to quickly detect and isolate malware prior to a breach.
Others hope for a breakthrough in science to put an end to this vicious circle of warfare. One area of opportunity is quantum computing where researchers have had success applying a new speed paradigm to computing by using quantum effects to solve certain problems with astronomically fewer operations.
“Spooky action at a distance” is how Albert Einstein described one of the key principles of quantum mechanics: entanglement. Entanglement occurs when two particles become related in such a way that they are able to coordinate their properties instantly; even across a galaxy.
Quantum mechanics posits other spooky stuff too: particles with a mysterious property called superposition, which allows them to have a value of one and zero at the same time (as opposed to conventional bits); and these particles’ unique ability to tunnel through barriers as if they were walking through a wall. Fast and super-stateful and very freaky.
Quantum computing will perform in seconds, computations that would have taken today’s conventional high speed computers millions of years to get through. Quantum computing will enable dramatic improvements in financial analysis and predictions, logistical planning, medical research and drug discovery to name just a few fields where the impact of quantum computing is gleefully anticipated.
Yet the collateral risk is that quantum computing will be also able to compromise every bank record, private communication, and password ever created; literally in the blink of an eye. This is bad news in particular for cryptology.
Our modern cryptography is based on encoding data in large combinations of numbers. By simply manipulating a large collection of quantum bits (qubits – a two-state bit that is in superposition of both states at the same time) , a quantum computer can explore the countless configurations of 0s and 1s simultaneously and in the millions of qubits sub-instantaneously.
One of the unintended consequences and immediately obvious risks of quantum computation is the potential for instant destruction of some of the cryptographic tools currently underpinning cybersecurity.
For example, a fundamental requirement for online security is a digital signature. A digital signature allows a verifier (e.g. your browser) to confirm that a piece of code it is downloading comes from the alleged source (providing origin authentication) and has not been tampered with (providing data integrity).
Another fundamental tool is the establishment of a secret key by communicating through a public channel. Encryption algorithms use such secret keys to provide confidentiality.
A corrupt insider threat is easily identified and removed. Similarly, malware can be quickly isolated and destroyed and software holes can be patched and closed. But when the cryptographic foundations upon which a system is built are messed with, unless a fail-over replacement (which does not exist today) is in place, the system becomes history and there are no quick fixes available.
Not surprisingly, China this summer announced its successful launch of the world’s first quantum satellite communications platform, which will enable tons of new quantum experiments, with benefits including advancing the development of quantum cryptography.
Developing new standards for protecting data won’t be easy. The RSA standards that are in common use today each took five years to develop. Lesser well-known public key systems will probably take at least ten years. Then, all we have to do is worry about how all of that gets implemented – globally. It could easily take twenty years or more before we’ve replaced all of the Internet’s present security-critical infrastructure.
Any responsible management of the cryptology risk starts with understanding and assessing the impact of these quantum vulnerabilities, mapping out a strategy for mitigating the risk, and updating this strategy in light of ongoing advances in technology.
Designing systems to be more cryptographically agile would facilitate the eventual transition to cryptography protocols that resist known quantum attacks and are designed to run on conventional information and communication technologies. But as usual, the question will become whether we are willing to spend the capital today to make the necessary decisions and investments that will protect our core systems tomorrow?
Right now, the quantum threat is very well defined, along with the approaches for solving it, so it is probably crucial that we avoid being caught off-guard (again) and then forced to firefight against a threat that takes years of preparation to properly defend against.