The Quantum Threat to Cyber Security — How to Prepare for Risk Mitigation
By Dr. Itan Barmes, Cryptography Expert, Deloitte Cyber Risk Services
A “new” threat in the security landscape
The cyber security landscape is becoming more complex with the regular introduction of new threat vectors. A cyber threat that is now gaining more attention is the potential ability of a large-scale quantum computer to break a significant part of the cryptography we currently use, undermining our digital security. This threat was identified in 1994 when Peter Shor introduced his famous “Shor’s algorithm”, but for many years was considered an academic discussion. Even though the realization of a large-scale quantum computer is still far in the future, recent progress in this field raises the question of how to deal with this potential threat.
Magnitude of the problem
Quantum computers are not the only threat to cryptography. New (non-quantum) mathematical methods and the increasing computation power of classical computers continuously reduce the security of cryptographic algorithms. However, this is typically solved by increasing the key length or migrating to more secure algorithms. The major challenge with the quantum threat is that it can significantly weaken the security of most crypto algorithms, even for very long keys. New algorithms, that are believed to be quantum-safe, are not yet fully tested and are not standardized. These algorithms also have drawbacks in performance, key length, and other properties which makes it difficult to utilize them in practice. NIST is currently in the third round of standardizing quantum-safe algorithms, however, this is a lengthy process that will take a number of years to finalize[i].
An adversary with a large quantum computer today would be able to break practically all asymmetric cryptography (digital certificates, key exchange etc.) and significantly reduce the security of symmetric encryption (3DES, AES). That would be a devastating outcome. Fortunately, quantum computers are still not developed enough to perform these attacks and it is estimated that it will take at least 10 years before such attacks are feasible[ii]. On the other hand, such a long-time scale should not tempt us to ignore this threat. Migrating to a new type of cryptography, whenever it is ready, will take a long time (e.g. think of all the cars, planes, and medical devices that will have to be replaced). Additionally, some data needs to stay confidential (such as personal information) for a time period close to or beyond the quantum horizon, so an adversary intercepting encrypted data today could compromise it when quantum computers are made available (known as a Harvest Now, Decrypt Later attack). In this event, a migration to quantum-safe cryptography should happen as soon as possible.
Don’t be emotional, be responsible
Due to the futuristic (and even magical) nature of quantum computers, many people react emotionally to the opportunities and threats this new technology presents. Some are fascinated by its great potential and believe that it will fundamentally change our world within a few years, while others are awed by its complexity and therefore distrust its applicability. Business leaders and decision makers should step past these emotions and take a pragmatic and responsible approach. Rushing into mitigating risks without properly evaluating them can unnecessarily exhaust resources that are better spent elsewhere. Alternatively, dismissing any potential risk without proper analysis is also irresponsible. Dealing with the quantum threat should not be any different than dealing with any other cyber threat. It should be thoroughly analyzed using common risk methodologies, which will then determine the appropriate mitigation measures.
Evaluating the risk
The first step towards understanding quantum risk is to create a full inventory[iii] of cryptographic assets. This includes the use of cryptography in the organization but also documentation regarding policies and procedures. This might sound trivial, but in practice it can turn out to be a complex endeavor (think of, for example, legacy systems with little documentation, high volatility cloud environments and SaaS solutions). It is also imperative to determine what type of information is protected by cryptography and for how long it must stay protected.
The second step is to perform a detailed risk assessment to calculate the risk to each item in the inventory. It is important to not only focus on technology but also consider other elements such as people and process. Lack of specialized personnel and specific company policies can influence the risk as much as the technology itself.
Mitigating the risk
After you’ve inventoried your cryptography and the data it protects, your organization’s security requirements determine whether the risk should be mitigated. Finding the optimal solution can also be a challenging task, as standardization of quantum safe solutions is still ongoing, and experience with these new methods is still limited. If it is not possible to wait until quantum-safe solutions are standardized, then a recommended approach is to use hybrid solutions where the level of security depends on both a classical and a quantum-safe algorithm (e.g. one of the candidates of the NIST standardization process). As long as one of the algorithms is secure, the overall security is maintained.
In general, an important element in the transition to quantum-safe cryptography is the introduction of crypto-agility. This design principle facilitates changes to the cryptography even after deployment. Even though crypto-agility does not provide by itself a solution to the quantum threat, it allows us to prepare for the transition to quantum-safe solutions once the NIST standardization process is completed. System design methodologies should incorporate crypto-agility to ensure long term security and privacy. In particular, implementing crypto-agility in hardware can result is significant cost savings as the need for future hardware replacement can be potentially avoided.
Some implementations of crypto-agility even centralize the rollout of cryptography over the entire environment. With such an approach, a system designer is no longer burdened with the details of correctly choosing cryptographic parameters and algorithms. If a specific algorithm becomes inadequate, it is managed centrally through a process that is ideally transparent to other systems. Such a platform is not only useful for mitigating quantum risk, but can ultimately also improve security by providing a centralized mechanism for cryptographic configurations.
Conclusion and call for action
No-one can predict how quickly quantum computers will evolve in the future and when they will impact cryptography. The plethora of opinions that sometimes incite fear, uncertainty and doubt should not divert business leaders from conducting responsible business and protecting their organization through proper risk management.
At Deloitte, we are committed to helping our clients safely navigate through the cyber threat landscape and ensure resilience of their businesses. Just like many other cases in cyber security, dealing with the quantum threat is a marathon, not a sprint. Businesses who rigorously analyze the threat and take appropriate measures will reap the benefits later. In particular, creating a cryptography inventory and implementing crypto-agility can also make your business more resilient to a broader range of cyber threats.
My advice is: Get informed, make a plan, and execute with conviction.