SHARED INTEL: What can be done — today — to keep quantum computing from killing encryption

By Byron V. Acohido

There’s little doubt that the shift to quantum computing will open new horizons of digital commerce. But it’s also plain as day that the mainstreaming of quantum processing power will profoundly exacerbate cybersecurity exposures.

Related: The ‘post quantum crypto’ race is on

This isn’t coming as any surprise to IT department heads. In fact, there’s widespread recognition in corporate circles that the planning to address fresh cyber risks associated with quantum computing should have commenced long ago.

That’s the upshot of a survey of 400 large organizations across critical infrastructure industries in the U.S., Germany and Japan. The study, sponsored by DigiCert, Inc., a Lehi, Utah-based supplier of digital certificates, found 71 percent of global organizations already see the emergence of quantum processing power as a material security threat.

Their trepidation is focused on the potential undermining of a core security component of classical computing systems: encryption. In a nutshell, when quantum processing power becomes widely available – whether that be three years or 10 years from now — threat actors will gain the ability to decrypt everything companies have been protecting with classical encryption.

To its credit, the global cybersecurity community is not asleep on this. A major public-private effort is underway to revamp classical cryptography, and ultimately replace it with something called post-quantum-cryptography, or PQC. DigiCert happens to be in the thick of this effort; I recently had a wide-ranging discussion about this with Tim Hollebeek, DigiCert’s industry and standards technical strategist.

“I’m impressed that people understand the urgency of this issue,” Hollebeek told me. “Organizations seem to understand that they simply cannot afford to delay any necessary security improvements. It’s just not optional. Everyone needs to get started. Things will go very badly for anyone who ignores this issue.”

Leveraging QaaS

Quite clearly, quantum computing, which uses mysterious quantum mechanical processes to crunch data at an otherworldly scale, is no longer just a jazzy concept.

The tech giants, led by IBM, Google and Microsoft, have poured billions into it. They are, in fact, very close to solving the final few technical choke points. And they’ve already signaled the path they intend to take for monetizing quantum processing power. It will look very much like how classical computing processing power got transformed into a cloud service via Amazon Web Services, Google Cloud and Microsoft Azure.

Microsoft CEO Satya Nadella very recently laid out the software giant’s hand by announcing Azure Quantum, an offer to select customers to let them access processing power from three prototype quantum computers. This comes as Microsoft, IBM and Google have been bending over backwards to encourage independent developers and enterprises to accelerate their experimentation with quantum algorithms and to brainstorm novel ways to leverage quantum power.

Cyber criminals, of course, have always moved much quicker than enterprises to leverage cheap computing resources; so there should be little doubt that elite threat actors are also brainstorming how to best leverage, shall we call it, QaaS – Quantum as a Service. To its credit, the global cybersecurity community has been taking methodical steps to address this scenario. Case in point, the U.S. National Institute of Standards and Technology is directing a process to derive a fundamental PQC algorithm, one that is globally acceptable and will stand the test of time.

PQC was definitely on the minds of the respondents to DigiCert’s poll. Their median prediction for when PQC will become a necessity was 2022, just three years from now. And some 83 percent acknowledged they were already wrestling with quantum computing security issues, such as how much it will cost to mitigate quantum threats and how to go about hardening the classical encryption now in place to be able to withstand coming quantum attacks.

A difficult transition

The transition enterprises face won’t be simple or cheap. Respondents to DigiCert’s poll realize this and expressed their concerns about costs spiraling out of control. With the time horizon fast shrinking, 83 percent of respondents conceded the obvious – that it was important for IT to learn about quantum-safe security practices.

PQC could be ready before or at about the same time as QaaS is ready for prime time. But that’s not the crucial issue. The monumental challenge is that replacing classical encryption with PQC will be complicated and time consuming. As quantum services ramp up, threat actors will have a huge advantage.

Just think about how reliant enterprises have become on transacting with customers and third-party suppliers via web applications and cloud services. Each relationship, each transaction and much of the associated digital assets will continue to be largely protected by classical encryption for some time to come.

“The threat actors will be able to purchase quantum services just like everybody else,” Hollebeek observes. “And it will be very difficult for the quantum service provider to exhaustively determine if someone is doing something bad.”

Companies are specifically concerned that data encrypted safely by today’s standards will become all too easy to decrypt once QaaS goes mainstream. Then there is another tier of concerns that attackers will train quantum processing power on decrypting the data circulating between their browser and mobile applications. PQC should mitigate this exposure; but implementing PQC widely, once it’s ready, will take a very long time.

A good starting point

Meanwhile, classical encryption continues to be embedded in IoT devices, smart buildings and autonomous transportation grids. These too will be exposed to quantum attacks, and may be problematic to upgrade. DigiCert and other vendors are in the midst of developing and promoting use of prototype PQC solutions as well as encryption systems designed to be more easily upgraded down the line, a stopgap measure companies can take today.


“Since we’re not 100 percent sure what the NIST end-state encryption recommendations will look like right now, our best recommendation is to build the ability to upgrade your crypto into the software,” he says. “This will give you the ability to ensure communications are protected from being decrypted in the future and improve your crypto-agility.”
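One way to build that upgrade path into software, as an added example (not DigiCert's code and not from the original article): every protected record carries its algorithm identifier, verification consults a policy allow-list, and old records are re-protected under the current algorithm. HMAC-SHA-256 and HMAC-SHA-512 from Python's standard library stand in for a classical algorithm and its replacement; the names `Policy`, `protect`, `verify` and `migrate` are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Registry: algorithm id -> tag function. A PQC scheme would be registered
# the same way once standardized; these two entries are stand-ins.
REGISTRY = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha512": lambda key, msg: hmac.new(key, msg, hashlib.sha512).digest(),
}

@dataclass(frozen=True)
class Policy:
    current: str          # algorithm used for everything newly protected
    accepted: frozenset   # algorithms still allowed when verifying

def protect(policy: Policy, key: bytes, payload: bytes) -> bytes:
    """Envelope layout: b'<alg>\\n<hex tag>\\n<payload>'."""
    header = policy.current.encode() + b"\n"
    # The algorithm id is part of the authenticated data, so an attacker
    # cannot relabel an envelope to steer the verifier to another algorithm.
    tag = REGISTRY[policy.current](key, header + payload)
    return header + tag.hex().encode() + b"\n" + payload

def verify(policy: Policy, key: bytes, envelope: bytes) -> bytes:
    alg_raw, tag_hex, payload = envelope.split(b"\n", 2)
    alg = alg_raw.decode()
    # The id in the envelope is untrusted input: the policy decides what is
    # acceptable, not the sender. Retired algorithms are refused here.
    if alg not in policy.accepted or alg not in REGISTRY:
        raise ValueError(f"algorithm not accepted: {alg!r}")
    expected = REGISTRY[alg](key, alg_raw + b"\n" + payload).hex().encode()
    if not hmac.compare_digest(expected, tag_hex):
        raise ValueError("tag mismatch")
    return payload

def migrate(policy: Policy, key: bytes, envelope: bytes) -> bytes:
    """Verify under any accepted algorithm, re-protect under the current one."""
    return protect(policy, key, verify(policy, key, envelope))
```

Retiring an algorithm is then a policy change (remove it from `accepted` once `migrate` has been run over stored records) rather than a code change.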

A good starting point is for organizations to gain a clear, granular view of where their mission-critical operations intersect with encryption. “Enterprises need to investigate their infrastructures, gain an understanding of all of the places that cryptography is used and put together an actual transition plan for each component of their infrastructure that needs to be upgraded,” Hollebeek says. “And that includes working with vendors, asking them about their transition plans, and if they don’t have reasonable plans, they may have to migrate to other suppliers in order to keep their architecture secure.”

Makes sense. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)
