Duncan Jones: Security teams should be addressing quantum cyber-threats now
(InfoSecurity) Addressing quantum cyber-threats should already be a high priority for cybersecurity professionals, according to Duncan Jones, head of cybersecurity at Quantinuum at a recent presentation. IQT-News summarizes the always excellent and informative Jones below:
Jones offered the following advice to security teams regarding addressing quantum threats:
Understand your assets and use of cryptography
Identify the biggest risks (sensitive data, hack now, decrypt later)
Speak to vendors – ask them about their quantum-safe roadmap
Create a prioritized migration plan
Test and experiment as soon as possible
Jones explained that quantum poses significant dangers in cyberspace. In particular, in the next 10-15 years, it is expected to be able to break existing cryptography algorithms such as RSA, Elliptic curve cryptography and Diffie–Hellman key exchange. For example, quantum algorithms like Shor’s algorithm (1994) will ultimately solve the complexities of such systems.
This threat is not imminent, and Jones said we are currently in the noisy intermediate-scale quantum (NISQ) era, in which the leading quantum processors do not contain enough qubits to mount such attacks. However, this will inevitably change in time, and the asymmetric realm “will be completely broken by Shor’s algorithm.”
This will impact numerous everyday systems, including public key infrastructure (PKI), HTTP/TLS, network security, payments, Internet of Things (IoT) and blockchain.
Jones emphasized that quantum does not just represent a future cyber-threat but nevertheless is very relevant today. This is the concept of ‘hack now, decrypt later.’ In this scenario, a hacker will listen in to and record an encrypted exchange today, which they can decrypt retrospectively on a quantum computer in the future. Therefore, “perfect forward secrecy doesn’t help you here because the attacker can see all the messages that were exchanged, and a quantum computer will be able to break the mathematics protecting that exchange.” This issue is particularly pertinent to data that will still be relevant in 10-15 years, such as health information. “Quantum attacks may well have already started,” noted Jones.
“Quantum attacks may well have already started”
He also highlighted the huge dangers quantum attacks pose to IoT devices. This is because these devices have a secure boot mechanism baked into the silicon that cannot be upgraded, leaving many of these devices vulnerable to quantum attacks. “What happens if you’ve got a device in 30 years’ time that has an elliptic curve-based secure boot mechanism in the field?” he asked.
Despite these concerns, Jones emphasized that there are actions security teams can take now to secure their systems against the threat of quantum. He highlighted the National Institute of Standards and Technology (NIST)’s ongoing process to identify new algorithms “that we don’t think a quantum computer can solve any better than a classical computer.”
Jones said that organizations should consider moving to a ‘hybrid mode’ regarding their cryptographic algorithms, in which a post-quantum algorithm is combined with classical algorithms. This “makes you no less secure than just using your classical algorithm, but if you chose a good candidate that turns out to be quantum-resistant, it protects you against this hack-now-decrypt-later concept.”
Jones went on to discuss how security teams can migrate to post-quantum cryptography, noting “there are a lot of steps ahead of us.”
He added that organizations should be communicating to their cybersecurity vendors about this issue, “asking them what their quantum-safe roadmap looks like.”
The potential cybersecurity benefits of quantum computing were also highlighted by Jones. These revolve around two main areas: quantum key distribution and quantum key generation. “In some areas of cybersecurity, we can actually throw away those complexity assumptions and instead build systems that have no complexity assumptions at all,” he said. A number of organizations are working on developing systems based on this principle, including Quantinuum.
Sandra K. Helsel, Ph.D. has been researching and reporting on frontier technologies since 1990. She has her Ph.D. from the University of Arizona.