Building the Future We Deserve – A Cyber Success Story
- By Dave Krauthamer
- May 02, 2022
Consider a conventional computer. It uses a small (64-bit) processor architecture and is considered excellent for solving linear problems. Many past and present problems are linear, and 64-bit architectures have been sufficient to solve them (a 64-bit register can hold any of 264 over 18 quintillion [or 1.8×1019] different values). However, if you want to solve a much more complex problem such as those that occur in natural chemistry and physics, using a linear approach is not possible due to the massive numbers and variables that must be considered to reach a solution. Conventional computing and linear problem-solving approaches are quickly overwhelmed by this complexity.
Enter a quantum processor that harnesses bits that are atoms or subatomic particles. Because of the nature of quantum mechanics, those bits can represent anything (e.g., 0,1, or anything in between) and potentially exist anywhere in space. If you connect those bits with entanglement into a circuit, for example a 73 quantum bit (qubit) circuit, the word size is now 2 to the 73rd power (273). This works out to be a yottabit of data, which is equivalent to all the data stored in the world in the last year. Imagine a computer that can process all the data stored in the world in the last year in a single instruction.
This computational capability is amazing for operations such as molecular science, neural networks, and weather simulation. As another point of reference, you have about a trillion neurons in your brain. Think about interrogating the whole state of a complex neural network like your brain into one instruction. This is possible in the future using quantum computers. It is fascinating, and it will open us up to huge breakthroughs in technology, science and nature.
This fantastic computational power is a double-edged sword, however. The problem is that our current public encryption (think the entire internet) is based on a single transaction – factoring a large prime number. Quantum’s large word sizes are great for factoring large prime numbers, rendering much of our current cryptographic capabilities useless. Also, the current cryptography on nearly all electronic devices, whether a watch, phone, computer, or satellite, is based on the same prime number factorization. So far, factoring a significant prime number on a conventional computer is still extremely difficult. But quantum computers pose a threat because they can do it quickly.
Although cryptographically relevant quantum computers (CRQCs) are still a few years away, we understand that they have the potential to expose our most vulnerable information on all edges of the network. The Hudson Institute recently published a study demonstrating what a quantum attack would do to our banking system. They used an econometric model with 18,000 data points and concluded, "The first quantum attack against the top five banks could cost our economy up to $2 trillion and impair up to 60 percent of the US assets.” Also, in another study by the Hudson institute, it concluded that a single quantum computing attack on cryptocurrency would cause massive damage, “precipitating a 99.2 percent collapse of value, inflicting $1.865 trillion in immediate losses to owners, with nearly $1.5 trillion in indirect losses to the whole economy due to that collapse. All in all, we are looking at a $3.3 trillion blow to the U.S. economy.”
One foreign nation-state is said to have harvested up to twenty-five percent of the global encrypted data. We cannot imagine the damage that will be done when all of that data is decrypted by a CRQC. As we all have seen, digital warfare and cybercrime is coming to the forefront of the world’s attention. In the recent Russian invasion of the Ukraine, cyberattacks were the first salvo, not bullets or missiles. Quantum computers may be used as powerful weapons, and if cyberthieves exfiltrate data without post-quantum cybersecurity (PQC) protection they will be able to crack and decode it later. Alternatively, if data is protected with PQC, it may be safe for decades. The time to act is now. It is crucial to post-quantum fortify your data.
Producing a Post-Quantum Network
There are essential steps to converting existing networks to the next-generation post-quantum network. For example, NIST has been working on algorithms that are mathematically proven to be resistant to quantum attacks. As a result, we will go through a generational upgrade to our security that will have to use the NIST standards. In addition, it is necessary to use cryptographic resilient quantum keys with NIST algorithms to move toward a quantum resilient environment. Right now, the algorithms we use to secure or encrypt our data require a key. It is a non-starter for many enterprise and government customers to use non-NIST-compliant cryptography. Solutions are available that can use any of the final NIST algorithms, so enterprise and government don’t have to wait until NIST makes their final choices.
In addition to implementing NIST algorithms, a PQC solution must facilitate a zero-trust architecture. Zero-trust enforces secured communications between known devices. Only a small percentage of the current network conforms with zero trust, so we must upgrade the entire network as soon as possible.
Another critical element of the next-generation post-quantum network is the ability to actively monitor the communication channel. Post-quantum attacks will happen, and the future network must have active countermeasures to respond to changing threat conditions. This is not a one-and-done situation; we must continue to evolve and be diligent as threats change.
The networks we currently have are built on old technology, and all data on the today’s networks is vulnerable to attacks, including cryptoanalysis for keys, side-channel, or man-in-the-middle attacks.
Use Cases and Risks
Virtually all connected electronic devices use encryption, so the use cases for the post-quantum network are nearly limitless. We anticipate that the two earliest adopters of the post-quantum network will be the government and finance sectors. There are timely opportunities in these industries to create a secure network that ensures fidelity and privacy for all users of these critical systems.
Government entities have numerous stakeholders and diverse interests, but all share the crucial goal to protect citizens and sensitive national data such as social security numbers, tax records, classified materials, military secrets, healthcare data, and beyond. Juxtaposed to this hugely important and complex task is the outmoded network infrastructure used to hold this data. These current infrastructure systems are old and coded in legacy languages that are difficult to update. It is essential that the solution for these systems be able to easily and simply interface with legacy systems to transform them to post-quantum seamlessly and securely.
Recently, government organizations were required to comply with the Jan. 8 National Security Memorandum (NSM-8) from the White House identifying their post-quantum capabilities within the next six months. They recognize that they need to fill the critical gap between the open-source cryptographic libraries and the challenging network environment in which these entities in. This huge lift will undoubtedly require a seamless software deployment of PQC. The stakes are high, and the deadline is looming. Protection of government data is paramount as we see increasing threats from cyberattacks and ransomware. These networks are threatened as we approach the quantum computing era, but quick action will stem the tide and protect our most sensitive data.
Financial institutions represent a private sector reflection of the challenges faced by government entities. Here, they face similar challenges—critical information (bank account numbers, PII, etc.) that changes infrequently and thus is of extremely high value over the long run to bad actors. Additionally, these institutions are highly regulated and will likely need to follow regulations like the NSM-8 issued for government organizations in the near future.
Savvy, forward-looking financial institutions are already looking into post-quantum network solutions. As mentioned above, the Hudson Institute has estimated that the first successful quantum attack would cause a cascading financial failure. These institutions should secure their internal networks where the bulk of this sensitive data lives, including document-sharing systems, messaging, and more. They are also eager to expand this offering to all interactors with their networks, including individual clients who access their accounts via mobile apps or browsers.
Beyond these early-adopter industries, there are some other exciting applications of post-quantum cryptography. One particularly interesting application is in the Metaverse. The Metaverse focus is heavily on identity, which is the future of authentication. In the Metaverse, you can imagine if someone hacks your digital twin or the assets you own there, you would be faced with a very messy, expensive and even dangerous situation. PQC is badly needed to protect you in the Metaverse, and companies providing Metaverse infrastructure and systems would be wise to integrate PQC in the beginning, while the Metaverse is being formed.
In healthcare, there is risk in distributed hospital systems which secure PII or confidential healthcare data patient records. PII, especially as we turn toward the personalized medicine era and genomic sequencing, will be critical to protect with PQC over the long run—unlike web accounts, genetic information does not change over the life of the user.
There is a myriad of use cases for protecting our infrastructure and data via PQC. Bad actors could go after our banking systems, military secrets, sensitive government data power grids, water supplies, health care systems, and more. We must protect ourselves in the face of these threats and the ever-changing geopolitical landscape before us.
The post-quantum network of the future does not have to be complicated. All you need is a software-based post-quantum orchestration platform with zero trust, active monitoring, and network protocol switching that interoperates with today’s infrastructure. Approaches offering this technology are available now, we just need the collective will to create a genuinely safe future.