The need for sustainable development and competition sets ambitious goals that demand unprecedented efforts in various economic, social, and environmental fields. Technology, in turn, plays a crucial role in achieving these global objectives. New technological advances are transforming economies and improving living standards through increased productivity and reduced cost of production. Quantum computing is one of the key fields being explored as a powerful means to deliver technology’s long-promised replacement of classical computing. In spite of the promise, the arrival of the technology will have a detrimental impact on cybersecurity.
By Julien Legrand, Security Governance Lead at Neat
Before we dive into the implications of quantum computing on cybersecurity, it is important to understand the concept of this new technology.
What is a Quantum Computer?
According to a 2018 report by the National Academies of Sciences, Engineering, and Medicine, “A quantum computer utilizes the unusual characteristics of quantum mechanics – the nonintuitive behavior of very small particles – to perform computation, unlike current computers.” This feature of the new technology enables a quantum computer, which encodes data in qubits (quantum bits), to span the possible states of a classical computer.
A conventional computer bit is either 0 or 1, and cannot simultaneously represent 0 and 1. On the contrary, a qubit can represent both 0 and 1 at any given time, a phenomenon known as superposition. As a result of this feature, a quantum computer can process massive calculations, which effectively increases the new technology’s power and capacity.
A completely robust quantum computer is likely more than a decade away. However, leading tech giants, such as Google, Intel, IBM, and Microsoft, already have tiny quantum computers, which they incrementally pack more quantum bits to enhance their performance. Other vendors leading the way in this technology include Toshiba, NTT, Honeywell, D-Wave Solutions, and Alibaba Quantum Computing. A review of these companies indicates a race towards the development of systems that can solve complicated transactions using numerous variables. Some application areas include predicting fluctuations in stock markets, designing AI, weather forecasting, and cracking complex cryptography methods. Quantum computers rely on probabilistic algorithms that give results within certain probabilities, instead of exact answers. This feature makes the technology ideal for a set of special problems in risk management, finance, and areas with a range of probabilities.
With this in mind, it is important to identify significant cybersecurity challenges that lie ahead of the arrival of general-purpose and easily accessible quantum computers.
Quantum Computing can Easily Break Modern Cryptography
The uttermost worry of cybersecurity analysts is that new devices, based on quantum physics believed to be superior to the standard computers, will enable cyber attackers to break what they believe are secure cryptography methods. This prediction, in turn, renders trusted encrypted communication and data storage insecure.
Classical digital ciphers rely on complex mathematical formulas to convert data into encrypted messages for storage and transmission. A digital key is used to encrypt and decrypt the data. Consequently, an attacker attempts to break the encryption method used to steal or modify protected information. The obvious way to do this is to try all possible keys to identify the one that decrypts data back to a readable form. The process can be handled using a conventional computer, but it requires a huge effort and time to accomplish. The American Scientists states, “the world’s fastest supercomputer would need trillions of years to find the right key.” In contrast, Grover’s Algorithm, a quantum computing method, simplifies and speeds up the cracking process.
Certainly, the transition phase from conventional to quantum computers will take a long time. This prediction points out that some computing areas will involve the use of both technologies, instead of replacing one with the other. As quantum computers complement and accelerate the power of conventional systems, modern cryptographic methods will remain in use throughout the period.
Eventually, quantum computing developers will pose implications for national security due to their ability to break today’s cryptography to reveal encrypted information and stored data.
As an article on the American Scientist states, the issue of quantum computing breaking modern cryptography remains hypothetical since the power of the existing quantum computer is incapable of cracking commonly used encryption approaches. Besides, the current quantum computers are too error-prone to crack current codes, according to the National Academies. Manufacturers and developers in the new technology still require significant advances to break a code widely used over the Internet effectively. Auspicious for cybersecurity enthusiasts?
Quantum Computing Power Malware Attacks
Today, hackers can adopt advanced technologies, such as machine learning techniques, to develop and distribute deadly forms of malware. What can a quantum computer offer to criminals running massive data sets for machine learning?
Threat actors can leverage the strengths of quantum computing to create a novel approach to breach cybersecurity. Such activities could be too computationally expensive on classical computers, but with a quantum computer, the hacker can quickly analyze datasets and proceed to launch a sophisticated attack on a large population of networks and devices.
Factors that will Enhance the Use of Quantum Computing to Improve Hackers’ Capabilities
- Affordable Cloud Quantum Computing for Hackers
It is unlikely that hackers will have resources to develop their quantum computing systems. However, with the current technological advancements, the emergence of general-purpose quantum computing will soon be available in the cloud as an infrastructure-as-a-service platform, making it affordable for a wide range of users. Quantum computing over the cloud will give businesses an opportunity to explore potential applications, according to CNN Business. At the same time, cybercriminals will leverage the technology to carry out advanced data breaches across the globe.
In 2019, Microsoft announced that it will offer quantum computing in its Azure Cloud, but limit the use to select customers. Under this product, the company provides quantum solutions like solvers and algorithms, quantum software like simulators and resource estimation tools, and quantum hardware with a variety of qubit architectures, all of which can be utilized by hackers. Other potential vendors of cloud-based quantum computing services include IBM and Amazon Web Services (AWS).
- State-Sponsored Attackers:
Nation-states are investing in quantum computing. In effect, countries will employ the systems to empower hackers as part of cyber-warfare and espionage activities that are increasingly gaining popularity.
In 2018, US President Donald Trump signed a bill that dedicates approximately $1.2 billion towards quantum information science, under the control of the National Quantum Initiative Act. On the other hand, Canada is ranked among the leading states in quantum research, investing more than $ 1 billion in the technology. Other countries leading in quantum computing technology include Germany, France, UK, Netherlands, Russia, China, South Korea, and Japan, according to Analytics Insight.
Defending against Quantum-Based Cyberthreats
According to a 2018 report by the National Academies of Sciences, Engineering, and Medicine, “New cryptography must be developed and deployed now, even though a quantum computer that could compromise today’s cryptography is likely at least a decade away.” In fact, the report indicates that it takes more than 10 years to replace the existing and widely used web standards. The future code-breaking quantum computers might have 100,000 times more processing power and a reduced error rate, making it meek and superfast to compromise modern cybersecurity methods.
It is, therefore, important to address quantum attack vectors now, instead of waiting until the emergence of general-purpose and commercial quantum computers. If an attacker or an agency intercepts encrypted information from a victim, they can keep the encoded data for the next few years, awaiting to develop a quantum computer to decrypt them. Besides, developing, testing, deploying, and improving new quantum-safe cryptographic solutions requires years of research and design by different stakeholders.
- Quantum Cryptography Procedures
Technology creators and users require several years to develop and implement new algorithms for an established Internet protocol. For this reason, it becomes imperative to start improving and replacing existing cryptographic methods as early as now, to offer users and businesses quantum resilient procedures that can avert an attack from such systems.
- Lattice-Based Cryptography
Security professionals can replace conventional cryptographic algorithms with lattice-based ones that are created with security in mind. These new methods hide data inside complex math problems called lattices. Such algebraic structures are difficult to solve, making it possible for cryptographers to protect the information in the presence of strong quantum computers.
According to IBM’s researcher, Cecilia Boschini, lattice-based cryptography will thwart future quantum computing-based attacks as well as form a basis for Fully Homomorphic Encryption (FHE) that makes it possible for users to perform calculations on a file without seeing the data or revealing it to hackers. Some use cases of FHE involve analyzing and producing credit scores without decrypting credit card data by a credit reporting agency or sharing medical records without revealing a patient’s identity among health practitioners.
Lattice-based primitives can be plugged into the Transport Layer Security and the Internet Key Exchange protocols, securing crucial security protocols from quantum-based attacks.
- White Hat Quantum Computing Hacking
Future white hat hackers can use their skills to protect systems against quantum-based attacks. Businesses, private researchers, governments, and academics should test and detect weaknesses on quantum computing algorithms before they are deployed. A new class of quantum computing white hat hackers can be trained to proactively find security weaknesses in the new technology and fix them before malicious actors exploit them.
- Risk Management Roadmap for Quantum Attacks
A risk management roadmap for businesses and government agencies can effectively mitigate quantum computing-based attacks. Such a program should inventory impacted IT assets, including hardware, software, IoT devices, and communication infrastructure. Afterward, the risk management program explores and recommends alternative cybersecurity measures that encompass developing layers of defense. Some of the best practices include the use of tokenization, quantum-safe procedures, and zero-knowledge proof systems.
Ultimately, quantum computing offers increased power that presents great breakthroughs in various fields, such as finance, climate, medicine, and so on. The technology has consequently become a new front for big tech firms and governments in the quest for advancement and competitive edge. Both businesses and nation-states spend billions on researching and developing quantum computers. Nevertheless, such developments have implications on the safety conventional computing systems, requiring immediate attention and action from cybersecurity professionals and analysts. There is a need for the design and deployment of quantum-safe procedures and measures to prevent eavesdropping and maintain the integrity and authenticity of data. The new protection measures should secure both data at rest and in transit.
About the Author
Julien Legrand, Security Governance Lead at Neat, is an experienced cybersecurity specialist, application security leader, technology writer and international speaker with a strong combination of business leadership and technical background, focused on risk management, security assessment, identity and access management, penetration testing and cryptography.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.