The Best Approaches to Quantum-Proof Security
This is a sponsored article, written by Terry Cronin, VP at Toshiba who oversees the QKD Division
It’s no secret that good security requires a good defense, especially when quantum computing is involved. To achieve in-depth security, organizations must utilize multiple different defense methods, as relying on only one could result in a disaster. To invest and implement it successfully, companies should utilize a multilayered security approach known as defense-in-depth and understand where the future of quantum computing is heading. For example, organizations can deploy two different types of security practices, like post-quantum cryptography (PQC) and quantum key distribution (QKD).
Quantum-proof encryption: A necessity
Quantum computers are becoming more advanced, and as their widespread adoption becomes imminent, it increases the need for organizations to get serious about quantum-proof encryption. Quantum computers will be powerful enough that public key encryption does not stand a fighting chance against them. To put it into perspective, it can take a classical computer thousands of years to break public key cryptography, whereas a quantum computer will break it in minutes. Therefore, quantum-proof encryption ensures the privacy and security of data in the event of a cyberattack done by a cryptographically relevant (powerful enough) quantum computer. While this will be important when quantum computers become widely available, it is equally important today.
It may not seem like an immediate threat, but organizations must evaluate their cybersecurity infrastructure today as it could be rendered useless if infiltrated by a hacker with access to quantum computing technology. One threat that is imminent is “harvest now, decrypt later” attacks, where cybercriminals collect and hold onto encrypted data until they can decrypt it with a quantum computer. This type of attack is happening on a global scale right now—hackers are harvesting data and holding onto it for when they can decrypt it. QKD is not only the best defense an organization has against “harvest now, decrypt later” attacks, but until the National Institute of Standards and Technology (NIST) certifies PQC algorithms, QKD is currently the only solution protecting companies from this attack today. Even post-standardization, it’s likely QKD will remain the only defense against HNDL attacks. Even if a hacker successfully harvests the data, there is no way for them to obtain the necessary key to encrypt the data, thereby ensuring the data’s safety and security.
Approaching quantum-proof security
To achieve the most successful protection, organizations must deploy a combination of defenses and not rely on solely one method. This can bolster overall security and can reduce a cyber attack’s impact on the organization. If one security defense fails, the other defense will deploy and protect the data, thwarting hackers’ attempts to infiltrate the system. This will only work if the security methods fail in different ways, as this ensures one remains in-tact if the other is compromised.
Following a multilayered security method also sets the organization apart from its competitors, since the chance for a successful cyberattack decreases due to the multilayered approach. It is also the best defense against “harvest now, decrypt later” attacks. While adopting these security approaches may seem like a worry for tomorrow, organizations should begin to implement quantum-proof security practices today. In fact, quantum key distribution (QKD) is the only method that organizations can implement now, since it can operate on existing computers and infrastructure with the strength of quantum protection. It is also true that PQC algorithms have not yet been standardized by NIST. This standardization process is expected to be complete sometime in 2024. Waiting until then exposes a company to harvest now, decrypt later as discussed above.
The future of quantum security
The wide adoption of quantum computers is not far off into the future, with some experts predicting that they will be widely used in the next five to 10 years. The biggest danger quantum computing holds is its speed—the quickness at which it can run calculations renders security algorithms practically useless, since it can break those easily.
Given the power of these machines, companies must choose more than one defense type to protect their data. Although cryptographically relevant quantum computers and solutions are not commercially available today, organizations who implement quantum-proof security sooner rather than later will be better prepared for “harvest now, decrypt later” attacks and other future cyberattacks. With early adoption, organizations can examine and identify their security gaps and can take time—without the pressure of a cyberattack—to mitigate the issues.
The importance of protecting data today for the potential quantum computing attacks of the future cannot be overstated. As discussed, there is no single best security solution to defend against attacks. A multilayered approach is the best way to protect data, ensuring that if one method fails, there is another method in place to safeguard the company’s data. We must make choices of defensive products based on dissimilar defense algorithms. To choose algorithms that use the same mathematics is asking for repeated failures after the algorithm in question is defeated a first time.