Op-Ed: Quantum computing — the next cyber battleground

In response, the government unveiled the country’s first quantum computing strategy this month. Industry and Science Minister Ed Husic emphasised its purpose to position Australia favourably in the race for competitiveness that should unfold. But as the quantum revolution develops, it will also trigger another kind of race, a cyber arms one.

Encryption obsolescence

Technological advancements have always been used for good and bad purposes, and quantum computing is no exception. As we marvel at the technology’s potential to transform our societies, we also have to consider the risks if it falls into the wrong hands, and more specifically, its potential to make cracking current encryption algorithms look like child’s play.

Just like the growth in processing power made the Data Encryption Standard (DES) obsolete in the early 2000s, quantum computing’s processing power is, in turn, threatening to outmatch its Advanced Encryption Standard (AES) successor, currently used to protect modern digital systems.

Quantum computers powerful enough to crack today’s strong encryption algorithms, such as AES, will not hit the market for another few years, and most will be for research environments and large organisations at first. But we can’t rule out the risk of ill-intentioned governments using those capabilities to launch state-sponsored attacks, and it probably won’t be long before other threat actors also access quantum computers, especially if they operate in an organised fashion.

Another risk lies in the encrypted data bad actors have already managed to steal. Following a widespread “steal now, crack later” strategy, cyber criminals are storing a wealth of encrypted data that they hope to decrypt in a few years’ time when the technology is available. This further underlines the timely nature of the cyber arms race triggered by the democratisation of quantum computing, and if the threat isn’t immediate, nor is our state of preparedness.

The great migration

The parent organisation behind the DES and the AES, the US National Institute of Standards and Technology (NIST), anticipated the issue as early as 2016 when it launched a campaign calling the world’s cryptographers to submit encryption algorithms that would ultimately help build a new quantum-resistant encryption standard. Last year, the NIST announced that it had narrowed it down to eight algorithms and that a new standard could be only a couple of years away. But the fact that it took only an hour for a team of Belgian researchers (see here for a nerdy analysis) to crack one of those algorithms with a legacy computer cast some doubt on that timeline.

VIEW ALL

Furthermore, coming up with a new standard is only the first step in a large-scale defensive strategy, and it is likely that a few more years are necessary before a new quantum-resistant encryption standard is translated into government policies, and widespread compliance across organisations is a reality.

Will bad actors beat us at this game? The race is on.

The US government is already asking its agencies and their suppliers to use quantum-resistant encryption standards by 2035, and if the Australian government is serious about its quantum computing commitment, it should consider similar decisions and incentives quickly. If cyber war is a race, then pace is its winning factor. The ability to achieve this encryption migration quickly will be instrumental in ensuring we outpace cyber criminals.

On your mark, set …

While a standard is not yet available, organisations can start laying the groundwork to ensure a smooth and fast transition when it is.

Considering the solutions in their cyber security stacks, they should start asking vendors about building a security architecture that provides solid foundations for encryption changes. It is also essential that they continue sticking to the best data protection standards, regularly auditing and optimising systems in a way that provides complete, easy and real-time visibility over where and how static (including archived) and dynamic data are hosted and protected. There should be a particular focus on protecting data that has a long-term value and would still be valuable if they are stolen today, and decrypted in a few years.

While organisations start preparing for this migration, they should also ensure there won’t be weak links in their physical or digital supply chains. It is worth kicking off conversations with key partners to understand if and how they’re anticipating this change. We can only win as a team, and a single player’s complacency can undermine the whole ecosystem.

Security leaders also need to start planning how they open the quantum security conversation with the rest of the C-suite and clarify how strategic this is going to be for the organisation. It is all about justifying the necessary investments and resources allocated to the transition when it happens. Finally, we won’t achieve widespread and fast adoption of quantum-resistant encryption among Australian organisations without timely policy changes and incentives from our government. It is also private organisations’ responsibility to kick off industry-wide conversations and advocacy to raise awareness of this issue with regulators.

There are still question marks on how the quantum computing revolution will develop and at which pace, but as always in cyber security, prevention is better than cure.

David Fairman is the chief information security officer for APAC at Netskope.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.