Quantum Computing and Code-BreakingPrepare today for the quantum threats of tomorrow.
With all the grand speculation and hype tied to quantum computing, the technology seems more like it belongs in the realm of science fiction rather than your daily tech newsfeed. But this isn't science fiction. Tech companies around the world are racing to bring quantum computers into the mainstream of business processes to unlock new capabilities, services, and revenue models.
However, as quantum computers are beginning to gain traction and soon will be moving out of R&D environments, government agencies and security experts are already sounding the alarm for the potential harm such breakthrough technology could be capable of wreaking in the area of data security.
A quantum computer is based on the superposition principle — that a qubit (a bit in a quantum computer) can exist in the state of a 0, a 1, or both states at once. Today, the largest publicly available quantum computer from IBM Q (an IBM initiative to build quantum computers for business and science) has 20 qubits — so it can exist in 220 or just over a million states at once. When technologists double this to 40 qubits, that becomes just over a trillion states at once. This could be a powerful tool for breaking data encryption; instead of trying one combination at a time sequentially, the quantum computer can try a very large number at the same time. Experts suggest that a computer with 2,000 to 4,000 qubits would be enough to defeat conventional strong encryption standards within a reasonable time.
Today's largest publicly available computer from IBM: IBM's Q System One, a 20-qubit machine, was on display at IBM's THINK Conference in San Francisco this February. It is shown here without the cooling required to get it to a fraction of a degree above absolute zero.
Luckily for the data security industry, a quantum computer is made of a collection of high-end refrigeration and other large-science experimental gear — because, well, it is cutting-edge experimental physics. When first invented, a 5MB disk drive was as big as two large vending machines. Now you can put a million times more data on a thumb drive that fits in your pocket. The constant in computing is that things get smaller, faster, and cheaper, but for now, quantum computing is a large, expensive, and finicky physics lab resident.
The security industry is gearing up to upgrade standards to protect against quantum attacks. But there are a couple of methods available to protect against this threat right now. Today, best practices in security require multiple levels of protection. Advanced persistent threats (APTs) involve malicious code being installed on a server inside the security perimeter, so once the hacker has defeated the firewalls, the malicious code is inside and looks for vulnerable servers. Every server should use encryption to prevent data extraction or corruption. You can't put a quantum computer onto a corporate server because, remember, it's a physics lab, not a piece of portable code. Therefore, you need to protect data right at the source — on the servers. It is important to protect data with proper access policies that ties to process, applications, and users with unique encryption for different data sets. This reduces APT-initiated process's ability to access data in the first place, and unique encryption makes it even more difficult to decrypt all the data together.
But what if a cybercriminal or nation-state hacker extracts data or keys and transports them to a quantum computer facility? IBM and others already have made small quantum computers available to the public. And if you compare an emerging technology such as TensorFlow for machine learning, you will see that you can already provision very large capacities of highly optimized TensorFlow on Amazon Web Services, so it's likely that a public cloud provider will offer quantum computing as a service once the technology has matured.
To face this threat, adopting a comprehensive approach to protecting data on servers includes:
- Proper management of keys, including hierarchical keys to enable key rotation.
- Applying firewall-like rules for data access, restricting access by user ID and application.
- Reporting any unauthorized or suspicious attempts to access data. Good reporting and alerting can prevent loss of data after a single key or server has been compromised but before critical data is sent out for quantum-powered code breaking.
Encrypting and spreading the data across multiple servers or clouds provides additional protection, meaning that if one is compromised, the data is still secure and can be recovered from the uncorrupted servers, while the threat is being identified and neutralized.
Particularly, organizations need to have cryptographic agility, which is the capacity for an IT system to promptly shift from existing cryptographic methods without significant changes to system infrastructure. In fact, according to NIST guidelines, becoming crypto-agile is no longer optional. Here are a few steps organizations can take to become crypto-agile:
- Implement a cryptographic control center that functions as an interface to manage cryptographic policies for every application.
- Establish an abstraction layer that acts as an API to hide cryptographic information. This ensures that application programmers can continue development without any clear disruptions to cryptographic solutions. When a security team needs to update an encryption solution, all they have to do is update the abstraction layer, thus eliminating the need to educate programmers on complex details of cryptography.
- Conduct a full assessment of cryptography used by various information systems, and implement a centralized crypto key management system. This gives administrators the flexibility to manage application keys through automated protocols.
Regular use of quantum mechanics in computing is still far from common, but according to a recent report from the National Academies of Sciences, Engineering, and Medicine, companies need to speed up preparations for the time when quantum technology can crack conventional defenses.
While there may not be an immediate danger of sensitive data being breached by someone with quantum computing technology, all organizations should have the beginnings of a quantum resilience data protection plan in place because the race to the first quantum computer is fierce. Fortune 500 companies, including IBM, Google, Microsoft, and Intel, are increasingly plugging away on quantum technology, and countries (including China) are investing billions of dollars into research and development, ensuring the era of quantum computing is quickly approaching. My advice: Begin protecting against tomorrow's — or 2029's — threats today.
Pankaj Parekh was appointed Chief Product and Strategy Officer (CPSO) of SecurityFirst in August 2018. He is responsible for the long-range vision to set the direction for the company's products, as well as running the development, testing, and delivery organizations for ... View Full Bio
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.