Quantum computers live in research universities, government offices, and leading scientific companies and, except in rare circumstances, find themselves out of reach of bad actors. That may not always be the case, though.
As research on quantum computers continues to move the technology forward, there is a growing concern that these computers might soon break modern cryptography. That would make all current data encryption methods obsolete and require new cryptography methods to protect against these powerful machines.
While the concept of quantum computers is not new, the discourse around them has increased in recent months thanks to continued federal action.
In May of 2022, President Biden released a national security memorandum that outlined government efforts to get ahead of quantum computing security concerns. In June, the U.S. House of Representatives passed the Quantum Computing Cybersecurity Preparedness Act requiring federal agencies to migrate information technology systems to post-quantum cryptography.
This legislation, which still requires passage in the U.S. Senate, builds off the continued efforts of the National Institute of Standards and Technology (NIST) to create post-quantum cryptography standards. For its part, NIST released its first four quantum-proof algorithms in July 2022. Not long after, the CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST was broken using AI combined with side-channel attacks.
The Power of Quantum Computing
Even the fastest computers today struggle to break security keys thanks to the keys' complexity. It would take years for a system to break standard keys, even in the best-case scenarios. This is what makes encryption such a valuable security defense.
Quantum computing looks to dramatically change this time from years to a few hours. While it can quickly get complicated, experts believe many public-key encryption methods popular today, such as RSA, Diffie-Hellman, and elliptic curve, could one day be relatively simple for quantum computers to solve.
The good news in this scenario is that commercial quantum computing remains in the distance. A study from the National Academies estimates that future code-breaking quantum computers would need 100,000 times more processing power and an error rate 100 times better. These improvements could be more than a decade away, but they are something security leaders need to consider now.
It will be too late if we wait until those powerful quantum computers start breaking our encryption.
Leveraging Defense in Depth
While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works. Best practices include segmenting networks, using 5G private networks, and adopting Zero Trust architectures.
Organizations must also secure data at rest. Many databases feature encryption that could become moot in the future. Organizations may need to store certain data offline or have a practice of re-encrypting old files once newer encryption technologies become available.
Right now, everything from browser caches to password managers to local Outlook email files is encrypted. If that encryption becomes breakable, organizations may need to reduce the overall distribution of that data to limit risk, at least until better quantum encryption is created.
The Road Forward
A quantum-related cyberattack is not imminent, but the growing concern about one is not unfounded. Cybersecurity professionals must remain agile in the face of new threats and changes in thinking. While we move forward to this next challenge, let’s remember to keep a strong foundation.
We are moving toward a future with quantum computing, so prepare your organization now for this emerging threat along with handling the other threats that impact your enterprise today. A defense-in-depth approach acts as a hedge against differing attack vectors. It provides organizations with blanket coverage and a robust defense against various attacks.