Are your security systems ready for quantum computers?
There are growing global concerns about the future threat of quantum computers against cryptographic technology. Several current cryptographic techniques would not remain secure with the development of powerful quantum computers.
While governments and other organisations are rightly worried about the impact of cyber attacks from quantum computers against highly sensitive military, health and citizen data, their fears have been tempered somewhat by the fact that it is incredibly difficult to build a properly functioning quantum computing machine. But in recent weeks, awareness of Q-day – the day on which a quantum computer has the power to break security algorithms through force and guesswork – has risen to new levels. This is partly because US President Biden released a National Security Memorandum addressing quantum computing in two ways: its ability to power new discoveries in science and technology, and its threat to government data.
“Most notably, a quantum computer of sufficient size and sophistication — also known as a cryptanalytically relevant quantum computer (CRQC) — will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world”, stated Biden.
He continued: “When it becomes available, a CRQC could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.”
The evolution of quantum computers
The key phrase in the message is ‘when it becomes available’. Estimates vary, but private companies such as IBM are constantly evolving quantum computing to make devices easier to build and operate outside the lab environment. Commentators generally concur that it will be at least 2030 before quantum computers are ready to be used. However, there is also a well-understood risk that criminals or states could gather data before quantum computers are made more widely available, then decrypt it further down the line.
All of this means that preparing for Q-day has moved up the agenda for government organisations, and that demand for quantum-safe or quantum-ready encryption devices is on the rise.
European standards body ETSI explains that: “quantum-safe cryptography refers to efforts to identify algorithms that are resistant to attacks by both classical and quantum computers, to keep information assets secure even after a large-scale quantum computer has been built.” The US National Institute of Standards and Technology (NIST) is sponsoring research to identify suitable candidates for standardization, and refers to the field as post-quantum cryptography (PQC). NIST points out that: “It has taken almost 20 years to deploy our modern public key cryptography infrastructure. It will take significant effort to ensure a smooth and secure migration from the current widely used cryptosystems to their quantum computing resistant counterparts.”
Take the first steps today
There is a wealth of guidance available to government organisations about how to prepare for quantum computing, including a highly detailed document from the Cloud Security Alliance (CSA) called Practical Preparations for the Post-Quantum World: Tasks Every Organisation Should be Performing Now to Prepare. In a separate article, Matt Scholl, chief of the Computer Security Division at NIST, writes that the best place for any organisation to start is by making an inventory of its most important information.
“Ask yourself what is that data that an adversary is going to want to break into first,” he advises. “The first quantum computers are going to be expensive to operate and maintain, so determine what is your most important information and whether its encryption is vulnerable. If it is, then develop priorities for using quantum-resistant encryption as you plan to upgrade your infrastructures over the next couple of years. And then start to prioritize and plan so that you're ready to implement the new standards when they are available.”
Commentator Sam Bocetta, writing in Security Boulevard, adds that while every organisation is different, and investing substantially against a threat whose timeline is uncertain may not appear to be financially feasible, it pays to think ahead. He agrees with Scholl that taking action today will pay dividends later. “[Organisations] that have not already inventoried and audited their information systems and data and determined both criticality and potential weaknesses should do so immediately. Doing so will put the organisation in a better position to defend against both future quantum attacks and current threats,” he says.
Choosing quantum-safe encryption technology
Quantum-safe encryption technology, including that built by Asperiq, is already available to organisations that want to prepare for the quantum computing era sooner rather than later. NIST advises that as part of their preparation organisations should strengthen symmetric key sizes in particular. “Any existing symmetric ciphers that are not quantum-resistant should be replaced or upgraded to commonly accepted quantum-resistant ciphers and key sizes. This means generally accepted traditional symmetric algorithms with key sizes 256-bits or longer,” it says. The official memorandum from Joe Biden, together with the accelerating pace of quantum computing technology development, has served to focus government organisations’ minds on what could be coming down the track for their risk profiles.
As feasible quantum computers may arrive in the future, it’s time to develop as much understanding as possible about the potential threats caused by quantum computing, to consider how to assess information assets for vulnerabilities, and to investigate the potential quantum-safe devices and solutions that are already out there.