Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:30 PM
Pankaj Parekh
Pankaj Parekh
Connect Directly
E-Mail vvv

Quantum Computing and Code-Breaking

Prepare today for the quantum threats of tomorrow.

With all the grand speculation and hype tied to quantum computing, the technology seems more like it belongs in the realm of science fiction rather than your daily tech newsfeed. But this isn't science fiction. Tech companies around the world are racing to bring quantum computers into the mainstream of business processes to unlock new capabilities, services, and revenue models.

However, as quantum computers are beginning to gain traction and soon will be moving out of R&D environments, government agencies and security experts are already sounding the alarm for the potential harm such breakthrough technology could be capable of wreaking in the area of data security.

A quantum computer is based on the superposition principle — that a qubit (a bit in a quantum computer) can exist in the state of a 0, a 1, or both states at once. Today, the largest publicly available quantum computer from IBM Q (an IBM initiative to build quantum computers for business and science) has 20 qubits — so it can exist in 220 or just over a million states at once. When technologists double this to 40 qubits, that becomes just over a trillion states at once. This could be a powerful tool for breaking data encryption; instead of trying one combination at a time sequentially, the quantum computer can try a very large number at the same time. Experts suggest that a computer with 2,000 to 4,000 qubits would be enough to defeat conventional strong encryption standards within a reasonable time.

Today's largest publicly available computer from IBM: IBM's Q System One, a 20-qubit machine, was on display at IBM's THINK Conference in San Francisco this February. It is shown here without the cooling required to get it to a fraction of a degree above absolute zero.

Source: SecurityFirst
Today's largest publicly available computer from IBM: IBM's Q System One, a 20-qubit machine, was on display at IBM's THINK Conference in San Francisco this February. It is shown here without the cooling required to get it to a fraction of a degree above absolute zero. Source: SecurityFirst

Luckily for the data security industry, a quantum computer is made of a collection of high-end refrigeration and other large-science experimental gear — because, well, it is cutting-edge experimental physics. When first invented, a 5MB disk drive was as big as two large vending machines. Now you can put a million times more data on a thumb drive that fits in your pocket. The constant in computing is that things get smaller, faster, and cheaper, but for now, quantum computing is a large, expensive, and finicky physics lab resident.

The security industry is gearing up to upgrade standards to protect against quantum attacks. But there are a couple of methods available to protect against this threat right now. Today, best practices in security require multiple levels of protection. Advanced persistent threats (APTs) involve malicious code being installed on a server inside the security perimeter, so once the hacker has defeated the firewalls, the malicious code is inside and looks for vulnerable servers. Every server should use encryption to prevent data extraction or corruption. You can't put a quantum computer onto a corporate server because, remember, it's a physics lab, not a piece of portable code. Therefore, you need to protect data right at the source — on the servers. It is important to protect data with proper access policies that ties to process, applications, and users with unique encryption for different data sets. This reduces APT-initiated process's ability to access data in the first place, and unique encryption makes it even more difficult to decrypt all the data together.

But what if a cybercriminal or nation-state hacker extracts data or keys and transports them to a quantum computer facility? IBM and others already have made small quantum computers available to the public. And if you compare an emerging technology such as TensorFlow for machine learning, you will see that you can already provision very large capacities of highly optimized TensorFlow on Amazon Web Services, so it's likely that a public cloud provider will offer quantum computing as a service once the technology has matured.

To face this threat, adopting a comprehensive approach to protecting data on servers includes:

  • Proper management of keys, including hierarchical keys to enable key rotation.
  • Applying firewall-like rules for data access, restricting access by user ID and application.
  • Reporting any unauthorized or suspicious attempts to access data. Good reporting and alerting can prevent loss of data after a single key or server has been compromised but before critical data is sent out for quantum-powered code breaking.

Encrypting and spreading the data across multiple servers or clouds provides additional protection, meaning that if one is compromised, the data is still secure and can be recovered from the uncorrupted servers, while the threat is being identified and neutralized.

Particularly, organizations need to have cryptographic agility, which is the capacity for an IT system to promptly shift from existing cryptographic methods without significant changes to system infrastructure. In fact, according to NIST guidelines, becoming crypto-agile is no longer optional. Here are a few steps organizations can take to become crypto-agile:

  • Implement a cryptographic control center that functions as an interface to manage cryptographic policies for every application.
  • Establish an abstraction layer that acts as an API to hide cryptographic information. This ensures that application programmers can continue development without any clear disruptions to cryptographic solutions. When a security team needs to update an encryption solution, all they have to do is update the abstraction layer, thus eliminating the need to educate programmers on complex details of cryptography.
  • Conduct a full assessment of cryptography used by various information systems, and implement a centralized crypto key management system. This gives administrators the flexibility to manage application keys through automated protocols.

Regular use of quantum mechanics in computing is still far from common, but according to a recent report from the National Academies of Sciences, Engineering, and Medicine, companies need to speed up preparations for the time when quantum technology can crack conventional defenses.

While there may not be an immediate danger of sensitive data being breached by someone with quantum computing technology, all organizations should have the beginnings of a quantum resilience data protection plan in place because the race to the first quantum computer is fierce. Fortune 500 companies, including IBM, Google, Microsoft, and Intel, are increasingly plugging away on quantum technology, and countries (including China) are investing billions of dollars into research and development, ensuring the era of quantum computing is quickly approaching. My advice: Begin protecting against tomorrow's — or 2029's — threats today.



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Pankaj Parekh was appointed Chief Product and Strategy Officer (CPSO) of SecurityFirst in August 2018. He is responsible for the long-range vision to set the direction for the company's products, as well as running the development, testing, and delivery organizations for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/29/2019 | 3:10:18 AM
Forward progress
Sometimes we need to bear in mind that breakthroughs do not necessarily provide solely benefit to us. When we are dealing with something great, sometimes the risks involved are even greater. We need to weigh in on what is more important to us before we progress forward.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form F...
PUBLISHED: 2021-06-21
Textpattern 4.7.3 contains an aribtrary file load via the file_insert function in include/txp_file.php.
PUBLISHED: 2021-06-21
Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes,
PUBLISHED: 2021-06-21
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however ...
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185196177