Quantum computing may appear to be an abstract technical challenge that lies far ahead in the future, but the truth is that the threats it poses to data security and businesses are already present. This is due, in part, to a hacking strategy called “steal-now, decrypt-later” (SNDL). As a result, technology leaders need to take immediate action to address this issue, long before the quantum revolution truly arrives.
A quick quantum refresher
Quantum computers use the state of subatomic particles, known as qubits, to represent numeric values. These particles have peculiar properties like quantum superposition, which allows them to represent numerous values simultaneously. This ability makes quantum computers capable of solving specific mathematical problems in mere minutes that classical computers would require hundreds of years or more to solve.
This remarkable capability has the potential to bring about unimaginable breakthroughs in physics, biotechnology, chemistry, and other industries. However, it also presents a significant risk to the petabytes of private and public data that rely on cryptographic schemes based on mathematical algorithms for protection. Although these schemes make data impenetrable to hacking from today’s classical computers, they will be easy to crack for quantum computers, exposing sensitive personal, corporate, and government data to anyone.
What is “steal now, decrypt later”?
Here in the calm before the quantum storm, the reality is that both the good guys and bad guys are positioning themselves now, for success when quantum finally makes its debut.
One current hacking strategy owes a debt to more than one heist movie: the bad guys don’t just steal the jewels, they steal the safe with the jewels still in it. They can crack the safe later – almost always in an abandoned warehouse down by the docks, for some reason.
Cliches aside, the cybersecurity version of this ‘take the safe’ strategy is known as “steal now, decrypt later”, SNDL, where hackers download encrypted data knowing they can’t read it now, but anticipating it will become readable and therefore valuable when quantum computing algorithms eventually allow decryption.
Tempting targets for SDNL include the usual suspects, like data in transit, archived data and email messaging, but also infrastructure, like the commands routinely sent between the cloud and the ever more numerous IoT systems proliferating on the edge.
In simple terms, quantum computing is expected to be particularly adept at breaking encryption that relies on deterministic, mathematical algorithms, rather than random or anonymized numbers to generate “keys”. The prime numbers that underlie public key encryption (PKE) are an example, so efforts to secure data must start with the most widely-used asymmetric encryption standards like RSA 2048 and ECC 512.
Those schemes have an encryption “strength” of 128 and 256 bits respectively. But Quantum computing will break them easily, reducing their effective strength to 0.
Pre-quantum security strategies
Data-driven businesses are facing the imminent emergence of quantum computing and its potential to break encryption through Shor’s algorithm, which is a significant threat known as the SDNL. While the majority of the literature on the quantum sector discourages optimism, quantum physicist Christian Bauer from Lawrence Berkeley National Lab believes that we will stay ahead of the threat. He claims that developing new encryption mechanisms takes less time than a quantum computer takes to break encryption.
However, Bauer’s prediction relies on assuming that the most vulnerable points of encryption are being addressed by the good guys. Existing Public Key Encryption (PKE) and other vulnerable encryptions must be replaced or overlaid with quantum-proof schemes to maintain security. One promising approach is to layer new security on top of existing protection to avoid replacing existing systems, which could be disruptive and tedious.
An important shift in thinking is to move away from mathematically generated keys and instead emphasize the use of truly random keys. Quantum-proof Virtual Private Networks (VPNs) that use perfectly random numbers to encrypt communication can provide a quantum-proof “wrapper” without requiring changes in the underlying encryption schemes.
The bottom line is that businesses must secure their data today to avert a quantum fire drill on day zero. By implementing quantum-proof encryption mechanisms and emphasizing the use of truly random keys, businesses can ensure that their data remains secure even in the face of quantum computing.
What’s it all mean?
As the frequency of cyberattacks continues to escalate, it is worth noting that approximately 35% of state-sponsored attacks that are well-funded and highly sophisticated are aimed at corporate enterprises. The intention behind these attacks is typically to steal intellectual property, disrupt supply chains, or infect infrastructure.
There are a variety of perpetrators who engage in cybercrime, including countries, non-governmental organizations, rival firms, individual criminals, and activists, all of whom commonly utilize SNDL. It is widely recognized that any type of data breach can have serious business implications, resulting in direct financial losses, damage to the organization’s reputation, regulatory fines, and other penalties.
It is intriguing to consider that the “steal now” concept implies that an organization’s data exists in a state of limbo between being completely secure and being completely exposed. Which state the data ultimately falls into will depend largely on the actions taken by the organization in the present, rather than on any future quantum revolution that may occur.
The next generation of quantum-proof cryptography will rely heavily on random numbers that are theoretically impossible to hack. In the final part of this series, we will explore how some random numbers are more random than others.