Today, we live in an ever-increasing digital world and our digital footprints, or the amount of data we leave behind mimicking our human behaviors, choices and thoughts, are becoming so close to our actual physical experience that there may as well be two of us walking the earth. While it does not seem that at this moment people can hack our brains, our digital selves are exposed to hackers. With this increased digital shadow — think meta-verse — we open our preferences, location, personal data and finances to digital hackers who will access this data for harm. To make this worse, when quantum computers gain enough power to crack our current encryption, our digital footprints, banking information and national secrets will be laid bare.
The internet and encryption
The internet started as a fantastic communications mechanism which has since evolved into a platform where we spend an increasing amount of our lives each day. On an hourly basis we trade this fantastic access and convenience (ordered anything from Amazon recently?) given to us by the internet for our privacy and security, causing a human conundrum. Security was an afterthought when the internet was conceived and built, and this security has not changed in over 30 years. While there have been some cybersecurity improvements like increased encryption key sizes, and policies around securing communications and data, we still largely rely on a single mathematical puzzle to protect all our data traveling over the internet: factoring.
Factoring (and in the case of cybersecurity, prime number factoring) refers to a mathematical equation where the challenge is to find which two numbers are the factors of a much larger number. Here is an example: If I asked you to find the two prime numbers (or factors) that multiply into the number 187, what would they be? For most of us we will need a calculator and could easily calculate that the answer is 11 and 17. Now our private cyber keys are guarded by a much larger number that takes two 308-digit prime numbers that multiply into a single 617-digit number. While this math problem has provided a secure environment for attacks from the classical or standard computers which we use today, there is a new form of computing that could create a doomsday event: quantum computers.
Quantum computers as weapons
You have heard of quantum computers by now. They use a new computing structure to process data unlike the zeros and ones to which we are accustomed with standard or classical computers. These new computing elements that make up the structure of quantum computers utilize subatomic properties including superposition and entanglement. Using these properties, quantum computers have been mathematically proven to break our current factoring-based encryption (mentioned above). So while finding two numbers that multiply into a larger number has proven extremely difficult for classical computers, with quantum computers of the right size and power (also called cryptographically relevant quantum computers), this will not be a problem. In fact, quantum computers will crack current encryption which is the key to the data, privacy and security of the digital world, thus creating a potential doomsday event.
Fortunately, our federal government and many business leaders have been aware of this quantum threat for quite a while. For over six years now government organizations like the National Institute of Standards and Technology have been researching and testing algorithms that will protect against quantum attacks. NIST has made recommendations as to which algorithms they believe will be quantum resilient, so enterprises and government agencies can start upgrading to post-quantum cybersecurity (PQC) which is resilient to quantum computing attacks. This will provide another layer of protection to ensure that our data remains private and secure in the future.
Top tips on how to prepare
For large organizations to start the process of upgrading the PQC, here are some steps they should follow:
Educate the board, the executive team, IT and the cyber team on the quantum threat, estimated timelines and various post-quantum cybersecurity solutions. This information will enable risk analysis and strategic objective setting with respect to a post-quantum business environment. It will also provide resource prioritization alignment across the business.
Begin the assessment process to review your existing cryptography and look for vulnerabilities that need to be upgraded/patched. Business leaders may be surprised at how many different crypto libraries are being used across their enterprise. The challenge is that systems use protocols that automatically negotiate the crypto algorithms that are common between devices to establish a secure session. If one device is using a mode that is less secure than what a post-quantum era demands, then there is a potential for compromising the organization’s data.
Begin talking with PQC companies to understand what solutions are available. Not only will the vendors provide a variety of approaches to the post-quantum challenge, but they will be able to provide insight into the IT architecture and security posture of the organization from different perspectives. Differing viewpoints, when rationalized together, will provide the organization with a more robust representation of their architecture, and illuminate options for better decision making.
Look for solutions that are cryptographically agile, meaning they can use any of the NIST approved algorithms which ensures that your organization will have the optimal quantum protection. So, if one algorithm fails, or causes issues, with crypto agility you can seamlessly switch to another algorithm.
Replace existing pseudo random number generators with quantum random number generators. This step will ensure that the entropy source used to generate keys is at the highest level possible and closes potential loopholes in the cryptographic system.
Be sure to find solutions that are backwards compatible, meaning that they can interoperate with your existing cybersecurity environment. It is difficult for large organizations to rip and replace technology so the quantum resilient solution you choose should be able to create quantum protection while easing into your current cybersecurity environment.
Look for a solution that can create quantum secure channels for all your end devices, as well as your servers. To have a truly post-quantum cybersecurity environment, you will need to protect all nodes including Internet of Things, laptops, phones and more. If the solutions you review can quickly and easily create quantum secure communication channels to these nodes, then you will limit quantum vulnerabilities.
Start testing some of these solutions in test environments with IT and cybersecurity teams so they can get used to working with post-quantum cybersecurity in your organization.
After testing, begin upgrading various parts of the network to post-quantum cybersecurity.
The quantum threat is real, and a doomsday event is a possibility, so taking steps today to make your organization quantum resilient will help protect from attacks in a pre- and post-quantum world.
Skip Sanzeri is co-founder and COO of QuSecure, Inc.