Preparing for the Quantum Future: Understanding Harvest Now Decrypt Later Attacks and Quantum Cryptography Standards


Part three of Qrypt’s “Quantum-Security Essentials” series of articles.


I. Introduction

In our Quantum-Security Essentials series, we’ve been shedding light on the complex world of quantum security. After covering the basics of quantum cryptography and introducing tools for quantum security such as Quantum Random Number Generation (QRNG) and Quantum Key Generation (QKG), we now turn our focus to the real threats from quantum attacks. This post highlights the urgent need for organizations to implement quantum-secure solutions in response to ‘harvest now, decrypt later’ (HNDL) threats and explores the evolving landscape of quantum cryptography standards and regulations that will shape how we protect our digital world.


II. Harvest Now Decrypt Later Attacks: A Real Threat

The advent of quantum computing poses a significant threat to data security. A common misunderstanding is that this threat lies far in the future, but this is not true. While the cracking of data by quantum computers may be a future concern, data harvesting is happening now. This “harvest now, decrypt later” strategy is a primary concern. Malicious actors are currently collecting and storing encrypted data with the intention of decrypting it later, either by capitalizing on advancements in today’s computers and new cryptographic attacks or utilizing future quantum computers capable of breaking our current encryption standards. Given the sensitive nature of the data—from personally identifiable information to state secrets that must remain confidential for years or even decades—the potential for breaking encryption through current or future advancements creates a looming threat that should not be taken lightly.


What type of data is at risk? All of it. There is data with tremendous and obvious long-term value, such as DNA or other genetic data, weapons data, and intellectual property. The first to break cryptography will “benefit” from an unprecedented transfer of intellectual capital and associated wealth related to the data. Drug formulations, chip designs, and novel code architectures will immediately enhance the “wealth” of the first entity able to decrypt them. However, all data has value. When combined, even the most minor pieces of data provide intelligence and actionable insights.


In parallel with the growth of artificial intelligence (AI) and machine learning (ML) technologies, along with fast, robust, scalable processing capabilities, we are witnessing an almost uncanny ability for advertisers to target us, seemingly reading our minds, knowing how we live and what we want. This is with only “legally” available data and the data exhaust we create. Consider all these tiny bits of data providing “signals intelligence” when combined – they could reveal intimate details about us individually, about our families, where we live, our health, and all aspects of our lives.


III. When and Where does Data Harvesting Occur?

Information harvesting occurs when data travels across the internet, passing through various servers, global communications infrastructure, and hardware; interception is possible at each of these points. Data harvesting typically occurs at points of high data concentration. For instance, large data centers, internet exchange points, and major server hubs are all likely targets due to the vast amount of data flowing through them. They represent trusted infrastructure where data is assumed to be safe because it has already been encrypted by TLS and PKI. The risk of compromise is very low because the only requirement large enterprise users place on these services is physical reliability. Cloud and other virtualized environments pose their own challenges, and detecting HNDL data exfiltration channels there is even more problematic.


Many players, from government entities to low-budget hackers, can tap into these data streams. For instance, Russia reportedly has submarines equipped to tap undersea cables, while hackers have found ways to intercept satellite communications inexpensively. According to a 2017 study by Cloudflare, which is quite dated given the rapid advancements in technology, 4-10% of all encrypted web traffic was being intercepted at that time. Since then, this figure has likely grown tremendously as tapping lines has become easier and data storage costs have plummeted.


Geopolitical situations also heighten the risk. Chinese telecom giant Huawei, for instance, has expanded its 5G network hardware across Asia and Africa. This expansion could facilitate data interception by the Chinese government. While you may maintain control over your IT security within your premises, the risk of data interception while communicating globally over unknown and potentially hostile networks is largely beyond your control.


Given the sensitive nature of the data at stake — from personal information to state secrets — the harvest now, decrypt later (HNDL) risk poses a severe threat.


A common misconception posits HNDL as a threat primarily targeting personal devices such as routers or cell phones. However, when individual high-value targets are in question, attackers will compromise the device or endpoint directly to collect unencrypted data, instead of waiting for future decryption possibilities. The real emphasis of HNDL threats is on high-value, long-term data assets like trade secrets or intellectual property, which are passively harvested from large-scale data access points rather than personal WiFi hotspots. In essence, if a device is likely to possess important actionable information of near-term value, it’s more likely to be attacked immediately rather than being subjected to a longer-term HNDL strategy.


IV. Quantum Cryptography Standards and Regulations

The evolving landscape of quantum cryptography regulation and standards is critical for organizations today. The National Institute of Standards and Technology (NIST) is leading an effort to establish post-quantum cryptographic standards. As of mid-2023, NIST’s Post-Quantum Cryptography Standardization Project is in its third phase of evaluations.


However, the developments go beyond NIST. The US Government has been increasingly concerned about the quantum threat to national security, as highlighted by the mounting urgency in its directives and legislation. The number of government publications addressing quantum risks doubled from three between 2018 and early 2021 to seven from 2021 to 2023, indicating the seriousness with which this threat is being taken.


Bipartisan efforts to fund quantum research and security further underscore the need for swift, decisive action. In a hyper-partisan era, the agreement from both sides of the political aisle signals the US Government’s commitment to tackling the quantum threats facing its citizens and businesses.


While it’s essential to have standards and regulatory guidelines to ensure the robustness and interoperability of quantum-secure solutions, the pressing urgency of the HNDL threat adds an extra layer of complexity. The danger of HNDL attacks is not an abstract problem in the distant future but a clear and present danger. Consequently, organizations must start implementing quantum-secure solutions now, even as standards are still being formulated.


This situation is akin to changing the tires on a car while it’s still moving. Yet, with the quantum threat looming, businesses cannot afford to wait until the perfect set of standards is available. Organizations must stay nimble and adaptable, deploying quantum-resistant solutions while keeping abreast of emerging regulations.


Such proactive action will also have long-term benefits. It will put businesses ahead of the curve when regulations become mandatory and prevent potentially disastrous data breaches. Quantum security isn’t a nice-to-have anymore; it’s a critical element of the current digital landscape, especially considering the potential cost of a breach.


According to the Hudson Institute, the threat of a quantum attack on major banks, the Federal Reserve, or stock exchanges and derivative exchanges could be calamitous for the United States and the global economy. A quantum attack could lead to a financial collapse, with risks rising to levels that eclipse the 2008–09 crisis or the Great Depression. Their analysis suggests that a quantum computer cyberattack on the Fedwire interbank payment system could result in annual declines in real GDP ranging from over 10 percent in the baseline scenario to 17 percent in the maximum impact attack scenario, amounting to between $2 and $3.3 trillion in indirect losses alone.


Remember, regulatory compliance is not just about ticking boxes—it’s a strategic move that protects your organization and ensures longevity in a rapidly changing digital environment. The quantum era is dawning, and preparing for its challenges is crucial.


V. Conclusion

The quantum era presents both a significant risk and an opportunity. Understanding the threat posed by “harvest now, decrypt later” attacks and the ongoing changes in quantum cryptography standards is crucial for organizations preparing for the quantum future.


By acknowledging the imminent risks and adapting to the evolving standards, businesses and organizations can protect their critical and long-term data, ensuring their operations remain secure in the face of a quantum computing revolution. As we delve deeper into the quantum age, the need for quantum security becomes even more prominent, and the understanding of these aspects becomes crucial in fortifying our digital landscape.

