Threat actors are now stealing data to decrypt it when quantum computing arrives
Although quantum computing is years away from commercial availability, business leaders, CIOs, and CISOs must act now to prepare for the technology’s inevitable ability to crack RSA-encrypted data. Unless a post-quantum cryptography (PQC) strategy is adopted, all existing encrypted data assets are at risk of exposure, according to a stern warning from key technical cryptography experts released on Wednesday.
A peer-reviewed article chronicling this threat with a technical roadmap for transitioning to CQP appeared Wednesday in Naturea leading journal for the science and technology communities.
The cybersecurity experts who authored the article, titled “Transitioning organizations to post-quantum cryptography,” pointed to the fact that when large fault-tolerant quantum computers (LFTs) become available, attackers will be able to use them to crack most existing public keys. cryptographic systems, including RSA and elliptic curve cryptography (ECC).
The paper highlights three critical issues that the authors argue organizations need to address. The first is the existence of an active and critical threat called Store Now, Decrypt Later (SNDL), a practice in which attackers steal sensitive data and store it with the intention of decrypting it once IT quantum will be available.
Second, the authors warn that quantum computers will be able to crack those most commonly used on RSA and ECC to forge signatures. This would jeopardize all SSL-based websites, zero-trust architectures, and cryptocurrencies, among others, according to the authors.
And third, they highlight how the National Institute of Standards and Technology (NIST) is about to select a set of candidate PQCs that it will recommend as standards. Although the paper was written months ago before Wednesday’s release, NIST is poised to reveal the candidates within weeks and potentially sooner.
Dustin Moody, a mathematician from NIST, confirmed the imminent announcement of candidates for the PQC algorithm. Among cybersecurity standards, it is one of NIST’s largest undertakings since the development of the Advanced Encryption Standard (AES) and Secure Hash Algorithm-3 (SHA-3). The new PQC standard will likely include more than one algorithm, Moody told Dark Reading.
“Safety-wise, we want to make sure we’re not putting all of our eggs in one basket,” Moody says. NIST is considering public-key digital signatures as well as encryption or establishment of equivalent keys, adds Moody: “There will be at least one for each of them.”
NIST’s impending announcement was presaged by two directives last week from the Biden administration aimed at recognizing and treating PQC.
Impact on existing data assets
While the document provides a detailed technical breakdown of PQC issues, it also aims to raise awareness of the implications of quantum computing for existing information assets and highlight the need for a plan.
“For organizations that haven’t begun integrating PQC into their systems or even planning for it, we strongly recommend beginning their efforts now,” the document warns. “Organizations and businesses with sensitive data whose time value exceeds five years should consider PQC immediately.”
One of the paper’s co-authors is Jack Hidary, founder and CEO of Sandbox AQ, a software-as-a-service (SaaS) provider focused on combining quantum computing and artificial intelligence technology. to solve complex processing problems. The primary processing problem he is dedicated to is helping organizations understand the risk of quantum computing by identifying critical data assets that are encrypted and developing a strategy to protect them with upcoming PQC algorithms.
The first thing companies need to do is go through a discovery process to determine the value of all their data, especially encrypted information. For example, a large pharmaceutical company might own the intellectual property for patented drugs that bring in billions of dollars a year in revenue and royalties. If that data were to end up in the wrong hands, it could render that intellectual property worthless, Hidary warns.
“We realized that a whitepaper was needed to give CISOs, engineering teams, and other C-suite leaders context on how this migration would happen,” Hidary told Dark Reading. “And that’s the motivation for this article.”
Hidary points out that with SNDL, state-sponsored and independent attackers have already begun to exfiltrate RSA-encrypted data. “It’s happening right now – they’re storing this information, then they’ll decipher it in the future in a few years when they have additional computing power,” he said. “That’s the concern.”
PQC attracts powerful friends
Sandbox AQ might not be a well-known company today, having just come out of stealth mode. But it’s a well-capitalized startup incubated by Alphabet, Google’s parent company, which set up Sandbox AQ in March as a standalone company.
The company has a prominent advisory board consisting of former Google Chairman and CEO Eric Schmidt, former US Secretary of Defense Ashton Carter, former Senior Deputy Director of National Intelligence Susan Gordon and retired Admiral Mike Rogers, former commander of US Cyber Command and former director of the National Security Agency.
Before meeting Hidary in January, Ernst & Young Americas chief cybersecurity officer David Burg said he knew PQC was an issue his company would eventually need to address with customers. But Burg admits he was caught off guard by the need for EY to work with businesses immediately.
“We left this meeting realizing that this is actually an issue that our customers in the United States and around the world will have to deal with sooner than we thought,” Burg said. The two companies have formed a partnership to solve the problem together.
Protecting Health Information at Mount Sinai
One of the clients EY works with is Mount Sinai Health System, which has 43,000 employees across its eight hospital campuses in the New York area. Kristin Myers, who is CIO of Mount Sinai and dean of technology for her medical school, says cybersecurity is her No. 1 priority.
“When it comes to quantum computing, the reality is that with this innovation it will be possible to decrypt currently encrypted data in the future,” says Myers. “And as you can imagine for healthcare, unauthorized disclosure of sensitive PHI [personal health information] would really impact patients, whether it happens now, five years from now or beyond.”
Myers says she has signed Mount Sinai with Sandbox AQ and will begin conducting a review and inventory of all encryption methods currently in use. Sandbox AQ will then provide recommendations on how to move forward.
“We will do a feasibility study of some of the products that we will need to implement with them,” she says. “It’s going to be a multi-year journey with them, but just being able to start is going to be important for us.”