Time to Quell the Alarm Bells Around Post-Quantum Crypto-Cracking

  /     /     /  
Publicated : 23/11/2024   Category : security


Time to Quell the Alarm Bells Around Post-Quantum Crypto-Cracking


Quantum computings impact on cryptography is not a cliff that well all be forced to jump off of, according to Deloitte.



As computer scientists march forward in the process of taking quantum computing into the practical realm, cybersecurity vendors and practitioners will need to be ready with encryption mechanisms that can withstand the power of quantums compute potential. But risk experts say that future-proofing measures for post-quantum cryptography dont have to be created in panic.
Contrary to the way some early pundits have painted the post-quantum computing landscape, the truth is that there will be no quantum cliff in which todays encryption mechanisms will suddenly become obsolete, says Dr. Colin Soutar, the US quantum cyber-readiness leader and managing director for Deloitte Risk & Financial Advisory, which just released a report on
quantum encryption
. He explains that in reality, the transition to quantum is going to be an ongoing process.
Theres a lot of discussion around quantum right now, and theres a lot of conflation of different ideas. There are even some alarmist statements about how everything needs to change overnight to update to quantum-resistant algorithms, says Soutar. That implies theres a specific date (for quantum adoption), and theres really not.
Viewing post-quantum security problems from that kind of lens can help the cybersecurity industry start to work the issue with the same kind of risk management and roadmap planning steps theyd take for any other kind of serious emerging technology trend.
One thing is for certain: The drumbeat for quantum computing and post-quantum cryptography is getting louder.
Quantum computing stands to give the computing world a major boost in the ability to
tackle multi-dimensional analysis problems
that strain todays most advanced traditional supercomputers. Whereas traditional computers fundamentally work based on the storage of information in binary, quantum computing is not limited by the on or off position of information storage.
Quantum computers depend on the phenomenon of quantum mechanics called superposition, in which a particle can exist in two different states simultaneously. They take advantage of that phenomenon by using qubits, which can store information in a variety of states at the same time.
Once perfected, this will give quantum computers the ability to greatly speed up data analysis on tough problems in areas as disparate as healthcare research and AI. However, this kind of power also makes these computers
ideal for cracking cryptographic algorithms
. This is the crux of the push for awareness from security advocates over the last several years to ensure that the industry starts preparing for that
post-quantum reality
.
Our view on this is less about being alarmist and saying, You need to update everything now and more of raising the awareness to start to think about what your data are, what your risk could be relative to that data and the crypto you use, Soutar says. And then deciding when you might want to think about, start looking at discovery on your roadmap, and then updates later.
According to the
survey
released by Deloitte this week, the good news is that among those technology and business executives who are aware of quantum computing, a little over 50% also understood the attendant security considerations to it as well.
The trick in all of this for security professionals is that there are a lot of fires to put out elsewhere before worrying about something that could be years away. Todays quantum computers operate in the research realm only. They require immensely specialized equipment — including microwaves manipulating quantum objects within supercooled environments that operate at near absolute zero in many instances. There is a long way to go on the research front for quantum computers to work in a commercially viable fashion, and no one is quite sure on what the timeline will be.
That ambiguity of the timeline is complicated, says Soutar, who explains there are numerous timelines to consider from a post-quantum cryptography perspective.
The implications of quantum computing on cybersecurity is fairly well known, and it could be huge. I mean, cryptography is endemic in what we do throughout the economy. The thing is that the timing is unknown because first, a quantum computer needs to be mature and viable enough and commercially robust as well, to actually be able to run Shors algorithm, he says, referring to an algorithm for finding prime factors of an integer that is
the benchmark
for whether a quantum computer could effectively break public key cryptography. Secondly, attackers need to get access to data, and they need to untangle that data.
The other variable in this is a concept of attack called harvest now, decrypt later, where attackers gather encrypted information now with the understanding that they could
break it through quantum computing resources
at a later date. The Deloitte survey shows that 50.2% of organizations believe they could be at risk for harvest now, decrypt later schemes.
That then opens up risk to this data that Im expecting to be good for the lifetime out of an individual, Soutar says. Maybe its personal information, or its financial information that I want to be secure for at least 10 years. Or its national security information which may have longer requirements on it.
He adds, So, people are starting to think about, Well, what data do I have and how do I need to protect it? For how long? Secondly, how long is it going to take me to do the updates to post quantum cryptography? When should I start thinking about it?
These are the big timeline questions for security and quantum computing experts, who are still at odds over whether weve got 5, 10, or 15 years before the quantum effect impacts encryption. Soutar reiterates that perhaps the better thought process is to stop thinking about it as a definitive date the industry times for, and instead think about relative risk over time. He explains that this is an idea put forward by Dr. Michele Mosca, co-founder and CEO of Evolution Inc, and co-author of a
report
earlier this year that details that line of thinking.
Then you can start to think, if Im with a huge organization, maybe its going to take me a decade to do the updates, Soutar explains. Ive got all these medical devices or other OT devices that Ive got to think about the supply chain communications, and how do I enforce this on my suppliers?
He adds, So, again, its getting that right degree of understanding so that people can start to maybe even quantify what the risk is, and stack that up against other cyber-risks that theyre looking to invest in over time.
At the end of the day, Soutar says that maybe that the quantum lens can be a bit distracting to security. As long as organizations keep quantum on the horizon, it may just be a matter of making perfunctory updates to crypto that might not be that big of a deal for the industry if it is all done in due time.
The quantum threat to crypto should really just be something thats addressed over time. Just do updates as the algorithms get standardized, says Soutar, who believes that the industry should be talking about the nuts and bolts of standardization, which can be boring but also are the most important way to start moving forward. As they go through that process, then companies and governments have more confidence in making the changes, doing the updates, and they just do it. So, it really should be a non-event.
Thats not to say that Soutar believes security practitioners should be sticking their heads in the sand with regard to quantum risk to security postures. The risks will accelerate, but its just a matter of
working that encryption roadmap
like any other part of the cyber-risk roadmap. That includes doing risk assessments, discovering and classifying data, and projecting risk over time.
Its never a bad idea to go look around in the attic. You dont know what youre going to find there. When we do that, when we go through basic cryptography, there are things that we find, he says. You might say, Well, lets update that or lets make sure that weve got the right segregation of duties relative to that. Or, Have we got all the responsibilities and governance laid out? Again, its the boring things. But those are things that you find when you look through the quantum lens.
Deloittes
survey
shows that it may take some kind of regulatory push to prod security practitioners into serious steps on post-quantum cryptography. Soutar hopes that the industry is able to come together in the coming years to develop a framework for post-quantum cryptographic methods perhaps in the same spirit as the NIST Cybersecurity Framework (CSF).
Its not a bad idea to have some framework out there when theres a whiff of potential regulation downstream, he says. I think thats always better than just regulation, having something thats voluntary and outcome-based.

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Time to Quell the Alarm Bells Around Post-Quantum Crypto-Cracking