Published on June 5th, 2020

Quantum Here Today, Your Data Gone Tomorrow


A good friend provided an excellent image of the present state of data protection; she showed a photo of her golden retriever standing at her yard gate and waiting for her to open the gate, even though the yard's fence is no longer standing. Her dog has learned the rules and diligently obeys them. She described her dog's adherence to rules as similar to what we see within the cybersecurity industry: We follow rules, and the bad guys do not. In reaction to widespread data loss and the threat of ever more sophisticated cyberattacks, I believe cybersecurity leaders must quickly adopt a change in rules to keep quantum computing from having us repeat the last 30 years of reactivity.

We all know and realize that "technology isn't inherently good or bad — it's the people who use it." Yet we seem to be stuck in the same place we were in the 1990s when it comes to data protection. The 1980s and 1990s invited the first overt attempts to access data via the internet. DDoS attacks, for many, were the wake-up call. IT departments suddenly had the company interested in the security of its data and business.

For the past 30 years or so, many business leaders have had no idea what could or should be done; both then and now, we've seen security as a constantly moving target that's being assaulted from every vector. Zero-day events, malware, and poor protocol and procedures often take the brunt of the blame, but to go back to the first quote: "Technology isn't inherently good or bad — it's the people who use it." When you read "people," who do you think of: the nefarious character in the hoodie eating potato chips and coding at light-speed or your employees and colleagues being productive and diligently handling business tasks? The answer should be both, plus the tools they utilize in doing the job.

Are we destined to repeat ourselves if quantum computing (and quantum-powered hacking) is just over the horizon? Are we giving it lip service like we did with cybersecurity in the 1990s?

The current theme I see within cybersecurity circles remains reactive rather than an aggressive search for a solution to quantum hacking. While the quantum computers presently sitting in the labs of Google, IBM, D-Wave, and other researchers may not have the processing power to break commonly used encryption keys (such as AES-256 and RSA), future quantum computers very well may, which could enable the stolen encrypted data of today to be decrypted in the future. In fact, a leak revealed that the NSA (through its "Penetrating Hard Targets" program) was working on "a cryptologically useful quantum computer." One must not be naive and think that the U.S. is alone in developing such capabilities. Future quantum hackers could create major disruptions to modern communications and e-commerce that rely heavily on vulnerable cryptography. Unsettlingly, it may take decades until we know that the sanctity of our best encryption has in fact been broken.

A consensus I've heard voiced around quantum computing is that it has altruistic goals, yet the first quote keeps surfacing right along with it: "technology isn't inherently..." In order to provide equivalent quantum-level data and content protection, cybersecurity leaders will be required to build quantum encryption (foundational to cybersecurity architectures) that operates at the file level. As it remains, I have no doubt that quantum computing will disrupt the cybersecurity landscape in a variety of ways, so we should move to that aforementioned rule change.





The solutions we create should eliminate the excessive burden on our users and our IT staff and provide for productivity and assurance of data and content security at the file level, regardless of location, file type or size. If security leaders can automate encryption by utilizing quantum algorithms, businesses will be armed with protection that complements other security tools in their IT suite. Quantum-resilient security should further remove the onus put on the user. Why should firms trust all their users to manage data classification, sensitivity labeling and key management and ensure they save documents to the correct protected folders? They should leave security to IT, AI and automation.

Unfortunately, I assume a quantum-driven cybersecurity apocalypse is just over the horizon. Quantum computers (hardware limitations notwithstanding) still have hurdles to overcome. Early models I've seen are large, extremely expensive, and must be maintained in supercooled environments. The number of qubits required to even approach the scale needed for a brute-force attack on encryption varies but remains a final barrier for future quantum hackers. Yet with any technology, unforeseen breakthroughs seem to always be around the corner.

There is hope. Post-quantum cryptography that's under development today, in addition to the algorithms NIST has been reviewing, may very well nullify any impending security tragedy. The challenges and vulnerabilities we could see in the post-quantum future may look very similar to those of the past 30 years. The key difference may be not in any abstract new method but in the pre-breach or post-breach manipulation of data, encryption, key management and identity.

It is certainly not too early for cybersecurity leaders to worry and plan their defense against the abuse of quantum power. Operating on current custom-built computers enhanced with high-performance video cards arrayed in parallel using current quantum software could provide the power needed to break current asymmetric algorithms. As quantum computing may not trigger the InfoSec community's early warning systems any differently than current computing, will we even know quantum computing is in play? It would be advisable that everyone engaged in thwarting the new future of computing betters AI, enhances solution architecture for storage and data transport, and improves the ability to cloak data from prying eyes.

We should not rule out that the next scientific breakthrough in the following years will bring quantum to the public, cybercriminals and nation states — and the weakly encrypted data stolen and stored today could be easily accessible. If this were to happen, it would require a rapid farewell to long-held practices and wishful thinking. Will businesses continue to roll the dice and hope that decades-old algorithms continue to protect them? We shall see...
