How America can get ahead of Q-Day: Preparation is Key
(NationalInterest.org) Skip Sanzeri, the Founder, Board Chair, CRO and COO at QuSecure, explains in frightening detail how vital it is that all company leaders start the process of understanding how to move to a PQC world—the future of U.S. national security depends on it. IQT-News summarizes Sanzeri’s essay; the complete article worth the time to read.
Arthur Herman, senior fellow at the Hudson Institute, once wrote the following: “Q-Day is the term some experts use to describe when large-scale quantum computers are able to factorize the large prime numbers that underlie our public encryption systems…” Ironically, the phrase “Q-Day” was also used for the testing of the first atom bomb in 1945.
Today, most of the world s digital communications rely on standardized encryption to protect against classical (the computers we currently use today) computing attacks. This encryption, sometimes referred to as public-key encryption, PKI (Public Key Infrastructure), RSA (Rivest Shamir Adleman) or ECC (Elliptic Curve Cryptography), is based on a single transaction of factoring a large number. This mathematical equation is all that stands between our data and our adversaries.
So, what could happen if a U.S. adversary fully utilized a powerful quantum computer? We could see massive amounts of data being stolen and decrypted, financial system collapses, energy grid hacks, and even control over major military systems. The fact is that we are all leaving ever-increasing digital footprints and every company and government agency on this planet utilizes increasing amounts of digital capabilities and assets. Everything we do has a digital trace, and all data is now flowing and openly accessible though current standard encryption. Imagine if all that data was available to whoever had access to a CRQC? The power they would have would be so great that it is hard to imagine the damage that would be done and the global power that would be held.
Arthur Herman conducted two formidable studies on what a single, successful quantum computing attack would do to both our banking systems and a major cryptocurrency. A single attack on the banking system by a quantum computer would take down Fedwire and cause $2 trillion of damage in a very short period of time. A similar attack on a cryptocurrency like bitcoin would cause a 90 percent drop in price and would start a three-year recession in the United States. Both studies were backed up by econometric models using over 18,000 data points to predict these cascading failures.
Another disastrous effect could be that an attacker with a CRQC could take control of any systems that rely on standard PKI. So, by hacking communications, they would be able to disrupt data flows so that the attacker could take control of a device, crashing it into the ground or even using it against an enemy. Think of the number of autonomous vehicles that we are using both from a civilian and military standpoint. Any autonomous devices such as passenger cars, military drones, ships, planes, and robots could be hacked by a CRQC and shut down or controlled to perform activities not originally intended by the current users or owners.
Do not be fooled by what you see in the news or in public-facing articles. You can be sure that a nation-state attacker is not going to announce that they have a CRQC capable of dissolving PKI. Their incentive is to stay underground, harvesting as much data as they can before anyone notices.
In conclusion, Sanzeri recommends that leadership, whether government, commercial or other, begin to look at existing cryptographic systems to understand where digital vulnerabilities exist. In many cases with large enterprises and government agencies, the cryptographic upgrade process from PKI to post-quantum cryptography (PQC) to protect systems could take years. PQC refers to the implementation of software-based cryptography and systems that are resistant to quantum attacks. Even with CRQCs, both communications and data would be resilient to quantum attacks since they use much more complex algorithms and systems than our standard PKI, which uses factoring.
This move from PKI to PQC will be the largest upgrade cycle in computer history, and all public-key encryption needs to change to provide a completely quantum resilient ecosystem. Data in transit and at rest, and all devices will need to upgrade to PQC, which will reduce or mitigate the ability for quantum computers to crack encryption. Enterprise and government agencies can start now by testing PQC to understand how it works in their environments. Companies today provide PQC that can be tested in an enterprise or via the cloud. It is vital that all company leaders start the process of understanding how to move to a PQC world. The future of U.S. national security depends on it.
Sandra K. Helsel, Ph.D. has been researching and reporting on frontier technologies since 1990. She has her Ph.D. from the University of Arizona.