Securing Data Today Against Quantum Tomorrow

Image

The article “DARPA Leverages Universities’ Quantum Expertise” by Kimberly Underwood in the July issue of SIGNAL Magazine discussed the exciting partnership between the Defense Advanced Research Projects Agency (DARPA) and the University of Maryland’s Applied Research Laboratory for Intelligence and Security (ARLIS) program to research quantum computing’s application to national security. With hopeful projections of over $1 billion in investment, this partnership seeks to craft “an industrially useful computer” by 2033. This is an ambitious project, given the difficulties of quantum computing, so I foresee massive cost overruns and schedule delays for something that half of the physicists in the article believe will be revolutionary technology, while the other half doubt it will ever work.

I am confident in the scientific acumen of our researchers, and even if quantum computing, as imagined, is never fully realized, the advancements made during research are likely to have a significant impact on technology and its applications. As a cybersecurity professional, the discussion usually revolves around encryption and the inevitability that quantum computers will render modern encryption techniques obsolete. The most impactful implications of quantum computing in this area come from Shor’s and Grover’s algorithms.

Shor’s algorithm is designed to solve mathematical problems of factoring prime numbers and discrete logarithms. These two mathematical concepts form the foundation of Rivest-Shamir-Adleman and Elliptic Curve Cryptography, which underlie most modern public-key encryption. Using principles of quantum mechanics in the computer, Shor’s algorithm can test all of the possible solutions at the same time to determine the correct answer, versus a conventional computer that must check each potential solution one at a time (which is why our current encryption works—it’s just too hard for modern computers to break within reasonable timeframes). The application of quantum computing means that calculations that take our modern computers many years to solve could theoretically be solved in minutes.

Grover’s algorithm is designed to help search unsorted data, like trying to find a specific book in a library that has no organization. Symmetric key encryption, such as the Advanced Encryption Standard, relies on a large string of random characters to serve as an encryption key. To decrypt the data, a modern computer must try every possible combination of characters, one at a time, to find the correct match. The same concept applies to hashing, wherein a specific hash can only be generated by a specific data set that was used to create it, requiring a modern computer to check every possible combination of data against the hash. Like Shor’s, Grover’s algorithm significantly speeds up this process by being able to check multiple solutions at once and quickly narrow down the options. Through its function, Grover’s algorithm basically halves the effective strength of a given key.

There are modern methods of getting around these encryption techniques without quantum, either by stealing cryptographic keys, using rainbow tables or exhibiting simple patience with a brute force attack (allowing the computer time to test every possible answer). Quantum computing theoretically makes this process much faster and easier. I say it is easier, but quantum computing is not easy. These machines are incredibly expensive, and they require a highly skilled team to engineer, build and maintain them. Quantum computers require extreme environmental controls, such as cryogenic temperatures, vacuums and massive power requirements. As a result, access to a fully functional quantum computer would likely be restricted to nation-states or well-funded research laboratories.

Knowing the engineering difficulties, expense, restricted access and questionable success of quantum computing, it is tempting to shrug and ignore the future implications for data protection. After all, it is so far away and we wouldn’t be able to stop it anyway, so why worry about it? While we certainly don’t want to envision some kind of quantum apocalypse, planning is essential for the future of quantum computing. There are two related focus areas:

First, there is the “harvest now, decrypt later” threat, looking forward to the colloquial Y2Q, the date when quantum computing will be able to break modern encryption. We know that hacking groups already breach federal and commercial information systems with the intent of stealing data. Often, the response is simply to encrypt the data. The thinking goes that if the data is encrypted, even if the hacker manages to steal it, the data is of little use. Encryption is a bedrock of data confidentiality and integrity. The advent of Y2Q heralds a time when this is no longer true, and the data that a nation-state’s advanced persistent threat harvests today will be stored and decrypted by quantum computing later. Organizations must begin planning for the day when that stolen sensitive data will be decrypted and the secrets are exposed.

Second, understand what data requires what protection and for how long. This is at the heart of modern cybersecurity; you must know your data. What do you have? Where is it? What is the impact if that data is compromised? Cloud computing, zero-trust architecture, artificial intelligence and now quantum computing all drive organizations to have intimate knowledge of their data. Knowing what data will still require security controls in a decade will help organizations prioritize risk and investment in post-quantum encryption methods when they become more available and integrated into U.S. Department of Defense systems and operations.

Third, we must acknowledge that cyber war has blurred the lines between government and private enterprise. Data stolen from both government and private industry can and will be used in the event of such conflict. In the same issue of SIGNAL Magazine, Klint Walker of the Cybersecurity and Infrastructure Security Agency discussed his work on U.S. port cybersecurity exercises, with the hope of expanding the government/private collaboration into a more robust framework. We know that adversaries can and have compromised ports and other infrastructure, as well as private industry, necessary for daily life in the United States. The data of these organizations can be just as important as any government data. Local, tribal, state and federal governments, as well as private industries, must guard their data against the future. Collaboration between these entities is crucial to prevent a potential cybersecurity pandemic in Y2Q.

We are privileged to have expert teams working on the quantum computing advantage in DARPA and ARLIS, which will forge national security initiatives for years to come and lay the foundation for future tools in cyber warfare. Today, however, we must remain vigilant of what the future holds. With the knowledge that adversaries with potential quantum computing capabilities will use “harvest now, encrypt later” tactics against U.S. interests, the priority is to identify long-term critical data and build strong, strategic defensive measures around it to prevent data exfiltration. The adversary cannot decrypt later what they can’t harvest now. We can use today’s defensive technology to prepare for the fight against future threat technologies while awaiting that future defensive technology capability. Securitas per praevidentiam—security through foresight.

Shaun Rieth is a 22-year retired Air Force cyber operator who returned to serve as a federal contractor under Management and Engineering Technologies International (METI), currently supporting the 557th Weather Wing on Offutt Air Force Base in Nebraska as a senior cybersecurity analyst in the Defensive Cyber Operations flight. He holds an MBA, a Bachelor of Science in IT operations management, and CCISO, CISSP and CCSP certifications.