Originally published on 25 July 2019
Updated 30 November 2021
Looking back to 2019, I’m sure some of us can remember the leaked memos from Britain’s ambassador to the USA. This diplomatic incident publicly highlighted a “new” and aggressive kind of cyber attack — one that allowed access to sensitive, historical and encrypted information. Without a doubt, this caused significant problems for the UK and our commercial organisations trading with the USA. But the breach also served as a loud warning to our government that they need to employ more protective measures on our data, especially now with the rise and development of complex quantum methods and computing.
Is this quantum future a potential threat to your organisation from a quantum cyber security perspective? Should ordinary commercial businesses be concerned with improving the crypto protection of their files? Should it be a high priority for all organisations to utilise methods that reduce the growing risk of a crypto data breach?
We think so, especially when considering the growing risk that a crypto breach might occur and the financial damages an organisation might face in that situation — potential fines, settlements and losses of business due to irreparable reputational damage.
The Growing Threat of Quantum Computing
Quantum computers are made using quantum theory and elements of quantum physics. They can solve problems much more complex than even the most powerful computers of today can, including algorithms that could potentially break encryption keys protecting our sensitive data. Though these computers might not currently have quite enough processing power to attack our data, there is every possibility that future quantum attacks could pose a significant threat to key public algorithms. So all organisations should be doing what they can to protect against this threat.
As we see it, the potential for these data leaks can only grow in the face of developing quantum methods. The future of quantum mechanics could see attackers given limitless processing power and the potential to break the confidentiality of encrypted data files. This will affect central government data and data held by commercial organisations of all sizes, posing a real threat to organisations carrying large networks of encrypted sensitive information.
Who Is at Risk from Quantum Attacks?
Government and defence data files are the most targeted by actors employing advanced cryptanalysis (such as foreign intelligence services and domestic, politically motivated internal attackers). However, all organisations with sensitive data about individuals (such as healthcare, social services departments, criminal justice records, nuclear energy, etc.) are increasingly at risk. Plus, the increased use of the cloud within these organisations brings with it new, cloud-native threats when it comes to quantum attacks, so your organisation could be at further risk.
As quantum cryptography develops, the security level of all organisations needs to keep up. The only way to ensure protection from the threat of quantum is to update the security methods currently employed to protect from the attacks of classical computers, ensuring they also protect against quantum computing — usually using quantum-safe algorithms and quantum-safe cryptography.
When Are Quantum Technologies Likely to Present a Risk?
The idea that quantum technology does not pose a cyber security threat as it is not yet advanced enough to break our current encryptions is ill-informed. The real danger is that data encrypted today, with today’s algorithms, can be syphoned to one side and held until quantum development catches up. With a range of sensitive data out there needing long-term protection (like intellectual property or national secrets), the notion that future quantum computers will be able to break today’s algorithms is a problem we need to start tackling now.
Without quantum algorithms, it is considered practically impossible for the classical computers that exist today to provide a method to break encryptions like the RSA with 2048-bit keys in less than around 6.4 quadrillion years — beyond the predicted end of the universe. And even with the most powerful supercomputers on the planet, the range is in the billions of years.
National cyber defence organisations monitor developments in cryptanalysis and quantum computation closely, assessing the current and future ability of quantum computing to recover data encrypted by current cyphers. This ensures they can protect the information for a suitable length of time, which needs to be 25 years or more in many cases, such as those mentioned above.
Since 2014 the theory has been that a quantum computer would require a billion “qubits” to break RSA 2048. Based on the progress of real-world experimental quantum devices built in 2012 (factoring 143 using four qubits) and 2014 (factoring 56,163 using 70 qubits), reaching the billion mark could be possible, as these devices showed an average improvement of nearly 20 times per annum.
The latest research indicates that these previous estimates are out by orders of magnitude and that quantum systems require a qubit count of only 20 million rather than a billion to break the key. Identifying efficiencies that can be implemented using innovative cryptanalysis techniques means that it will be possible to deliver an industrial device that can break RSA 2048 codes in a matter of hours — all in a time frame likely to be significantly less than 25 years.
But what does this tell us about the likely timeline of quantum cyber security risks and technological development? It tells us that quantum technology is on a path to break current encryption keys that a classical computer couldn’t, but we don’t know exactly when this will happen.
A further barrier to our knowledge here is that if and when quantum computing attackers become successful in this technological development, it would be advantageous for them to keep this confidential. This means we should be taking the necessary precautions sooner rather than later to ensure we are prepared for and protected when the technology does develop and begins to pose a significant quantum cyber security threat.
Cyber Security: Building a Quantum Algorithm
Cryptography will be another key application. Right now, a lot of encryption systems rely on the difficulty of breaking down large numbers into prime numbers. This is called factoring, and for classical computers, it’s slow, expensive and impractical. But quantum computers can do it easily. And that could put our data at risk.
The only way to fight back is with quantum encryption. This relies on the uncertainty principle — the idea that you can’t measure something without influencing the result. Quantum encryption keys could not be copied or hacked. They would be completely unbreakable.
— Amit Katala, Wired Magazine.
The good news is that various quantum-safe methods of cryptography and algorithms are being developed. Notably the National Institute of Standards and Technology (NIST) competition selects future quantum algorithms sufficiently resistant to cryptanalysis. These methods come off the back of consistent and thorough algorithm analysis and threat intelligence and are used to create algorithms for a new foundation of quantum-safe cryptography worldwide.
Though we need these methods implemented across all the technology our organisations rely on, they are, unfortunately, likely to require a significant investment to introduce, potentially involving a high cost for at least the next few years. This gives both government and commercial businesses a dilemma as they struggle to protect themselves against today’s emerging quantum cyber threats.
Protect Your Cyber Security with Optimising IT
At Optimising IT, we might not have quantum physicists among our staff, but we do have cyber security professionals who know the industry inside out and can advise you on both long-term strategic decisions and short-term planning to ensure your company’s protection.