By: Craig Debban, Chief Information Security Officer, QuSecure, Inc.
As you may have noticed, daily headlines around quantum computing and its impact on technologies are becoming commonplace. This is driven by the fact that quantum computers will be able to perform certain types of calculations much faster than the classical computers we all use today. Due to this specific way of processing, quantum computers can also break many of the current encryption algorithms used to protect data. This is why CISOs everywhere should be concerned.
No, the sky isn’t falling, and the everyday use of quantum computers is not occurring en masse just yet. However, criminal and state actors are actively harvesting and storing data by listening in to communications, and this data will be decrypted by quantum computers in the future. This practice is termed steal now, decrypt later (SNDL).
In a typical SNDL attack, the attacker gains access to encrypted data by intercepting network traffic, accessing data stores, or by using techniques such as social engineering or malware to gain access to critical information. Most likely this data is protected using current encryption algorithms and keys. By secretly exfiltrating this data, an adversary can decrypt its contents later and exploit them with whatever resources are at their disposal by then. You might think, “So what? It is safe, encrypted, and should take forever to decrypt.” That is a true statement today. However, SNDL attacks rely on the expectation that quantum computers on the horizon will break current cryptographic algorithms, at which point the stored data can be decrypted. Some data has a lengthy shelf-life, and the nefarious organizations are betting these encrypted items will become readable in the future while the data still has a great deal of value.
Some examples of data that may be targeted and particularly damaging to your organization if stolen even years from now include:
- Financial data: Data such as credit card numbers, bank account information, and other financial transactions. This data can be used for identity theft, fraudulent transactions, or other malicious purposes.
- Confidential business information: Business plans, trade secrets, intellectual property, or other data points that can give adversaries a competitive advantage.
- Personal information: Login credentials, social security numbers, medical records, or other personally identifiable information (PII) that can be used for identity theft or other malicious purposes.
- Government secrets: Classified information, military secrets, or other sensitive government information that can be used for espionage.
- Encrypted communication: Emails, chat messages, or other forms of communication that can reveal sensitive information or give the attacker access to additional systems or networks.
So the threat is real, but how should you address it?
The key here is to consider the availability of post-quantum cryptography (PQC) algorithms, which are designed to be resistant to quantum attacks. CISOs should begin to familiarize themselves with these and evaluate their potential suitability for adoption.
CISOs likely have a strong grasp of their organizations’ overall security posture, but consider taking another pass at it to explore areas that are especially vulnerable to quantum attacks. It’s worth reviewing the encryption being used to protect sensitive data today, and the classes of data it protects. Once that ecosystem is understood and its supporting cryptography has been identified, CISOs should develop a plan that considers quantum-resistant technology. Solutions are available that enable post-quantum cryptography operating on-premises and across a multi-cloud environment.
Your plan should also include a timeline for upgrades and for implementing innovative solutions, along with a budget and resource-allocation plan. Depending on the complexity of your network, migrating to full quantum resilience across your company could take years. Qualifying that effort is another added value CISOs bring through this exercise. Giving your management team the context of what it will take in terms of operational spend, administrative commitment, and engagements with outside resources allows them to truly process the level of effort.
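As an added illustration of the inventory-and-prioritize step described above (example code written for this page, not the author's or QuSecure's own), here is a small Python triage that flags each protected asset by whether its key exchange and bulk cipher survive a quantum adversary and orders the migration list by data shelf-life. The algorithm classification table and the asset records are constructed assumptions.

```python
from dataclasses import dataclass

# Classification assumed for this example. Public-key schemes based on factoring
# or discrete logarithms fall to Shor's algorithm; symmetric ciphers and hashes
# lose about half their security level to Grover's algorithm; NIST's PQC
# standards (ML-KEM, ML-DSA, SLH-DSA) and 256-bit keys are treated as resistant.
SHOR_BROKEN = ("RSA", "DH", "ECDH", "ECDSA", "DSA", "X25519", "ED25519")
GROVER_WEAKENED = ("AES-128", "3DES", "SHA-1")
QUANTUM_RESISTANT = ("AES-256", "SHA-256", "SHA-3", "ML-KEM", "ML-DSA", "SLH-DSA")

def classify(algorithm: str) -> str:
    """Map a name such as 'RSA-2048' or 'ML-KEM-768' to a quantum verdict."""
    for prefixes, verdict in ((SHOR_BROKEN, "broken"), (GROVER_WEAKENED, "weakened"),
                              (QUANTUM_RESISTANT, "resistant")):
        if algorithm.upper().startswith(prefixes):
            return verdict
    return "unknown"

@dataclass
class Asset:
    name: str
    key_exchange: str      # how the session or wrapping key is established
    cipher: str            # bulk encryption of the data itself
    shelf_life_years: int  # how long the data stays valuable to an adversary

def sndl_exposure(asset: Asset) -> str:
    """HIGH if captured ciphertext becomes readable once the key exchange falls,
    MEDIUM if only the cipher's margin shrinks, LOW if both hold, else UNKNOWN."""
    kex, cipher = classify(asset.key_exchange), classify(asset.cipher)
    if kex == "broken":
        return "HIGH"     # recovering the key exchange reveals the bulk key too
    if "unknown" in (kex, cipher):
        return "UNKNOWN"  # needs manual review before the plan is finalized
    if "weakened" in (kex, cipher):
        return "MEDIUM"
    return "LOW"

def migration_order(assets: list) -> list:
    """Worst exposure first, then the longest-lived data first."""
    rank = {"HIGH": 0, "UNKNOWN": 1, "MEDIUM": 2, "LOW": 3}
    rows = [(a.name, sndl_exposure(a), a.shelf_life_years) for a in assets]
    return sorted(rows, key=lambda r: (rank[r[1]], -r[2]))

SAMPLE_INVENTORY = [  # constructed sample records, not a real inventory
    Asset("hr-records-archive", "RSA-2048", "AES-256", 30),
    Asset("partner-vpn", "ECDHE-P256", "AES-128", 5),
    Asset("internal-wiki-tls", "X25519", "AES-256", 1),
    Asset("card-vault", "ML-KEM-768", "AES-256", 10),
    Asset("legacy-fileshare", "Kerberos", "3DES", 3),
]

if __name__ == "__main__":
    for name, exposure, years in migration_order(SAMPLE_INVENTORY):
        print(f"{exposure:8} {years:3}y  {name}")
```

The output lists the long-lived archive behind RSA first and the ML-KEM-protected vault last, which is the ordering a migration timeline and budget should follow.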
As a CISO, I readily admit a year ago I really didn’t understand what quantum was, why I should care, and the tangible threats it presented to cybersecurity. You may have staff in your company in the same situation. CISOs should include training with their plan and focus on the risks that quantum-based attacks pose to your organization. This may involve developing training programs or partnering with outside resources to provide guidance. The idea is to collectively raise the acumen within an organization to understand these threats, provide leadership on how you plan to deal with this risk, and improve your organization’s “human firewall” by raising awareness.
Once you have your plan, you are on track to protect your critical systems and data. One other consideration is to invest more in research and development. This may vary with your organization, but many organizations will be required to develop quantum-resistant cryptographic systems, or research other technologies that can help protect their specific service offerings against quantum attacks. Quantum resilience is a new and rapidly changing topic, so finding the right subject matter expert is important. The process could involve collaborating with academic institutions, research organizations, the vendor community, and other industry partners to stay abreast of the latest developments in quantum computing and cryptography.
Lastly, CISOs should regularly review and update their organization’s security policies and procedures to ensure that they are aligned with best practices for the emerging quantum threat. This may involve updating encryption algorithms, strengthening access controls, and implementing additional security measures to protect the organization and its data.
The quantum computing threat poses a critical challenge, but with careful planning and preparation, it is possible for CISOs to mitigate this risk. Take some time to understand your vulnerabilities, develop a plan for transitioning, and consider the right investments into your people, tools, and procedures. With some thoughtful effort now, you can help ensure that your organization is prepared for the threat quantum computing will inherently bring.