
2/26/2021
10:00 AM
Tim Hollebeek
Commentary

After a Year of Quantum Advances, the Time to Protect Is Now

Innovations in quantum computing mean enterprise and manufacturing organizations need to start planning now to defend against new types of cybersecurity threats.

We've been hearing a great deal about advances in quantum computing for a few years, but 2020 was definitely groundbreaking. Innovation is continuing to gain momentum, and new advances are pushing this revolutionary technology closer to commercial adoption. Some of the most recent milestones include:

  • IBM partnered with leading Japanese universities and corporations in July to bring quantum computers to the workplace through applications for business, finance, and materials development.
  • In August, University of Chicago students announced they had discovered a technique that would enable quantum states to last 10,000 times longer.
  • Google achieved a chemistry milestone for quantum computing in September, stimulating a chemical reaction with its quantum computer and opening a path toward more possible discoveries and inventions.

Although quantum technology will not reach maturity for years, standards bodies and other industry leaders are already considering its impact on cybersecurity and today's widely used encryption algorithms. ETSI recently released new strategies and recommendations for migrating to quantum-safe schemes. The Accredited Standards Committee (ASC X9) issued a new standard for public key cryptography use of digital signatures.

Big Strides in Quantum, and More to Come
It's clear that 2020 was a watershed year in realizing large-scale, practical quantum computing, and the innovation will only accelerate. It won't be long before a major technology company announces it has applied quantum computing to successfully solve a problem that could not be tackled by traditional supercomputers.

We are not yet at the point where algorithms such as ECC or RSA are at risk, because breaking these advanced protections requires large-scale quantum computing power. However, the ability to solve practical problems will be a significant milestone that will spark additional investment in quantum technology — and create a virtuous feedback loop to drive further, faster advances.

What do these advances mean for enterprise and original equipment manufacturing (OEM) organizations? The past year's progress moves us much closer to a quantum reality. According to a recent survey, 71% of IT professionals believe that quantum computing will present a major security threat in the near future.

Transforming cybersecurity strategies can take a considerable amount of time — sometimes even decades. That means organizations will have to start preparing now if they want to be ready when sufficiently large numbers of quantum computers exist. Enterprises and manufacturers that fail to move forward on their journey now risk being left behind in the years ahead.

Planning a Four-Year Strategy
Although 2020 has been packed with quantum computing advances, it is still impossible to predict a precise date when quantum computing will arrive. Still, to get in front of the curve, it's advisable to plan to have cybersecurity preparations fully in place by 2025. For some critical systems, it's important to have defenses in place even earlier.

Why is 2025 an important time frame? The National Institute of Standards and Technology (NIST) recently launched an evaluation process for choosing quantum-safe algorithms, and this process is expected to be completed by 2024. This is an important time frame for OEMs and organizations responsible for embedded security in products, solutions, and processes to keep in view.

Organizations securing long-life valuable data such as financial records, military secrets, healthcare records, and other assets are vulnerable to "harvest and decrypt" attacks. Information organizations need to be preparing now to ensure they secure data at risk today.

Also, devices that are shipping today may still be around when quantum computers arrive and will need to have a plan in place, such as for secure remote updates, to update them to quantum-safe methods. Since those methods are not standardized yet, some products will need two updates to be secure: one to prepare them to securely receive post-quantum updates and another one once post-quantum technologies are more mature.

In addition, organizations securing products and solutions that have significant development timelines, long life cycles, and high cost to repair or recall should take proactive steps. They should begin testing, proof of concept, and infrastructure-upgrade planning to ensure they are ready, before the risk of large-scale, cryptographically relevant quantum computers becomes a reality. Full transition for these types of products should be completed by 2025. Without standards, these organizations will need to deploy hybridized and crypto-agile solutions that maintain NIST Federal Information Processing Standards (FIPS) compliance.

It's Time to Get Started
Organizations can begin taking initial steps now to prepare for a post-quantum world. Some initial planning considerations for safeguarding devices could include:

  • Does the device require strong security, such as:
    • Public key infrastructure (PKI) and digital certificates?
    • Hardware security modules (HSMs)?
    • Physically embedded roots of trust?
  • How many years does a device need to be secured for? If the answer is seven or more years, you need to start preparing today.
  • How long does the information need to remain confidential? Again, if the answer is seven or more years, it's time to start preparing now.

As you prepare for your technology transition, take the time to understand the problem, and find out what technologies are available to mitigate it. Find all the cryptography in your organization and start working on a plan to replace it. 

As you become more crypto-agile and prepare for deployment, ask your third-party vendors about their transition plans, and consider replacing any products and services that cannot be upgraded. Take steps to test your transition plans and mechanisms to make sure they work. Then, move aggressively to put a quantum-safe PKI solution in place to support future upgrades, and continue to deploy quantum-safe technologies as they become available.

While quantum computing might easily take a decade or more to go mainstream, this is not a race that an organization can afford to lose. The stakes are higher than ever for maintaining security and compliance. Fortunately, by putting planning into motion soon, you'll assure your ability to stay several steps ahead of the coming revolution in quantum computing.

Timothy Hollebeek has 19 years of computer science experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He then moved on to architecting payment security systems, with an emphasis on encryption and ...
 
