The previous two years have demonstrated the importance of working diligently to secure our data, especially as organizations have undergone digital transformations and suffered increased cyberattacks as a result. For those organizations that have been broken down, but their data has not yet been exploited and released to nature, it may be too late.
Organizations that have already experienced data breach may fall victim to “harvest today, decrypt tomorrow” or capture-now-decrypt-later attacks. These attacks, also known as “harvest work”, take advantage of known vulnerabilities to steal data that may not even be truly accessible using today’s decryption technologies.
These attacks require long-term planning and projections for the advancement of quantum computing technologies. While these technologies may still be years away from being commercially available and widely used, organizations should seek to protect against these threats now to prevent themselves from becoming a future victim.
Before going into more detail about the future threat posed by quantum computing, we should look at a historical example to inform our current decision.
Lessons from the Enigma
In 1919 a Dutchman invented a code machine, which was universally adopted by the German army, called “the Enigma”. Unknown to Germany, the Allied Powers managed to break the coding scheme, and were able to decipher a number of messages as early as 1939, when the first German boots set foot in Poland. For years, however, the German military believed that the Enigma codes were unbreakable and communicated in confidence, never realizing that their messages were out.
History may be repeating itself. I can’t help but think that most organizations today also believe that their encrypted data is secure, but someone else may be close, or already, reading their “secure” mail without them even knowing it.
Today’s modern crypt is often considered unbreakable, but a large, shiny black building in Maryland suggests that governments may be better at this than is generally believed. Although a lot of credit goes to the magic and evasive quantum computer, the reality is different: bad implementations of crypto series are the main vector to break encryption of trapped traffic. So are certificates captured by other means, raw-devolved passwords and even raw-forced crypto, because insufficient entropy is used to generate random numbers.
All of these techniques are part of the arsenal of any nation that wants to strategically gather information about the happenings of other international players – whether government or private companies. These techniques also require higher levels of coordination and financial support to be a successful part of an intelligence strategy. As I continue to see, when the value of the captured information is high enough, the investment is worth it. So consider the vast data centers built by many governments: they are full of spinning disks of memory storage just in case, if current accesses do not give access. Data storage has become an investment in the future of intelligence gathering.
Looking to the future
Harvesting attacks not only serves as a strategy for quantum computers. We will probably have more powerful processors for raw power in the future. Additionally, other types of stochastic computing machines, such as spintronics, show promise and even the dismantling of popular algorithms may one day see a binary computer version of Peter Shor’s algorithm. The latter helps us explain how quantum computing can help make a quick job of current encryption techniques. This will allow you to break Diffie-Hellman key exchanges or RSA on a conventional computer in smaller time frames.
So how do we protect ourselves? It’s hard to imagine armor yourself against any potential threat to encryption. Just as it is difficult to predict exactly which stocks will do well and which will not. There are too many factors and too much chaos. One is left with only the option of diversification: using an out-of-group key distributing strategy that allows multiple paths for key and data to flow, and a range of algorithms and keys to be used. By diversifying our cryptic approaches we are also able to minimize the damage if any particular strategy fails us. Monocultures risk pandemics, let’s not fall victim to encrypted monoculture as we move into the future.
Time has passed to take steps now that will protect organizations from future threats. This includes development standards. Both federal agencies and the private sector must accept quantum-secure encryption. Additionally, they should seek to develop next-generation, standards-based systems that address current encryption method shortcomings and poor key management practices. This will help ensure not only quantum security protection against future threats, but also stronger security against current threats.
Organizations face a dizzying array of threats and must constantly stay vigilant to prevent attacks. While seeking to protect against current threats is certainly important, organizations should begin to project future threats, including the threat posed by quantum computing. As technology continues to advance every day, it must be remembered that past encryption, such as the Enigma machine, did not long remain an enigma and was broken in time. The advent of quantum computing may soon cause our “unbreakable” codes to go the way of the dinosaur. Prepare accordingly.