Quantum computing is now real. While the technology is still in the early stages of development, researchers are making impressive progress in developing quantum devices and exploring early use cases in chemistry, finance and machine learning.

Besides research and development in the private sector and academia, big investments are also being made in the public sector. In the future, this could enable quantum computers with much greater computing power than they have today.

How Will We Protect Our Data From Quantum Attacks?

Quantum computers could potentially offer unprecedented capabilities to tackle problems that classical computers cannot solve today. These systems will also change the way we approach cybersecurity. In 1994, Peter Shor showed that a large-scale quantum computer would be able to break today’s most-used public key crypto algorithms, such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman and Elliptic Curve Cryptography, by using Shor’s algorithm.

Since most of our communication (e.g., bank transactions, web traffic, remote connections, email, etc.) relies on such algorithms, in essence, all of it would be at risk. This extends to all data encrypted with secret cryptographic keys that are exchanged in one way or another using the aforementioned algorithms.

Not surprisingly, researchers have been working hard on alternative methods for protecting our data as quantum computing progresses.

One set of methods is quantum cryptography, which is mostly known for quantum key distribution (QKD) — e.g., the BB84 protocol. QKD is implemented by encoding the secret key in quantum states, which are sent in the form of photons (light particles) across optical fibers or free space. To protect against wiretapping by an eavesdropper, we exploit fundamental quantum mechanical properties such as Heisenberg’s Uncertainty Principle and the fact that, in the quantum world, it is impossible to observe something without impacting it (i.e., its quantum state). Even though distance limitations of QKD may be overcome today by launching satellites into space, we are currently constrained by low bit rates and the fact that initial authentication still requires a classically pre-shared secret.

Another method is quantum-safe cryptography, which involves a new set of classical encryption algorithms based on mathematical problems that are believed to be hard to solve on a quantum computer (as well as on a classical computer). Such algorithms are considered resistant to quantum attacks. The main advantage of quantum-safe cryptography is the possibility of implementing it on top of existing infrastructure (e.g., by updating the Transport Layer Security protocol), which is why it may be considered the most feasible way forward.

How to Prepare Your Organization for Quantum-Safe Cryptography

Multiple standardization efforts for quantum-safe cryptography are already ongoing. For example, the National Institute of Standards and Technology (NIST) is leading a quantum-safe cryptography standardization program and recently announced the candidates for the second round, including submissions from IBM that are based on lattice-based cryptography.

In parallel with standardization efforts for quantum-safe cryptography, there are plenty of things that companies should start doing today to avoid losing their competitive advantage when future standards of cryptography become widespread. Below are four of the most important steps to get started.

  1. Manage your data:
    • Identify and classify your most valuable data by defining your crown jewels.
    • Understand the security time value of your data, or how long you will need to keep your data protected.
    • Define data owners and a life cycle for your data.
    • Understand how cryptography protects your most valuable data.
    • Know where all your valuable data is stored, how it flows within your organization, and how it is transmitted to locations outside of your organization.
  1. Manage your crypto:
    • Create an inventory of your existing cryptography. Understand which protocols and algorithms are currently used in your organization.
    • Identify hardware and software components related to cryptography.
    • Understand how your applications use cryptography and to what degree cryptography is currently hardcoded.
    • Understand how cryptography protects your most valuable data.
    • Know how legacy components depend on cryptography.
  1. Improve your crypto-agility:
    • “Abstract out” cryptography to the extent possible.
    • Update your development life cycle to rapidly account for new cryptography standards.
  1. Upskill crypto and quantum resources:
    • Offer employees educational resources about cryptography and quantum computing.
    • Make use of external services that can keep your organization up to date on the latest technology trends in cryptography and quantum computing.

Even though quantum computers are still in development, the above activities can help prepare your organization for the long-term impacts these systems may have on cryptography. We strongly advise you to start this journey now to prepare for when new quantum attacks emerge, advanced crypto-threats arise and new crypto technology becomes available. Learn more about quantum risks and cryptographic agility — the key to successfully navigating the shifting landscape.

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

How to Report Scam Calls and Phishing Attacks

With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…