Over the last few months, we have seen two major cybersecurity incidents – the SolarWinds and Supermicro ‘hacks’ – affect hundreds, if not thousands, of private companies and government agencies including the Pentagon, nuclear labs and Fortune 500 companies.
Both hacks involved the insertion of malicious code by nation state actors using tampered software updates routed through government suppliers, affecting both hardware (server motherboards) and software (IT management). In both circumstances, the scale, sophistication and effectiveness of the breaches blindsided government officials, corporations and security companies alike.
For many cybersecurity experts, both incidents were manifestations of their worst fears, but as we grapple with the fallout, an even more devastating threat lurks around the corner: the coming quantum challenge to information security.
Understanding the Quantum Threat
Companies like IBM, Google and Honeywell have joined nations including Russia, China and the US to publicly state their interest in building large-scale, practical quantum computers. At the current pace of development, it’s not beyond the realms of possibility that one of them could successfully realize their vision within the next decade.
While quantum computers promise revolutionary benefits for many industries, they also pose an existential threat to all sensitive digital information, past and present.
Due to their incredible computing power, these machines will be able to break through the public key encryption standards (RSA and Elliptic Curve cryptography) relied on today by virtually every organization, device and end-to-end encryption service. That’s a big problem for businesses and governments alike.
Public key cryptography relies on two different types of keys for encryption and decryption. A quantum computer could gain access to the secret key corresponding to any public key, use that access to forge the signature of a software update and push that to a corresponding piece of hardware.
The outcome? Imagine a bad actor gaining access to an engine part for a commercial aircraft. The vulnerable part would be unable to tell it had been spoofed, and through it, the hacker could alter the operations of the entire plane.
Adding to this problem is the fact that quantum decryption can be applied retrospectively. The groundwork for a ‘harvest now, decrypt later’ attack could be laid today, with encrypted data collected and stored for future decryption when quantum computers became available.
The threat is universal, but it’s particularly acute for industries with long product life cycles – think about cars, planes and satellites, or critical infrastructure in the energy, oil and gas sectors. For any product or component designed to last over 10 years, quantum-readiness should be something that’s taken seriously today.
The Race to Quantum-Readiness
In the face of an imminent and devastating threat, organizations can’t keep responding with quick-fix solutions. The priority should be on implementing robust, quantum-ready solutions that prepare businesses for the challenges of tomorrow while shielding them from the threats of today.
The widespread adoption of post-quantum cryptography will be key to making this a success. The National Institute of Standards and Technology (NIST) has taken an important first step in this regard, initiating a process in 2016 to define new, quantum-secure cryptography standards that will likely be made mandatory for some critical industries. This project is now in its final stages, and is due to report its findings in late 2021 or early 2022.
However, organizations need not wait. First, they can assess their security infrastructure to understand where and how cryptography is being used, where vulnerabilities lie and where changes need to be made. Too many companies have no idea, particularly when inheriting legacy systems that have been built up over time.
It’s also helpful to establish whether data is stored on-premises or in the cloud (or both), and where it is in transit. Such areas are a particular vulnerability, and will demand their own, dedicated quantum protection.
Companies can also map out their ‘crypto agility’ to help them understand the scale of the task ahead. Crypto agility assesses the degree to which a company’s existing cryptography measures can be migrated over to quantum-ready solutions. From latency and throughput thresholds to current key establishment protocols and where cryptographic processes fit into the software stack, these and several other factors will affect crypto agility, helping security teams to prioritize the adjustments they tackle first when entering the migration phase.
Above all, the most important first step is to understand the quantum threat. Cryptographer colleagues – all contributors to the NIST standardization process – have tried to make this accessible in a short series of white papers. Before executives and security experts meet to discuss the challenge, resources like this can be useful as a way of understanding the full extent of the quantum threat, why it matters and why addressing it cannot wait.