Much of today’s sensitive data has a long “shelf life” — the health and identity data of the public, trade secrets and the like can be valuable for decades. We have to protect today’s long-term data against tomorrow’s threats.
One threat that is almost universally expected by experts and intelligence agencies alike is the arrival of the first quantum computers. The only point of contention may be how soon quantum computers will arrive. The Biden administration has dropped the biggest hint yet that quantum computers are not only a very real threat, but that their arrival is on the horizon. It signed into law the Quantum Computing Cybersecurity Preparedness Act just before Christmas. It put in place several new laws and regulations that mandate the migration of federal agencies to IT systems that are quantum-resistant.
That’s not all: in November, the Biden administration asked federal agencies to share with it a list of quantum-vulnerable cryptographic systems, with a deadline of 20 May.
The reason the first quantum computers are so worrisome is that the traditional encryption methods used to protect sensitive information — public-key infrastructure — are based on classical mathematical algorithms that are vulnerable to being broken by quantum computers. This means that sensitive information, such as personal data and national security information, is at serious risk when quantum computers fall into bad actors’ hands.
Australia’s quantum readiness?
We have sovereign, quantum-ready encryption solutions available today. As is often the case, we still have bureaucratic barriers to overcome first.
Australia’s government, at time of writing, has not yet taken any equivalent measures to face up to the looming threat of quantum computers to our government and commercial data. This may change with the much-anticipated updated quantum and national cyber security strategy. One thing is certain: this threat is coming. Continued revisions and delays to data protection legislation will lead to us being particularly vulnerable if we see a breakthrough in this technology — in the next couple of years rather than the next five to 10.
Being “prepared” will take time, as the US has made clear.
The transition to what is called “post-quantum cryptography” from our current classical encryption technology involves the adoption of a new family of cryptographic algorithms. Unlike quantum key distribution (QKD), which requires its own infrastructure (and therefore may be “off-puttingly” expensive for some), these post-quantum algorithms may be executed by conventional computers, across classical channels. This means they may be deployed across existing infrastructure for “quantum resilience”.
This kind of hardening of existing IT infrastructures, while certainly quicker, will still take time to implement. The Biden administration is taking proactive steps now to map out exactly where it is needed most. Clearly, it is well-informed by its various intelligence agencies. As a US intelligence and defence partner, this is an exercise that Australia must also undertake, sooner rather than later.
How soon? Most serious encryption vendors (including Senetas) have already built solutions that offer both classical and post-quantum algorithms — “hybrid encryption”. Over the next 12 months this will, or at least should, become the de facto standard offering for enterprise, government, and other sensitive data applications requiring quantum resilience.
It is also worth noting hybrid encryption is just one of several solutions being developed to address the threat posed by quantum computers while a specific quantum-safe algorithm standard is finalised. Researchers and developers are continuing to explore new and innovative methods for ensuring the security of our information systems in the face of advancing quantum computing technology.
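The hybrid approach described above, as an added example (not Senetas code and not from the article's author): a two-party key exchange in Go that combines a classical X25519 shared secret with an ML-KEM-768 shared secret, so the session key holds as long as either scheme is unbroken. It assumes Go 1.24 or later for the standard library's crypto/mlkem package; the domain-separation label is constructed for this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

type HybridKey [32]byte // the 32-byte session key both parties derive
// combine hashes the classical and post-quantum shared secrets together with the
// transcript (both X25519 public keys and the KEM ciphertext). Breaking only one
// scheme leaves the other secret as a full-entropy input, so the key survives.
func combine(ssClassical, ssPQ, clientPub, serverPub, kemCT []byte) HybridKey {
	h := sha256.New()
	h.Write([]byte("hybrid-x25519-mlkem768-v1")) // domain-separation label, constructed
	for _, part := range [][]byte{ssClassical, ssPQ, clientPub, serverPub, kemCT} {
		h.Write(part)
	}
	var k HybridKey
	copy(k[:], h.Sum(nil))
	return k
}

// HybridExchange runs both sides of the handshake in-process (real code would send
// the public keys and ciphertext over the wire). The client holds an ephemeral
// X25519 key and an ML-KEM-768 decapsulation key; the server does its half of
// X25519 and encapsulates. Both derived keys are returned so they can be compared.
func HybridExchange() (client, server HybridKey, err error) {
	curve := ecdh.X25519()
	cPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil { return }
	cKEM, err := mlkem.GenerateKey768()
	if err != nil { return }
	// Server side: fresh X25519 key, then encapsulate to the client's KEM key.
	sPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil { return }
	ssClassicalS, err := sPriv.ECDH(cPriv.PublicKey())
	if err != nil { return }
	ssPQS, ct := cKEM.EncapsulationKey().Encapsulate()
	cPub, sPub := cPriv.PublicKey().Bytes(), sPriv.PublicKey().Bytes()
	server = combine(ssClassicalS, ssPQS, cPub, sPub, ct)
	// Client side: X25519 with the server's public key, decapsulate the ciphertext.
	ssClassicalC, err := cPriv.ECDH(sPriv.PublicKey())
	if err != nil { return }
	ssPQC, err := cKEM.Decapsulate(ct)
	if err != nil { return }
	client = combine(ssClassicalC, ssPQC, cPub, sPub, ct)
	return
}
```

The same pattern is what TLS 1.3's X25519MLKEM768 group does; the point is that the combiner feeds both secrets into one hash rather than choosing between them.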
Vulnerable targets
As it currently stands, we’re doing all the wrong things when it comes to preparing for the quantum threat. For example, the use of cloud-based file-sharing and storage applications has become an integral part of the modern, digital organisation. There is a lot to like about these convenient cloud services: ease of access, flexible pricing, and familiarity.
However, not only does this put our eggs into one or two baskets; one area where almost all of these services fall short is security. They are built on convenience rather than “security first” principles.
Take OneDrive, for example: a very popular platform, but one lacking state-of-the-art encryption security. It also likes to gather metadata to “improve the user experience”. It’s not just Microsoft either — Dropbox reserves the right to access your information and does not feature client-side encryption. Often, customers do not have 100 per cent control over where their data is stored.
Reported data breach and vulnerability statistics suggest the IT industry is going out of its way to make big, vulnerable targets today, let alone for the first quantum computers.
Even without the aid of a quantum computer, breaches of sensitive information stored in the cloud happen. Dropbox has suffered a couple of well-publicised incidents, with another data breach confirmed as recently as November 2022, as the result of a phishing attack.
While OneDrive does come with ransomware protection (requiring a Microsoft 365 subscription), virus scanning is reactive (via Windows Defender) and relies on threats being known (signature-based). In August, Microsoft acknowledged that a Russia-based threat actor was exploiting OneDrive to compromise accounts and steal data.
Security and convenience are at loggerheads with each other. That need not be the case. “Secure by design” applications need not compromise user convenience. But when security is added as an afterthought, the battle between convenience and security begins. The post-pandemic era has seen the balance swing wildly in favour of “convenience”.
We must begin to see in 2023 both “security first” IT principles applied throughout enterprise and government sectors and mandated quantum resilience for the security of our economy, the public, and government agencies.
Andrew Wilson is the chief executive officer of Senetas.