Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Keep Today's Encrypted Data From Becoming Tomorrow's Treasure

Building quantum resilience requires C-suite commitment, but it doesn't have to mean tearing out existing infrastructure.

Vikram Sharma, CEO & Founder, QuintessenceLabs

September 16, 2022

4 Min Read
Photo of a wooden treasure chest sitting in a sand dune, with sea grass and scallop shells lying around
Source: Canetti via Alamy Stock Photo

You may feel that encrypting data with current technology will offer robust protection. Even if there is a data breach, you may presume the information is secure. But if your organization works with data with a "long tail" — that is, its value lasts years — you'd be wrong.

Fast forward five to 10 years from now. Quantum computers — which use quantum mechanics to run operations millions of times faster than today's supercomputers can — will arrive and will be able to decrypt today's encryption in minutes. At that point, nation-state actors simply have to upload the encrypted data that they've been collecting for years into a quantum computer, and in a few minutes, they will be able to access any part of the stolen data in plaintext. This type of "harvest now, decrypt later" (HNDL) attack is one of the reasons why adversaries are targeting encrypted data now. They know they can't decrypt the data today but will be able to tomorrow.

Even though the threat of quantum computing is some years away, the risk exists today. It is for this reason that US President Joe Biden signed a National Security Memorandum requiring federal agencies, defense, critical infrastructure, financial systems, and supply chains to develop plans to adopt quantum-resilient encryption. President Biden setting the tone for federal agencies serves as an apt metaphor — quantum risk should be discussed, and risk mitigation plans developed, at the leadership (CEO and board) level.

Take the Long-Term View

Research analyst data suggests the typical CISO spends two to three years at a company. This leads to potential misalignment with a risk that is likely to materialize in five to 10 years. And yet, as we see with government agencies and a host of other organizations, the data you generate today can provide adversaries with tremendous value in the future once they can access it. This existential problem will likely not be tackled solely by the person in charge of security. It must be addressed at the highest business leadership levels owing to its critical nature.

For this reason, savvy CISOs, CEOs, and boards should address the quantum computing risk problem together, now. Once the decision to embrace quantum-resistant encryption is made, the questions invariably become, "Where do we start, and how much will it cost?"

The good news is it doesn't have to be a painful or costly process. In fact, existing quantum-resilient encryption solutions can run on existing cybersecurity infrastructure. But it is a transformational journey — the learning curve, internal strategy and project planning decisions, technology validation and planning, and implementation all take time — so it is imperative that business leaders begin preparing today.

Focus on Randomizing and Key Management

The road to quantum resilience requires commitment from key stakeholders, but it is practical and does not usually require ripping-and-replacing existing encryption infrastructure. One of the first steps is to understand where all of your critical data resides, who has access to it, and what protection measures are currently in place. Next, it is important to identify which data is most sensitive and what its sensitivity lifetime is. Once you have these data points, you can develop a plan to prioritize the migration of the data sets to quantum-resilient encryption.

Organizations must give thought to two key points when considering quantum-resilient encryption: the quality of the random numbers used to encrypt and decrypt data and the key distribution. One of the vectors quantum computers could use to crack current encryption standards is to exploit encryption/decryption keys that are derived from numbers that are not truly random. Quantum-resistant cryptography uses longer encryption keys and, most importantly, ones that are based on truly random numbers so they can't be cracked.

Second, the typical company has several encryption technologies and key-distribution products, and management is complex. Consequently, to reduce the reliance on keys, often only large files are encrypted, or, worse yet, lost keys leave batches of data inaccessible. It is imperative that organizations deploy high-availability, enterprise-scale encryption key management to enable a virtually unlimited number of smaller files and records to be encrypted. This results in a significantly more secure enterprise.

Quantum-resistant encryption is no longer a "nice to have." With every passing day, risk is mounting as encrypted data is stolen for future cracking. Happily, unlike quantum computing, it does not require a huge investment, and the resulting risk reduction is almost immediate. Getting started is the hardest part.

About the Author(s)

Vikram Sharma

CEO & Founder, QuintessenceLabs

Recognizing the potential of quantum cybersecurity in the early 2000s, Vikram Sharma sought to commercialize the technology, returning to the Australian National University to work with the Quantum Optics Group in the Department of Physics. QuintessenceLabs emerged from the world-leading research conducted by the group. The company's capabilities have received numerous awards including global runner-up from a pool of 2,500+ companies in IBM’s SmartCamp competition, Top 20 Westpac Businesses of Tomorrow, Security Innovation Network's SINET16 Cyber Security Innovators, CyberTech 100, and most recently, recognized as a Global Innovator by the World Economic Forum.

Prior to QuintessenceLabs, Vikram had deep experience in building and managing technology companies. He founded two successful start-up ventures in the information technology infrastructure and services spaces — a consulting company providing IT services to the Federal Government in Australia, and one of India's first private ISPs. He started his career as a programmer analyst and went on to work as a consultant with several leading professional services firms in Australia.

Vikram holds a Master of Science in computer science from The Australian National University, a Master of Science in management (Sloan Fellow) from Stanford University, and a doctorate in quantum physics from The Australian National University. He was presented the Pearcey State Award for Entrepreneurship in 2013. In 2014, Vikram was invited by the UK Government to join an expert panel for its flagship Quantum Technology Hubs program. He is a member of the Advisory Board of the Sydney Quantum Academy and serves on the World Economic Forum's Global Future Council on Cybersecurity. He is a regular contributor to journals and a frequent speaker at conferences. Vikram's TED Talk on "How Quantum Physics Can Make Encryption Stronger" has had over 1.2 million views.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights