By Steve Grobman, Chief Technology Officer, McAfee Corp.
Until recently, quantum computing has been largely theoretical. Recent advances, however, show that it has the potential to address an array of seemingly intractable challenges: global warming, protracted drug and vaccine development, world hunger resulting from inefficient food distribution, difficulty forecasting bio-risks, and national defense preparedness, among others. Quantum computing’s ability to crunch previously unimaginable computational challenges would help find answers to these and other problems, partly by optimizing machine learning and artificial intelligence on a massive scale.
But these rewards also come with a certain amount of risk. Quantum computing could also enable decryption of data that is currently protected by traditional computing encryption algorithms. This would undermine our entire digital universe as we know it today.
Adversarial nation states such as China and Russia are in a technology innovation race with the U.S. and its allies, and they are not likely to share the extent to which they have successfully developed quantum computing or related decryption capabilities. There is precedent for this: Bletchley Park’s success in cracking Germany’s Enigma code during World War II – an achievement that was kept secret until the 1970s. The Allied code breakers understood that concealing their achievement would ensure that the Axis Powers would continue to use the Enigma coding machines to their strategic disadvantage.
In order to mitigate such a risk, we cannot think of quantum in terms of “eventually” or “tomorrow.” We must address the quantum decryption risk today, before it manifests itself in catastrophic intelligence security incidents tomorrow.
How is quantum computing different?
Traditional computing, based on transistors and electricity, uses software written in binary code. Quantum computing harnesses quantum mechanics using two properties of subatomic particles, superposition and entanglement, to process data. Superposition allows data to exist in multiple states and places simultaneously; entanglement allows computation of extremely large sets of opportunities. Together, these properties will allow quantum computers to perform with exponentially increased efficiency and speed.
The vulnerability of traditional encryption
Encryption is everywhere. In our digital infrastructure, sophisticated security algorithms encrypt all manner of data: stored and transmitted data; data residing in individual applications; and public sector, business and personal information. Encryption is embedded in the web infrastructure, digital certificate ecosystems, and code-signing ecosystems.
Traditional encryption does two things. It secures data so that only parties with appropriate rights can access it. It also ensures integrity, for instance when it confirms that the bank website with which you are transacting and sharing personal data, is not a fraudulent one.
The processing power of quantum computing will dwarf the capabilities of even today’s supercomputers for certain workloads, making it possible to break current secure encryption methods and compromise all encrypted data transferred over the internet. This would enable adversaries to impersonate trusted entities, access data, and decrypt all manner of information, including corporate intellectual property, government secrets with national security implications, and personal information such as biometric data, health and financial records.
In fact, that incursion is undoubtedly already underway. Bad actors are likely siphoning sensitive encrypted data off the Internet today and simply holding onto it until – maybe 5 or 10 or 15 years from now – advances in quantum computing make unlocking it possible.
Gauging vulnerability: probability vs. impact
Humans are not great at recognizing low-frequency, high-impact risks. One need only think of the world’s initial assessment of the COVID-19 pandemic. Quantum computing falls into this same category and, much like the current pandemic, the impact is potentially staggering.
It needn’t be like this. If I told you there was a .0001 percent chance your car would blow up the next time you started it, you probably wouldn’t even step foot inside your car, much less start it. In this case, even though the frequency of such an occurrence would be low, the impact – getting blown into smithereens – is obviously high.
And that is the lens through which we should view quantum computing’s current threat to our encrypted data. Corporate leaders and security professionals need to assess the threat that a quantum-enabled cyberattack poses to their organizations and its customers. If the potential harm is great, they need to prepare for the threat, even if the probability, at least for some time into the future, is low.
Evaluating data: sensitivity vs. value over time
In preparing to defend against future quantum cyberattacks, it is necessary to assess the current data being protected. This means determining both how sensitive it is and how long it must be protected for.
Some data is very sensitive but valuable for only a short time, such as pre-release earnings data for a publicly traded company. Between the end of the quarter and the reporting of financial results several weeks later, this information is highly sensitive. Other data is not as sensitive but is valuable for a long time. Think of Social Security numbers which are used for the lifetime of the holder. Many have already been compromised, though, meaning they are no longer as sensitive as they once were.
Still other data is highly sensitive and has a long value horizon. This could include business-critical intellectual property or trade secrets, which, if stolen during the extended period that they provide a competitive advantage, may allow a competitor to create a variant that puts you out of business. Nation-states like the U.S. also have long-term sensitive data. Even now, some data from U.S. President Kennedy’s 1963 assassination continues to be classified for national security reasons.
What can we do?
Incentives drive behaviors, and use cases generally drive investments in IT. We need to ask ourselves: which market forces will drive positive quantum computing use cases, and which will drive cyber-criminality? While we may seek to use quantum computing for good, one of the biggest risks of such a transformational technology is that our cyber adversaries may be more motivated, or motivated earlier, to use the technology for nefarious purposes than we realize.
For this reason, it is important to raise awareness – and concern – about the quantum threat we face. But once we acknowledge the threat, what can we do to counter it?
Determine priorities. We need to create quantum action plans that take into account the importance and value of different types of data over time, and then set priorities for data protection. Be sure not to dismiss low-probability risks with potentially catastrophic outcomes. Generally, invest in security initiatives that address high-probability/low-impact and low-probability/high-impact risks.
Move to quantum-resistant algorithms. We can develop quantum-resistant algorithms before powerful quantum computing capabilities become viable. The National Institute of Standards and Technology (NIST) is currently evaluating candidate algorithms to replace our current public key capabilities.
Map your encryption systems. Organizations and government agencies in particular need to assess how they currently protect data from theft and prevent decryption, then retool systems that they find are inadequate. Some environments are historically slow to adopt next-generation security capabilities. For example, there are government agencies still running 1950s-era COBOL-based apps on some systems. Developing a comprehensive understanding of where traditional encryption is used and what potential risks exist in each domain should start today.
Develop Incentives. Bad actors may have stronger incentives to use quantum computing for malicious intent than those of us who want to use quantum computing for good. Governments and the technology industry need to partner in influencing market forces that drive faster adoption of quantum resistant algorithms and look for ways to utilize quantum computing for good.
Such moves will help companies – and nations – prepare for the security risks posed by quantum computing, along with all the benefits it will bring. The first step, though, is recognizing that it is never too early to prepare for future risk, especially when the stakes are as high as they are with quantum computing and the threat it poses to encryption.
Quantum computing could enable decryption of data currently protected by traditional encryption algorithm, putting all kinds of data at risk, from corporate intellectual property to personal information such as biometric data. We need to defuse this risk long before it manifests itself in security incidents.
In assessing your organization’s risk, first, evaluate the sensitivity of types of data over time, and second, gauge its vulnerability: If the potential for harm is great, you need to prepare for the threat, even if the current probability is low.
There are a number of steps organizations can begin taking now, including mapping your current encryption systems and moving to quantum-resistant algorithms as they are developed.