Quantum computing is now real. While the technology is still in the early stages of development, researchers are making impressive progress in developing quantum devices and exploring early use cases in chemistry, finance and machine learning.

Besides research and development in the private sector and academia, big investments are also being made in the public sector. In the future, this could enable quantum computers with much greater computing power than they have today.

How Will We Protect Our Data From Quantum Attacks?

Quantum computers could potentially offer unprecedented capabilities to tackle problems that classical computers cannot solve today. These systems will also change the way we approach cybersecurity. In 1994, Peter Shor showed that a large-scale quantum computer would be able to break today’s most-used public key crypto algorithms, such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman and Elliptic Curve Cryptography, by using Shor’s algorithm.

Since most of our communication (e.g., bank transactions, web traffic, remote connections and email) relies on such algorithms, in essence, all of it would be at risk. This extends to all data encrypted with secret cryptographic keys that are exchanged in one way or another using the aforementioned algorithms.

Not surprisingly, researchers have been working hard on alternative methods for protecting our data as quantum computing progresses.

One set of methods is quantum cryptography, which is mostly known for quantum key distribution (QKD) — e.g., the BB84 protocol. QKD is implemented by encoding the secret key in quantum states, which are sent in the form of photons (light particles) across optical fibers or free space. To protect against wiretapping by an eavesdropper, we exploit fundamental quantum mechanical properties such as Heisenberg’s Uncertainty Principle and the fact that, in the quantum world, it is impossible to observe something without impacting it (i.e., its quantum state). Even though distance limitations of QKD may be overcome today by launching satellites into space, we are currently constrained by low bit rates and the fact that initial authentication still requires a classically pre-shared secret.
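
The eavesdropping detection described above can be seen in a small BB84 simulation. This is an added example, not code from the original article; it assumes an ideal noiseless channel and an intercept-resend eavesdropper, and all function names are made up for illustration.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the bit; the other basis gives a coin flip."""
    return bit if meas_basis == prep_basis else rng.getrandbits(1)

def bb84_sift(n_photons, eavesdropper, rng):
    """Run BB84 on an ideal channel (assumption) and return Alice's and Bob's sifted keys."""
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)  # basis 0 = rectilinear, 1 = diagonal
        flying_bit, flying_basis = bit, a_basis
        if eavesdropper:
            # Intercept-resend: the eavesdropper must guess a basis, and the
            # measurement re-prepares the photon in that basis, disturbing it.
            e_basis = rng.getrandbits(1)
            flying_bit = measure(flying_bit, flying_basis, e_basis, rng)
            flying_basis = e_basis
        b_basis = rng.getrandbits(1)
        b_bit = measure(flying_bit, flying_basis, b_basis, rng)
        if a_basis == b_basis:  # bases are compared publicly; mismatches are discarded
            alice_key.append(bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def estimate_qber(alice_key, bob_key, sample_size, rng):
    """Publicly compare a random sample of sifted bits; return (error rate, bits left)."""
    idx = rng.sample(range(len(alice_key)), sample_size)
    errors = sum(alice_key[i] != bob_key[i] for i in idx)
    return errors / sample_size, len(alice_key) - sample_size

def run(eavesdropper, n_photons=20000, sample_size=2000, seed=1):
    rng = random.Random(seed)  # seeded PRNG: fine for a simulation, never for real keys
    a, b = bb84_sift(n_photons, eavesdropper, rng)
    return estimate_qber(a, b, sample_size, rng)

if __name__ == "__main__":
    for eve in (False, True):
        qber, remaining = run(eve)
        print(f"eavesdropper={eve}: sampled error rate {qber:.3f}, {remaining} key bits left")
```

Without an eavesdropper the sampled error rate is zero; with one it settles near 25%, which is the signal the two parties use to discard the key.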

Another method is quantum-safe cryptography, which involves a new set of classical encryption algorithms based on mathematical problems that are believed to be hard to solve on a quantum computer (as well as on a classical computer). Such algorithms are considered resistant to quantum attacks. The main advantage of quantum-safe cryptography is the possibility of implementing it on top of existing infrastructure (e.g., by updating the Transport Layer Security protocol), which is why it may be considered the most feasible way forward.

How to Prepare Your Organization for Quantum-Safe Cryptography

Multiple standardization efforts for quantum-safe cryptography are already ongoing. For example, the National Institute of Standards and Technology (NIST) is leading a quantum-safe cryptography standardization program and recently announced the candidates for the second round, including submissions from IBM that are based on lattice-based cryptography.

In parallel with standardization efforts for quantum-safe cryptography, there are plenty of things that companies should start doing today to avoid losing their competitive advantage when future standards of cryptography become widespread. Below are four of the most important steps to get started.

  1. Manage your data:
    • Identify and classify your most valuable data by defining your crown jewels.
    • Understand the security time value of your data, or how long you will need to keep your data protected.
    • Define data owners and a life cycle for your data.
    • Understand how cryptography protects your most valuable data.
    • Know where all your valuable data is stored, how it flows within your organization, and how it is transmitted to locations outside of your organization.
  2. Manage your crypto:
    • Create an inventory of your existing cryptography. Understand which protocols and algorithms are currently used in your organization.
    • Identify hardware and software components related to cryptography.
    • Understand how your applications use cryptography and to what degree cryptography is currently hardcoded.
    • Understand how cryptography protects your most valuable data.
    • Know how legacy components depend on cryptography.
  3. Improve your crypto-agility:
    • “Abstract out” cryptography to the extent possible.
    • Update your development life cycle to rapidly account for new cryptography standards.
  4. Upskill crypto and quantum resources:
    • Offer employees educational resources about cryptography and quantum computing.
    • Make use of external services that can keep your organization up to date on the latest technology trends in cryptography and quantum computing.
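
As a starting point for the cryptography inventory in step 2, the following added example (not part of the original article) scans source and configuration text for hardcoded references to the public-key families the article names as breakable by Shor's algorithm. The token patterns, file names and file contents are constructed assumptions, not an exhaustive catalogue.

```python
import re
from collections import defaultdict

# Public-key families the article lists as breakable by Shor's algorithm.
# The token patterns are illustrative assumptions, not a complete list.
FAMILIES = {
    "RSA": r"RSA",
    "Diffie-Hellman": r"DHE?|DiffieHellman",
    "Elliptic curve": r"ECDHE?|ECDSA|EC|secp\d+[rk]1|prime256v1",
}
# Match a token only when it is not embedded in a longer alphanumeric word.
PATTERNS = {name: re.compile(rf"(?<![A-Za-z0-9])(?:{alt})(?![A-Za-z0-9])", re.IGNORECASE)
            for name, alt in FAMILIES.items()}

SAMPLE_SOURCES = {  # constructed inputs standing in for a code base
    "payments/Signer.java": 'KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");\nkpg.initialize(2048);\n',
    "gateway/nginx.conf": "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;\nssl_ecdh_curve prime256v1;\n",
    "tools/hash.py": "import hashlib\ndigest = hashlib.sha256(data).hexdigest()\n",
}

def scan(sources):
    """Return (path, line_no, family, line) for every line naming a Shor-exposed algorithm."""
    findings = []
    for path, text in sorted(sources.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for family, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, line_no, family, line.strip()))
    return findings

def inventory(findings):
    """Group findings into {family: sorted list of files that hardcode it}."""
    by_family = defaultdict(set)
    for path, _, family, _ in findings:
        by_family[family].add(path)
    return {family: sorted(paths) for family, paths in by_family.items()}

if __name__ == "__main__":
    for path, line_no, family, line in scan(SAMPLE_SOURCES):
        print(f"{path}:{line_no}: {family}: {line}")
    print(inventory(scan(SAMPLE_SOURCES)))
```

Files that appear in the result are the ones where the algorithm choice is hardcoded and would need a code or configuration change during migration.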

Even though quantum computers are still in development, the above activities can help prepare your organization for the long-term impacts these systems may have on cryptography. We strongly advise you to start this journey now to prepare for when new quantum attacks emerge, advanced crypto-threats arise and new crypto technology becomes available. Learn more about quantum risks and cryptographic agility — the key to successfully navigating the shifting landscape.
