Booz Allen Hamilton has analyzed the quantum computing arms race to determine China’s current and future capabilities, and to understand the likely use of China’s cyber capabilities within that race. It concludes, “Risk management must start now.”
The report is really in two halves. The first describes the cybersecurity threat inherent in the quantum arms race, while the second is a primer on the complexities of quantum computing. While this is worth reading, only the cybersecurity threats are relevant to us here.
The two cybersecurity threats
Theft of quantum-relevant research
The background is China’s avowed intention to lead the world in technology and economy. The former is key to the latter; and being first to achieve quantum computing will be a major fillip. For now, China is behind the U.S. and Europe in quantum research but claims it will achieve at least parity by the mid-2020s.
Booz Allen is not convinced this will happen, but believes that China may be the first to achieve limited use cases in quantum computing. The first practical benefits from quantum are likely to come from quantum simulators rather than general purpose quantum computing. These are sometimes called ‘noisy intermediate scale quantum’ (NISQ) computers, so named by John Preskill, a quantum physics researcher at Caltech.
They will be able to outperform classical computers in areas that include quantum properties – such as drug research. Booz Allen sees this area as providing the earliest quantum computing benefit. In the shorter term, the best quantum simulators will provide the greatest economic benefit.
This is not a cybersecurity threat. But western research in this area will be a primary target for Chinese threat groups seeking to ensure that Chinese capabilities remain at the forefront.
The most direct cybersecurity threat will come from quantum-assisted asymmetric decryption – that is, the ability to crack the public key encryption ubiquitous in communications. A quantum asymmetric decryption algorithm was developed by mathematician Peter Shor as long ago as 1994. Although still largely theoretical, it is believed that this algorithm will crack asymmetric encryption at usable speeds as soon as a sufficiently powerful quantum computer is developed. The report suggests this could be achieved as early as 2027, but is more likely to be impossible before 2030
Booz Allen alludes to this threat in three of its five ‘anticipated quantum computing threats from China’: theft of encrypted data with an expectation of future quantum-assisted decryption; adversarial development of quantum-assisted decryption sooner than quantum-resistant encryption can be deployed; and unobservable adversarial development of quantum-assisted decryption.
The second of these is not a threat from China, but a failure of western organizations. Quantum-proof encryption is already available with more on the way; and genuinely random number generators (using quantum mechanics) can already produce the true randomness necessary for secure key generation. Tokenization as opposed to encryption can also be explored. Tokenization is potentially resilient to quantum computers because a separate ‘garbling’ process can be applied to every individual character – cracking encryption can reveal everything, while cracking tokenization needs to be repeated for every character (with no contextual indication of success for any individual character).
The third is a little worrying since it implies we might not recognize when adversaries have this capability – and at a stretch implies that it might already exist (which is not likely, but possible).
The two remaining threats of the five anticipated threats (note that Booz Allen means ‘expected’, not ‘anticipated’) are “Theft of fundamental pharmaceutical, chemical, and material science research for use in quantum-assisted simulations”, and “Strategic surprise as novel quantum cases shape unexpected threats”. The former will be part of China’s drive to achieve economic supremacy, while the latter simply asserts that we don’t know what the use of quantum computing might bring.
The state of quantum and the threats today
There is, however, little that is new in the Booz Allen analysis – except, perhaps, a suggestion that the threat is not as pressing as some people argue. The report states, “Many of quantum computing’s improvements over classical computers… are unlikely to be demonstrated for at least a decade.” This is a big unknown – nobody knows how long it will be before limited use quantum computing becomes a reality.
(Image Credit: Chinese Threats in the Quantum Era | Booz Allen Hamilton (PDF)
On November 30, 2021, Honeywell Quantum Solutions (U.S.-based quantum hardware) merged with Cambridge Quantum (UK-based quantum software) to form Quantinuum. The new company suggests that it will have – within a few months, not after a decade – a cybersecurity product and other products that “will include solutions for drug discovery and drug delivery, materials science, finance, natural language processing, as well as optimization, pattern recognition, and supply chain and logistics management.”
(This is likely to come from the area of quantum computing known as quantum simulation. The cybersecurity product will possibly be in the area of quantum-proofing current encryption options.)
The subjects mentioned by Quantinuum are areas of interest to China for it to fulfill its strategic plans. If the west is ahead in the development of quantum solutions in these areas, China’s only real solution will be to steal western research – which is one of today’s primary quantum threats from China.
This is also where quantum decryption comes into play. Shor’s algorithm alone shows current asymmetric encryption will rapidly be broken. Booz Allen suggests, “The likelihood of China developing the ability to break current generation encryption with quantum computers before 2030 is very small,” but acknowledges that it could be as early as 2027. It is worth noting that the report’s timelines are largely based on the public comments of Chinese scientists, not on inside intelligence. For risk management purposes, we should allow the possibility that it could be even sooner.
“Social Security numbers, and weapons’ designs, may be increasingly stolen under the expectation that they can eventually be decrypted,” says the report. In fact, any secret that has longevity is likely to be targeted because sooner or later it will be decrypted. If those secrets have already been stolen, it is already too late to do anything. However, western organizations need to start using quantum-proof encryption as rapidly as possible to protect anything and everything that hasn’t already been stolen.
Booz Allen recommendations
The report makes only three primary recommendations to counter the quantum-related threats from China. The first is to use threat modeling to assess changes to organizational risks based on a better understanding of what China wants and why it wants it.
“Organizations are constantly challenged to stay ahead of attackers. While the application of quantum computing may be several years away, if and when it does become a part of the threat landscape it will put additional pressure on cybersecurity teams to minimize risks that can be exploited,” says Yaniv Bar-Dayan, CEO & co-founder at Vulcan Cyber. “Booz Allen appropriately recommends that organizations use threat modeling to assess how their risk will change and develop associated strategies for mitigating that risk.”
The second recommendation is to develop an organizational strategy for deploying post-quantum (that is, quantum proof) encryption. This really should be done as soon as possible. Chinese threat actors are not waiting for the ability to decrypt data, they are stealing it now for decryption later.
“The computational ability of quantum computers poses a high risk to public-key algorithms, and it may allow nation-state threat actors to break asymmetric cryptography efficiently,” comments Ivan Righi, cyber threat intelligence analyst at Digital Shadows. “This may enable nation-state actors to eavesdrop on communications, intercept private keys, and steal data.”
The third is more general purpose – educate staff and keep informed about the state of quantum development and the risks that come from it. “The arms race to quantum computing ushers in a new era of competitive advantage and cyber risk,” says Rajiv Pimplaskar, CRO at Veridium. “CISOs, IT and business leaders should be acutely mindful of this risk.”