ArchiveOODA Original

Updated Executive’s Guide To Quantum Safe Security: Take these steps to make your enterprise quantum proof

Editor’s note: This is an update to our Executive’s Guide to Quantum Safe Security, based on a new round of research that has included interviews of OODA Network experts, technology providers and senior executives in enterprises. -bg

The steady progress in quantum computing is resulting in exciting developments that will one day bring new capabilities to a wide range of use cases. Quantum computers can also bring new capabilities to attackers. The mathematician Peter Shor has proven that quantum computers can be used to rapidly factor large numbers into their primes in a way that will break most forms of asymmetric encryption used today. The computer scientist Lov Grover proved another algorithm that will, among other things, enable incredibly fast invalidation of another tool for security, the security hash. There are certainly other ways quantum computers will be used by adversaries, but these two methods alone are cause for serious concern. Imagine all the data your company believes is important being read by an adversary that wants to put you out of business, and imagine that adversary is operating in a location untouchable by the rule of law. 

Our current estimate, based on interviews of experts in the field, is that although quantum computers are functioning now, the error rates on all current approaches to quantum computing are too high to perform the calculations required for Shor’s algorithm and will not be able to do so for another 3 to 5 years. But if your enterprise has data it wants to keep valuable for years into the future, the time to protect it from this type of attack is now. And if your enterprise is one that is slow to move, the time to plan on protecting data is now.

What follows provides more insights into why this is a threat and how to protect against it.

How serious is this threat? We asked OODALoop’s Junaid Islam, a technology leader with over 30 years of experience in the design, development and deployment of secure networks and author of “What To Do About Quantum Uncertainty” for his context. His reply:

“There is no “easy button” for this one, but there are things that can be done right now to start mitigating risks. The first thing for many leaders is to know the threat is one that will target the future value of your data. If you take steps now to protect your information, you can maintain the future value of your data. If you fail to prepare, you will lose.”

Even with recent breakthroughs proving quantum computers can solve problems that traditional computers cannot (see Quantum Supremacy is Here), estimates are we have at least 3 to 5 years before quantum computers will be able to run Shor’s and Grover’s algorithms. That’s the good news. The bad news is that adversaries are stealing encrypted data now and with storage so cheap they are able to retain that for future use. The data you have right now should be protected in ways that make it hard for adversaries to break, ever. 

Because of this, researchers in the security community have been creating, testing and validating new encryption algorithms and new ways of generating and managing keys all designed to harden protections against quantum computer based attacks. 

Regarding encryption methods, NIST has been coordinating with the research community to highlight the best methods for encrypting data in quantum safe ways. This field of study is sometimes called “post-quantum” or “quantum-proof” encryption. By 2022, NIST is expected to have helped the research community downselect to a handful of the best algorithms for quantum proof encryption. There are already many algorithms your team can put in place now (26 are being evaluated by NIST), however, picking an encryption method before it is fully vetted comes with significant risk. The art form here is to track what the community is doing and be ready to rapidly move, after a small group of fully vetted algorithms are announced by NIST.

Quantum proof encryption is also being built into common Internet protocols and open standards by groups like the Open Quantum Safe organization. Code on these and other solutions has advanced to the point where solutions can be put in place in your enterprise today. They are also available to be used as part of your communications so data in motion is better protected. 

New ways of generating and managing keys include leveraging quantum effects to ensure ultimate randomness in generating keys (like the QuintessenceLabs approach). There are also now proven, commercially available ways to transmit keys in ways that cannot be intercepted via Quantum Key Distribution (QKD). This is is the establishment and transmission of cryptographic keys using streams of single photons so that any attempt to read or tamper with the stream is known. The pioneering work here was done by DARPA and NIST and others. China has also been funding extensive research in these methods and has proven an ability to distribute keys this way. In one highly public example, a quantum cryptographic key was shared between Beijing and researchers in Vienna using a specially designed QKD capable satellite.

There are things business leaders can do right now to help reduce risks of your data coming under quantum attack. 

Our Recommendations:

  • Ensure you are up on the vocabulary of quantum computing by reviewing our Executive’s Guide to Quantum Computing. This no-nonsense guide presents key concepts at just the right level for a busy executive and will better enable you to have serious conversations with your technical team and external business partners on this topic. 
  • Ask your CIO and CISO what they know about NIST’s activities in post quantum cryptography. There are many technical topics they will want to track, including a new standard for encryption NIST is coordinating to be published by 2022. Doing this will help prepare your organization to move fast when NIST announces their pick for the best algorithms to use.
  • Initiate a discovery and mapping effort for your organization to ensure your team knows everywhere that encryptions being used in your organization and what types of algorithms are being used in those solutions. This will enable better planning for replacing those algorithms.
  • Start conversations with your service provider ecosystem, including your cloud providers. You now have quantum safe solutions and approaches available for traffic to and from AWS and Microsoft and soon Google, but you need to have the conversation to ensure you are suing them. 
  • Accelerate your move to the Cloud (meaning using highly reliable, hyperscale providers like Amazon and Google). Doing so will help you offload many responsibilities for engineering solutions to the engineering teams of hyperscale providers. You will still have to configure your solutions well and will still have to know how your on-prem data is protected, but the cloud move will help tremendously.
  • Ask your technical team to not just put quantum safe measures in place, but to test them. Good CIOs and CISOs will periodically check security by red teaming. This needs to be done for your quantum safe approaches as well (this, by the way, is the sweet spot of OODA LLC).
  • Consider the importance of trust in your business relationships and how quantum safe preparations can help ensure that. No matter what your line of business, you have customers, suppliers and partners in the ecosystem that want to do business with organizations that will protect their data now and in the future. Likewise, you will want those organizations to protect your data now and in the future. Starting your own preparations to be quantum safe is key, but when you do, ensure you are letting your customers, suppliers and partners know you are on this journey so they know you are to be trusted long term.

Special Series on Quantum Computing

The developments in the field of Quantum Computing are coming faster and faster. OODA analysts are focusing on what matters most to today’s business decision makers. Recent reporting includes:

For additional reading on related topics see:

Bob Gourley

Bob Gourley

Bob Gourley is the co-founder and Chief Technology Officer (CTO) of OODA LLC, the technology research and advisory firm with a focus on artificial intelligence and cybersecurity which publishes Bob is the co-host of the popular podcast The OODAcast. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency. Find Bob on Defcon.Social