The interaction between companies and threats have always been cyclical. Threats and vulnerabilities are exposed and exploited, hackers attack and breach companies, and companies try to fix, patch, and plug their cybersecurity vulnerabilities. Cybersecurity, essentially, looks to stay one step ahead of hackers who are trying to stay one step ahead of cybersecurity efforts.
But every so often, a new technology completely upends this system, requiring drastic action, often on both sides. For example, cloud computing has completely changed how companies approach cybersecurity, a change many companies are still currently working through.
Quantum computing has the potential to change the way we work with computers and technology by offering us tremendous computing potential. However, in the wrong hands, this means quantum computing can also be disastrous for our security. If we’re not prepared, organizations will be exposed like never before.
Quantum computing represents a paradigm shift that we have to address much sooner and before any hackers gain access to the technology.
The promise of quantum computing
Quantum computing has been in development over the last few decades and is built on the principle of quantum mechanics. Where classical computing power has relied on the binary system of 1 and 0s, quantum computing is powered by quantum mechanics – instead of running on a binary system, it runs a Qubit system that can have quantum properties such as being both 0 and 1.
Without delving into the technical details which are still being developed and researched, quantum computing is exponentially more powerful than classical computing, which is what we have access to today, even by supercomputer standards.
Computing power is often measured by its ability to process data and solve major mathematical problems. A quantum computer would be able to process data and solve mathematical problems in a fraction of the time it would take a traditional or even a supercomputer.
This has tremendous potential in the field of medical research, finance, AI, and cryptography. For example, Goldman Sachs and QC Ware are making quantum computing as a service available in 5 to 10 years, promising a 1000x increase in mathematical calculations for financial decision making. However, it can disrupt some of the current cybersecurity technology we currently have in place and, if it falls in the hands of bad actors, can break the foundation behind our current security technology used all across the internet.
Traditional encryption can be rendered useless with QC
We rely on encryption every day, whether we know it or not. Encryption essentially hides data behind mathematical problems that are too complicated for any normal computer to solve. Decrypting the data is nearly impossible or would take hundreds if not thousands of years, practically locking it away.
We use encryption to keep our day to day traffic hidden from snoopers via HTTPS, which has slowly made its way on nearly every website. End to end encryption is also what keeps conversations secure in apps like Signal and WhatsApp. Companies also implement encryption in order to keep their data secure even if they lose it via a data breach, leak, or accidental exposure.
This can stop a hacker from accessing, selling, and leaking data, even if the hacker successfully infiltrated a company and exfiltrated the data.
Quantum computing can be used to invalidate the foundation powering current encryption standards. If we take the previous example, a hacker who successfully exfiltrates encrypted data from a company will have no problem decrypting the data if they had access to quantum computing power.
While quantum computing may not be readily accessible — well funded state-sponsored hackers and hacker groups might be the first to try to get their hands on one. As we saw with the rise of Ransomware as a Service (RaaS) — it may be enough for a single organization to have the option to use quantum computing to provide access to other malicious hackers who normally wouldn’t have the funds or resources.
Encryption standards need to be completely upgraded
While this nightmare scenario is very real, we do have time to prepare for it. Quantum computing won’t be readily available for another 10-20 years as the technology continues to be developed. This gives researchers time to develop new encryption standards and methods while giving companies time to implement these standards accordingly.
However, researchers have quite the challenge ahead of them. They need to develop new encryption standards that are secured against quantum computing but developed using classical hardware. This is already an uphill battle that needs to happen sooner than later as the longer it takes for a post-quantum secure encryption method to be released, the more time it will take for those standards to be accepted and implemented across all companies and the world wide web.
For example, HTTPS, which is an encrypted form of HTTP and much more secure, only had 50% adoption rate among websites in 2016, according to Google’s own traffic analysis (Google measured the number of HTTP vs HTTPS websites loaded on Chrome). As of 2021, this number has jumped significantly to 95%.
It’s hard to say how the post-quantum secure encryption implementation will proceed but the more time we have, the better. We’d much rather be in a proactive position that has these encryption methods in place by the time quantum computing can be leveraged by malicious attackers.
NIST recently announced new post-quantum secure algorithms
Fortunately, we’ve taken a major step in confronting this potential threat — NIST recently selected four algorithms that are considered post-quantum secure and will be part of NIST’s post-quantum cryptographic standard which is expected to be finalized within two years.
In the last few years, Bitdefender researchers worked on research topics related to the security foundations of the lattice-based proposals that were submitted to NIST.
These algorithms harden and strengthen the encryption used as the security foundation that secures TLS, which is an underlying encryption protocol used across most internet communications. The algorithms were also developed for the use of digital signatures which verifies identities and facilitates document signing remotely.
The algorithms selected use classical computing and were developed with classical hardware, meaning they are able to be implemented with today’s current computers and will still be secure even against quantum computing. This represents a major step towards being post-quantum secure and targets a foundational element of network security for businesses and individuals alike.
Our current encryption standards are sufficient but with quantum computing on the way, an upgrade is required. As NIST continues to develop and make their final choices for the algorithm standards it recommends, both security researchers and IT departments need to start planning how to implement these new cryptographic standards.
To learn more, check out this Q&A with one of our researchers working on post-quantum cryptography, Miruna Rosca.