Four out of five cybersecurity pros are fretting over the potential for a sneak attack by an adversary with a quantum computer that will render the encryption on their data ineffective.
That was one of the findings in a global survey released Tuesday of more than 600 cybersecurity professionals conducted by Dimensional Research for Cambridge Quantum, a quantum cryptography company that recently became part of Quantinuum.
“There’s a lot of fear in the cybersecurity community,” observed Duncan Jones, head of quantum cybersecurity at Cambridge Quantum.
“There’s been a steady increase in sophisticated cyberattacks so people are nervous that something is going to arrive unexpectedly that will render existing defenses insufficient,” he told bluehillco.
“Cryptographic algorithms are usually formed around math problems,” he explained. “The problems are easy to solve if you know what the key is, but impossible to solve if you don’t know what the key is.”
“Unfortunately, the algorithms that we use today use math problems that quantum computers will be able to solve even if they don’t have the key,” he said.
Quantum computers can process data much faster than most computers today because they use qubits to crunch data, which are not limited to zeroes and ones.
Plenty of Warning
Michela Menting, digital security research director at ABI Research, noted that attack-capable quantum computers aren’t far off, but doubts that when they attack, it will be a big surprise.
“I think there is plenty of information out there about the possibility of that happening, so unless organizations have been putting their head in the sand, they will have had plenty of warning,” she told bluehillco.
“In the short term, a without-warning type of event would be very unlikely,” added Heather West, a senior research analyst in IDC’s infrastructure, systems, platforms, and technology group.
“While quantum computing is at an inflection point, transitioning from scientific curiosity to commercial viability, it’s still really young,” she told bluehillco.
“There are still a lot of advancements that need to be made before it can be used to solve complex problems, like breaking the encryption algorithms protecting our data today,” she continued.
“We shouldn’t lose any sleep tonight about it, but as the technology matures over the next 10 years, that’s when we should start to get concerned,” she added.
Hiding Quantum Research
Currently, there aren’t any quantum computers that have the capacity to compromise existing encryption schemes, maintained Mark Horvath, a senior research director at Gartner.
“However, like the SHA-1 compromises of the mid-2000s, we expect that they will make progress over the next five years, weakening existing algorithms to the point that they will need to be replaced,” he told bluehillco.
But Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla., maintained that a sneak attack could occur because of the secrecy surrounding quantum computer development.
“Every capable nation-state is working to get sufficiently capable quantum computers, and if they do so before a public competitor, then they will hide their quantum accomplishment. It is guaranteed,” he told bluehillco.
“It might already have taken place, and we just do not know about it,” he said.
“More importantly,” he continued, “if you have big secrets you need to keep secret for many more years from now, a nation-state or competitive adversary could already be sniffing your now encrypted network traffic and storing it for the time when they have sufficiently capable quantum computers in the future.”
“For sure, nation-states are already doing that, just waiting for the day,” he added. “And when it happens, adversaries will be able to read any secrets previously protected by quantum-susceptible encryption.”
For that reason, there are researchers developing so-called post-quantum cryptographic methods, explained Daniel J. Gauthier, a professor of physics atThe Ohio State University.
“These use mathematical techniques that are believed to be secure against an attacker who has a quantum computer,” he told bluehillco.
“Also, some countries are developing quantum communication methods that should be immune to an attack by an actor with a quantum computer,” he added.
Hack Now, Decrypt Later
“Hack now, decrypt later” could pose a significant problem for organizations in the future.
“The strategy being implemented by adversarial nations and other bad actors to steal encrypted communications today for later decryption with quantum computers should especially concern those organizations required to protect critical data over several years or more,” Jones said in a news release.
“It’s very cheap and easy to store data these days,” he added in an interview. “So it’s a safe assumption that bad actors are recording encrypted traffic today, knowing that they can break into it in five or 10 years’ time.”
Menting noted that hack now, decrypt later campaigns are common. “It is mostly undertaken by nation-states and state-sponsored groups, including all the big economic and political powers today, and it is realistic to think that countries like China and Russia are actively engaging in it,” she said.
Gauthier noted that the technique is only useful for data with a long lifetime. “For information that has a short useful lifetime, this attack is not effective,” he observed.
Worth the Wait?
Even if the data is useful five or 10 years from now, extracting it from its encryption, even with a quantum computer, could be challenging.
“While it might be possible to crack an existing key with a quantum computer, its not going to be a fast process, at least not right away,” Horvath said.
“Bulk cracking of large amounts of data — all with different keys — will be impractical this decade,” he continued. “Select targeting of some documents will come in range within five to 10 years, but it will take a lot of resources.”
He explained that since most encryption keys have short lifecycles — around two years — long term documents, such as mortgages, and some classified documents are most at risk from hack now, decrypt later attacks.
Horvath advises organizations to carefully review their crypto needs based on the expected longevity of the data and ramp up encryption accordingly. For the rest of the decade, simply lengthening keys should be enough to keep most sensitive documents safe.
Organizations that want to stay ahead of the encryption game need to keep their systems updated, added Jesse Varsalone, a computer networks and cybersecurity associate professor at the University of Maryland Global Campus in Adelphi, Md.
“What you really have to be worried about are older technologies that were developed when computing power wasn’t what it is today,” he told bluehillco. “Those computers will be especially susceptible to quantum computer attacks, compared to the latest and greatest hardware.”