Thales Blog

Sound the Quantum Alarm!

August 19, 2021

Mike Brown | Chief Technology Officer, ISARA Corp

When was the last time you considered the cryptography in your organization? Perhaps you had to encrypt your data as part of a regulatory requirement, or you voluntarily understood the value of encryption and deployed it as a safeguard. Encryption is one of those technologies that, once implemented, is typically fairly easy to manage, as most organizations use cryptography supplied through a vendor. Key management can be the challenge, but the encryption itself is a low-maintenance affair. However, as with all things technological, change is on the horizon.

In the latest episode of the Security Sessions podcasts, we discuss a major breakthrough in the field of quantum computing. Recently, a company named Oxford Quantum Circuits announced that it was offering quantum computing as a service (QCaaS). OQC’s first customer will be their current partner, Cambridge Quantum, who will use the product to demonstrate their IronBridge cybersecurity platform.

It is interesting that one of the first uses of commercial quantum computing will be a cybersecurity product. Quantum computing can bring about some great advancements, solving problems that have previously been unsolvable. This can be a huge benefit. However, quantum computing can also challenge some of the safeguards to which we have grown so accustomed that we now take them for granted; specifically, public-key cryptographic technology.

Quantum computing running Shor’s algorithm has the power to disentangle math problems, which were once considered computationally infeasible. It is predicted that the strongest cryptographic algorithms can be deciphered with Shor’s algorithm running on a large enough quantum computer. Is this a cause for concern, or are we sounding a premature tocsin?

On the one hand, we should be very concerned, especially when we consider the scale at which we use cryptography. From the lowest level of protocols that we use to the highest levels of authentication, cryptography is so prevalent, and seamless, as to be invisible to the average person. Yet, on the other hand, the destruction of public-key cryptography is not on the immediate horizon. That is, we have time to work on a solution, but that time is fairly short when plotted against a product with a long-term lifespan.

One example of such a long-term product that uses current public-key cryptography is the automobile. The amount of time that it takes from when a car is first engineered, then built, sold, and finally retired, can be up to 20 years. A car is now essentially software on wheels, and current public-key cryptography may be undone in as little as 10 years; together, these show the need for careful foresight. Everything from code-signing the vehicle control software to the keyless entry and ignition mechanisms relies on the same algorithms that could be neutered while the cars are still on the road.

We have an excellent opportunity to prepare, but are we equipped to do so, and is the rest of the security community aware of how fast this future opportunity will become a present reality? The good news about this harbinger of the future is that, unlike the inaccurate doomsday predictions of the Year 2000 bug, there is time to prepare, without the panic scenarios.

This does not imply that this preparation will be easy. Consider first the often arduous task of any inventory of digital assets in an organization. If an organization is to fully prepare for the quantum evolution, cryptography must also be added to that inventory. This reaches into the realm of risk management, as the value of the cryptography must be added to the organizational risk register, and the process must be worked into a strategic vision for the software development lifecycle as well. As with all things in security, preparation is the first step.

Another step towards anticipating the change is to shorten the lifespan of various systems that use cryptography. For example, digital identity expirations are often set in long intervals. Setting a shorter time for renewal can ease the burden as new cryptographic technologies emerge. The hardware lifespan of many systems can also be planned, not just to achieve the benefits of a tech refresh, but to include the predicted cryptographic developments as well.
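The inventory and lifespan steps described above can be combined into one check. The following Python is an added example, not part of the original post: the inventory format, asset names and the 398-day renewal policy are assumptions, and the threat horizon is the article's "as little as 10 years" counted from its publication date.

```python
import csv
import io
from datetime import date

# Public-key families built on factoring or discrete logarithms, the
# problems Shor's algorithm solves.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519"}

# Assumption: "as little as 10 years" from the post's date (August 19, 2021).
THREAT_HORIZON = date(2031, 8, 19)
MAX_VALIDITY_DAYS = 398  # assumed renewal policy, not taken from the post

# Constructed inventory; in_service_until is the key/credential expiry or
# the planned retirement of the product that depends on it.
SAMPLE_INVENTORY = """asset,use,algorithm,issued,in_service_until
vehicle-ecu-firmware,code-signing,ECDSA-P256,2021-01-15,2041-01-15
keyless-entry-fob,authentication,RSA-2048,2021-03-01,2036-03-01
web-frontend-tls,tls-server,RSA-2048,2021-06-01,2022-06-01
backup-archive,data-at-rest,AES-256,2021-02-01,2035-02-01
vpn-gateway,tls-server,ECDSA-P384,2021-05-01,2024-05-01
"""

def family(algorithm):
    """'RSA-2048' -> 'RSA', 'ECDSA-P256' -> 'ECDSA'."""
    return algorithm.split("-")[0].upper()

def assess(inventory_csv, horizon=THREAT_HORIZON, max_days=MAX_VALIDITY_DAYS):
    """Flag each asset for Shor exposure, service life and validity length."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issued = date.fromisoformat(row["issued"])
        until = date.fromisoformat(row["in_service_until"])
        vulnerable = family(row["algorithm"]) in SHOR_VULNERABLE
        findings.append({
            "asset": row["asset"],
            "algorithm": row["algorithm"],
            "shor_vulnerable": vulnerable,
            # Still relying on a vulnerable key after the assumed horizon.
            "outlives_horizon": vulnerable and until > horizon,
            # Validity longer than the renewal policy allows.
            "shorten_validity": vulnerable and (until - issued).days > max_days,
        })
    return findings

def migration_priority(findings):
    """Assets to enter in the risk register first."""
    return [f["asset"] for f in findings if f["outlives_horizon"]]

if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY):
        print(finding)
```
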

Just as quantum computing presents a threat to cryptography, it can also usher in a new era of even stronger cryptographic solutions. However, a wise security professional will not await that development, and it may be projected that neither will lawmakers. As an extension of the new developments of cryptography which will be brought about through quantum computing, we should also expect that new regulations will transpire that address these changes.

With the announcement by OQC, it is clear that, even if quantum computing is not fully realized, it is closer than many had forecasted. This is the next evolution in digital transformation, and not only will it help us to leap forward in unpredictable ways, it will bring some challenges to address with our existing technologies.

Listen to the latest Security Sessions podcast to learn even more.