Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:30 PM
Pankaj Parekh
Pankaj Parekh
Connect Directly
E-Mail vvv

Quantum Computing and Code-Breaking

Prepare today for the quantum threats of tomorrow.

With all the grand speculation and hype tied to quantum computing, the technology seems more like it belongs in the realm of science fiction rather than your daily tech newsfeed. But this isn't science fiction. Tech companies around the world are racing to bring quantum computers into the mainstream of business processes to unlock new capabilities, services, and revenue models.

However, as quantum computers are beginning to gain traction and soon will be moving out of R&D environments, government agencies and security experts are already sounding the alarm for the potential harm such breakthrough technology could be capable of wreaking in the area of data security.

A quantum computer is based on the superposition principle — that a qubit (a bit in a quantum computer) can exist in the state of a 0, a 1, or both states at once. Today, the largest publicly available quantum computer from IBM Q (an IBM initiative to build quantum computers for business and science) has 20 qubits — so it can exist in 220 or just over a million states at once. When technologists double this to 40 qubits, that becomes just over a trillion states at once. This could be a powerful tool for breaking data encryption; instead of trying one combination at a time sequentially, the quantum computer can try a very large number at the same time. Experts suggest that a computer with 2,000 to 4,000 qubits would be enough to defeat conventional strong encryption standards within a reasonable time.

Luckily for the data security industry, a quantum computer is made of a collection of high-end refrigeration and other large-science experimental gear — because, well, it is cutting-edge experimental physics. When first invented, a 5MB disk drive was as big as two large vending machines. Now you can put a million times more data on a thumb drive that fits in your pocket. The constant in computing is that things get smaller, faster, and cheaper, but for now, quantum computing is a large, expensive, and finicky physics lab resident.

The security industry is gearing up to upgrade standards to protect against quantum attacks. But there are a couple of methods available to protect against this threat right now. Today, best practices in security require multiple levels of protection. Advanced persistent threats (APTs) involve malicious code being installed on a server inside the security perimeter, so once the hacker has defeated the firewalls, the malicious code is inside and looks for vulnerable servers. Every server should use encryption to prevent data extraction or corruption. You can't put a quantum computer onto a corporate server because, remember, it's a physics lab, not a piece of portable code. Therefore, you need to protect data right at the source — on the servers. It is important to protect data with proper access policies that ties to process, applications, and users with unique encryption for different data sets. This reduces APT-initiated process's ability to access data in the first place, and unique encryption makes it even more difficult to decrypt all the data together.

But what if a cybercriminal or nation-state hacker extracts data or keys and transports them to a quantum computer facility? IBM and others already have made small quantum computers available to the public. And if you compare an emerging technology such as TensorFlow for machine learning, you will see that you can already provision very large capacities of highly optimized TensorFlow on Amazon Web Services, so it's likely that a public cloud provider will offer quantum computing as a service once the technology has matured.

To face this threat, adopting a comprehensive approach to protecting data on servers includes:

  • Proper management of keys, including hierarchical keys to enable key rotation.
  • Applying firewall-like rules for data access, restricting access by user ID and application.
  • Reporting any unauthorized or suspicious attempts to access data. Good reporting and alerting can prevent loss of data after a single key or server has been compromised but before critical data is sent out for quantum-powered code breaking.

Encrypting and spreading the data across multiple servers or clouds provides additional protection, meaning that if one is compromised, the data is still secure and can be recovered from the uncorrupted servers, while the threat is being identified and neutralized.

Particularly, organizations need to have cryptographic agility, which is the capacity for an IT system to promptly shift from existing cryptographic methods without significant changes to system infrastructure. In fact, according to NIST guidelines, becoming crypto-agile is no longer optional. Here are a few steps organizations can take to become crypto-agile:

  • Implement a cryptographic control center that functions as an interface to manage cryptographic policies for every application.
  • Establish an abstraction layer that acts as an API to hide cryptographic information. This ensures that application programmers can continue development without any clear disruptions to cryptographic solutions. When a security team needs to update an encryption solution, all they have to do is update the abstraction layer, thus eliminating the need to educate programmers on complex details of cryptography.
  • Conduct a full assessment of cryptography used by various information systems, and implement a centralized crypto key management system. This gives administrators the flexibility to manage application keys through automated protocols.

Regular use of quantum mechanics in computing is still far from common, but according to a recent report from the National Academies of Sciences, Engineering, and Medicine, companies need to speed up preparations for the time when quantum technology can crack conventional defenses.

While there may not be an immediate danger of sensitive data being breached by someone with quantum computing technology, all organizations should have the beginnings of a quantum resilience data protection plan in place because the race to the first quantum computer is fierce. Fortune 500 companies, including IBM, Google, Microsoft, and Intel, are increasingly plugging away on quantum technology, and countries (including China) are investing billions of dollars into research and development, ensuring the era of quantum computing is quickly approaching. My advice: Begin protecting against tomorrow's — or 2029's — threats today.



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Pankaj Parekh was appointed Chief Product and Strategy Officer (CPSO) of SecurityFirst in August 2018. He is responsible for the long-range vision to set the direction for the company's products, as well as running the development, testing, and delivery organizations for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/29/2019 | 3:10:18 AM
Forward progress
Sometimes we need to bear in mind that breakthroughs do not necessarily provide solely benefit to us. When we are dealing with something great, sometimes the risks involved are even greater. We need to weigh in on what is more important to us before we progress forward.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.