How to move your org to a quantum-safe cyberarchitecture
By Jack Hidary
If asked what keeps them awake at night, most CISOs will talk about data breaches, malware and ransomware. Recent years have shown the disruptive potential of ransomware attacks such as WannaCry and Ryuk, or Ransomware-as-a-Service from hacker groups such as DarkSide, on businesses, hospitals, financial institutions, and critical infrastructure. We’ve also seen significant data leaks of personal information, with social security numbers, banking and medical information harvested and sold on the dark web, including from such organizations as Target (2013), the U.S. Office of Personnel Management (2015), Anthem (2015), Equifax (2017), and Marriott (2018).
The majority of the world’s data, from governments to energy grids to financial institutions, is currently protected using RSA, ECC and other similar cryptosystems that were developed decades ago. That data is often transmitted over public internet infrastructure, leaving it vulnerable to hackers. The day is approaching when quantum computers will be able to crack RSA/ECC encryption.
In the past, hackers didn’t focus on exfiltrating encrypted data – it was unusable and there was no market for it. But with the increasing capabilities of quantum computers, RSA/ECC-encrypted data has become an increasingly valuable target, with the potential for much more substantial disruption, through “store now; decrypt later” (SNDL) attacks.
SNDL attacks represent a critical threat to thousands of enterprises and organizations. State-backed adversaries will look to gain competitive advantages in pharmaceuticals, technology, materials science, energy and other industries by exploiting data with long-term value (e.g., formulas for products, products in development and other IP). They could gain access to key information concerning infrastructure (e.g., energy grids, nuclear plants), defense (e.g., weapons designs, intelligence agents’ identities, biometrics), and communications (e.g., GPS and other satellite systems), which have broad implications for national security.
This previously stolen and stored data now exists like a ticking time bomb, just waiting for the quantum hardware that will set it off. While it’s too late to prevent those breaches, we can use quantum and AI solutions right now to protect against further damage being done.
The good news is that we don’t have to wait for large fault-tolerant quantum computers to secure our sensitive data. There are a number of quantum-safe algorithms that can run on classical computers and protect data that is at risk from SNDL attacks. These algorithms have gone through rounds of evaluation by standards bodies, with the cybersecurity community awaiting the imminent publication of specs for the initial protocols accepted by NIST.
Migrating to post-quantum cryptography (PQC) is complex, and it is also an opportunity to evaluate a company’s cyber architecture as a whole. The first step is the discovery process, which entails combing every inch of an organization’s infrastructure to determine which cryptographic algorithms and protocols are currently being used on each server, laptop, IoT device, mobile phone, website, mobile app and more. This process cannot be done manually – even using cutting-edge machine learning algorithms, it can take between four and six months to crawl a given infrastructure and catalog every possible node, port or endpoint. The outcome of this process is that CISOs and their teams get a full view of their encryption infrastructure, enabling them to plan for hardware and software upgrades, which could take three to four years.
It is estimated that more than 20 billion devices globally will need to have their software upgraded to post-RSA protocols: 7+ billion mobile phones, billions of laptops, servers and, of course, IoT devices.
Beyond that, hardware manufacturers who build security directly into their chips or products must also implement PQC as soon as possible to protect infrastructure and products that will be in use for decades, such as cars, airplanes and ships. Telco providers are also an important part of the PQC ecosystem – their networks constitute the foundation of secure communications.
We will see regulatory agencies in the US and abroad issue timelines and reporting requirements for the transition from RSA to quantum-safe protocols. This means that legal and compliance departments have a key role to play in this global transition.
The smoothest way to migrate to post-RSA is by adopting hybrid cryptographic protocols. To begin the PQC migration, rather than replacing existing algorithms altogether, traditional and post-quantum algorithms can be combined into a hybrid system. In this way, even if a vulnerability is later found in the PQC algorithm, the classical framework will still provide a key layer of protection.
SandboxAQ is working with companies like Softbank Mobile, Vodafone Business, Mt. Sinai Health System and other large enterprises to secure their digital infrastructure and ensure that they are “crypto-agile.” As we transition from a single-algorithm cryptographic protocol - RSA or ECC - to a multi-algorithm protocol based on the various upcoming NIST standards, AI can be utilized to assess which PQC algorithm is most appropriate for a particular use case. Doing this will ensure that SandboxAQ empowers organizations to achieve optimal levels of security with minimal impact on their business operations or user experience.
As large and fault-tolerant quantum computers get closer to fruition, we’re likely to see SNDL attacks increase significantly. It’s essential that organizations around the world start formulating strategies for evolving their security protocols as well as begin implementing hybrid RSA/ECC-PQC approaches while we continue to test and integrate NIST’s PQC schemes. While it’s not possible to protect data that’s already been stolen and stored elsewhere, we can protect vital current and future data and systems, but the process must begin today.