Even though more public and private organizations are understanding the opportunities created by quantum technology, the space and its potential threats still feel too “in the future” to many traditional network and security practitioners. Unfortunately, waiting for the future to address these issues could expose commercial and government organizations in the United States to potentially catastrophic security breaches. Quantum attacks of this type could happen in the not-too-distant future! Experts estimate that quantum technology capable of breaking encryption algorithms and intercepting communications will be possible no later than 2030.
The Vulnerabilities of Current Cybersecurity Solutions
Public and private organizations currently rely on math-based asymmetric algorithms for authentication and key establishment, vital components of cybersecurity. The security of these schemes relies on the assumption that it is computationally infeasible for even the most powerful classical computers to solve certain mathematical problems (e.g., factoring large numbers or computing a discrete logarithm). Quantum computers will be able to easily solve these problems, and so once the technology arrives, secured systems, networks, communications, devices, and data will be rendered transparent.
One might believe that it will be many years before the security threat posed by the unique power of quantum computing becomes a reality. The issue remains that information and data being stored today must stay confidential for long periods of time, and rolling out new solutions takes time. Existing encrypted information is vulnerable to a real and imminent security threat known as “harvest now, decrypt later” attacks. Imagine a bad actor gaining access to data at rest which is encrypted to the highest level using today’s available technology, storing this data, and then decrypting it using quantum computers in a few years. Because of this, organizations should assume that ALL information and communications encrypted before they implement appropriate countermeasures (regardless of the state of quantum computing at that time) are non-secure.
Monitoring Other Nation States
Unfortunately, the United States is behind in getting quantum ready. Because of the security implications of quantum computing, many other countries are in the process of implementing, or have already implemented, quantum networks, including ones that use unmanned aerial vehicles and satellites.
Demonstrating an early, strong lead in quantum capabilities and infrastructure, China has invested over $15 billion USD in quantum technologies. In 2019, Iran unveiled a new quantum technology lab, the first of its kind in West Asia and the Middle East, the same year that Russia formulated its Quantum Technologies Roadmap and North Korea began developing quantum technology to create a highly secure command and control link between Pyongyang and key missile launching sites. In 2021, Russia announced the development of a prototype 4-qubit ion quantum computer which could become the basis of a future cloud-accessible quantum computer within three years. While the U.S. government has recently increased investment into quantum technologies through the CHIPS Act, there is still a need to use that funding in an appropriate and expedited manner in order to achieve quantum security and be a world leader when it comes to quantum technologies. Current and planned funding might vary, but the message is clear: governments all over the world are racing to implement this technology first.
Addressing the Quantum Threat
Over the next decade, quantum technology will evolve rapidly and there are a number of countermeasures to consider. With Post-Quantum Cryptography (PQC) the basic idea is to replace, or augment, in-use classical cryptographic algorithms with those that are assumed to be quantum-secure. This method’s main advantage is that it doesn’t rely on quantum networking and can be deployed on existing classical networks and the Internet. Unfortunately, some PQC algorithms, which had been under development for more than five years, were able to be cracked in less than a few hours on a conventional laptop.
Quantum Key Distribution (QKD) typically refers to “prepare-and-measure” quantum key distribution protocols that run on and are enabled by prepare-and-measure quantum networks (QKD networks). This method has several advantages. The protocols themselves are provably secure since the laws of quantum physics allow for the two communicating parties to be able to detect the presence of an eavesdropper, and QKD systems have been commercially available for several years from multiple vendors. QKD’s main disadvantage is that it requires deployment of expensive resources (QKD devices and fiber), but only enables a single application. Current generation QKD products also have vulnerabilities due to their hardware implementation. They’re susceptible to side-channel attacks and rely on insecure relay nodes for distances over 150 km.
Quantum Secure Communications (QSC) addresses the deficiencies and security risks of QKD. While the security of QSC is also based on the laws of quantum physics, it relies on a different quantum phenomenon than QKD. Whereas QKD relies on prepare-and-measure technology, QSC relies on high-quality distributed entanglement. These entanglement-based quantum security protocols run over and are enabled by entanglement-based quantum networks, and are provably secure. By nature of these protocols and networks, QSC does not face vulnerabilities from hardware implementation. While entanglement-based networks will require use of some emerging technologies, they do not need to be built entirely from scratch. These networks utilize existing classical infrastructure, such as running over optical fiber. Another advantage and the main differentiator of QSC compared to QKD is that QSC runs on a universal network: distributed quantum computing and distributed quantum sensing, among other revolutionary applications, can run over the same quantum network infrastructure, providing additional value to the user.
QSC provides additional security and versatility relative to the other two countermeasures and should be a part of any recommended solution going forward. However, these countermeasures are not mutually exclusive. Quantum Secure Communication and Post Quantum Cryptography can be used together in such a way that an adversary would need to break the schemes from each in order to access secured information.
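One way to make "break both schemes" concrete is a key combiner, shown here as an added example that is not from the article or from any vendor's product. It assumes the quantum channel and the PQC key exchange each deliver a shared secret as bytes, and it uses HKDF (RFC 5869) as the combiner, which is a choice made for this example; the function names, salt label and sample byte strings are hypothetical.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it."""
    if not 0 < length <= 255 * 32:
        raise ValueError("length out of range for HKDF-SHA256")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(quantum_key: bytes, pqc_secret: bytes, context: bytes) -> bytes:
    """Derive one 256-bit session key that depends on BOTH input secrets.

    Each secret is length-prefixed so the boundary between them is unambiguous;
    context binds the key to a session (peer identities, algorithm names).
    """
    for secret in (quantum_key, pqc_secret):
        if len(secret) < 16:
            raise ValueError("each input secret must be at least 128 bits")
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in (quantum_key, pqc_secret))
    return hkdf_sha256(ikm, salt=b"hybrid-combiner-example-v1", info=context)


def demo() -> dict:
    """Constructed inputs: fixed bytes stand in for the two channel outputs."""
    q = bytes(range(32))            # stand-in for a key from the quantum channel
    p = bytes(range(100, 132))      # stand-in for a PQC KEM shared secret
    ctx = b"alice|bob|example-session-1"
    key = combine_secrets(q, p, ctx)
    return {
        "key": key,
        # An attacker who recovered only one secret and guesses the other
        # derives a different key in both cases.
        "pqc_only": combine_secrets(bytes(32), p, ctx),
        "quantum_only": combine_secrets(q, bytes(32), ctx),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value.hex()}")
```

Traffic is then encrypted under the combined key only, so a recording of the ciphertext stays protected as long as either input secret remains unrecovered.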
While a quantum computer large enough to break today’s traditional encryption has not yet been publicly announced, the quantum revolution is well under way. The progress made in 2022 makes the future clear: it’s not a matter of when quantum technology will break our existing security protocols, but how we can best prepare ourselves to meet the challenges of quantum technology as it reaches its full potential and beyond. The time to act is now.
Michael Gaffney is Head of Public Sector, Aliro Quantum, the first pure play quantum networking company. Gaffney recently opened Aliro’s Washington D.C. presence to support the company’s expanding government and public sector initiatives following a career in Army intelligence and years implementing cloud and security solutions for the government.
Aliro Quantum is a Gold Sponsor at the coming IQT Quantum Cybersecurity event in NYC, October 25-27, 2022. Co-founder Michael Cubeddu will discuss “Quantum Safe in the Military” on October 26th.