What is the ‘steal now, crack later’ quantum computing threat?
The rise in quantum computing this decade is pushing cyber criminals into stealing encrypted business data with the hopes of cracking it in the future
The capabilities of quantum computing have been rapidly developing over the last decade, and are expected to mature over the next. By 2030, in fact, the industry widely expects commercial quantum computing offerings to be available in the mainstream.
While the business use cases of quantum computing are being contemplated, so too has the advent of this technology piqued the interest of cyber criminals who now prefer to retain – rather than discard – heavily encrypted data where possible. These groups are embracing the idea of ‘steal now, crack later’, which involves harvesting and storing encrypted data until quantum computing gives them the tools to access the information.
Although the cyber security industry doesn’t expect cyber gangs to get access to powerful quantum computers next week, or even next month, businesses must begin preparing for the prospect of these machines one day cracking the encrypted data they hold dear today.
How long will your data remain secure?
A recent Gartner report noted the Rivest-Shamir-Adelman (RSA) algorithm has been used in almost every aspect of security over the last 30 years, but that key cracking is one of the small set of mathematically approachable problems quantum computing can solve.
“Quantum computers are advancing steadily, gaining the power and stability needed to pose a realistic threat to the widely-used public key encryption currently in place to protect sensitive data, applications and transactions,” says Greg Wetmore, VP software development at Entrust Cybersecurity Institute.
“There’s some uncertainty about when exactly there will be a quantum computer powerful enough to break the cryptographic algorithms currently in use, however many are operating under the assumption that this can happen within the next ten years.”
According to Gartner, conventional asymmetric cryptography is set to become unsafe to use as soon as 2029 – and will require the support of larger key sizes in just three years. Gartner's senior director analyst and co-author of the report, Mark Horvath, says, though, there's at least a decade before something like 2048-bit key can be broken.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Steal now, crack later attacks likely won’t be feasible
There’s no need for full-scale panic and just because this is possible, it doesn't mean cyber gangs will be routinely cracking encrypted files. In reality, most organisations won’t have access to the very large data centres needed to store this information long-term, and then access the quantum computing power necessary to decrypt this information once (eventually) available.
“For most cyber criminals the cost of accessing the quantum computing power is going to put it out of their reach, plus the need to resort to such sophisticated tools is not currently there,” says Will Richmond-Coggan, a litigator at law firm Freeths.
This is because the majority of cyber criminals focus on low-hanging fruit, where information can be accessed using traditional methods like social engineering or phishing. Experts agree those using quantum computing for nefarious means will mainly be nation state actors or state-sponsored groups looking to access highly sensitive information that could potentially affect national security.
“This kind of attack only makes sense for nation-states, who can reasonably expect to have powerful enough quantum capability in the near to medium term,” says Dr Chris Heunen, reader in quantum informatics and director of the Cisco Software Centre of Excellence at the University of Edinburgh.
“It’s also more likely to be high-value data with a long useful shelf life, such as intellectual property if its enterprise data, or defence and government-related data and intelligence,” adds Heidi Shey, a principal analyst at Forrester, highlighting that only certain organisations will appeal to these attackers.
Security risks extend beyond ‘steal now, crack later’
It’s worth noting, however, that security risks from quantum computing extend beyond the nature of harvesting encrypted data now with a view to decrypting it at an indeterminate future date. Shey points to the fact that breaking existing public key cryptography will also have an impact on the encryption used for secure communications and digital signatures.
“It impacts critical infrastructure if the hardware and software on devices used in these environments rely on public key cryptography,” she says. “Blockchains are also technically breakable by quantum computing,” adds Horvath, “and so the major blockchain companies like Bitcoin and Ethereum are (already) working on quantum-safe protocols for blockchains.”
How to prepare for quantum-powered attacks
These cryptocurrencies aren’t alone in preparing for the dawn of quantum computing and its potential effect on cyber security.
In the US, for example, the National Institute of Standards and Technology (NIST) has been working on its post-quantum competition for standardising protocols since 2017. At the end of last year, too, President Biden signed the Quantum Computing Cybersecurity Preparedness Act. Shey adds a White House memo recently asked US agencies to perform a cryptographic inventory, alongside proposed legislation on post-quantum cryptography.
What do businesses need to do?
I’ll be many years before the wider cyber criminal community has access to the quantum computing tools necessary to hack heavily encrypted data. Only a handful of businesses, too, are likely targets for those most likely nation-state attackers. This means the majority of organisations have little to fear from the arrival of quantum computing.
It’s also important to remember the benefits will far outweigh any cyber security risks. Even so, it’s important for organisations to establish risk level clearly, and what steps they might, therefore, need to take to protect encrypted data.
Both Horvath and Shey agree the responsibility for this preparation starts with the CISO or CIO within the organisations, and that the first steps should be to look at the sensitivity and long-term value of an organisation’s data. Sensitivity will help you establish risk level, while lifespan will point to the steps you may need to be taken.
“If its lifespan is going to be two or three years you don’t have to worry about it,” says Horvath. “If it’s more like four to seven years, then you can extend the key lengths that you use today. Something like 3072-bit will extend the lifetime of your data security well into the 2030s.
“If you have data, such as mortgages, bonds or financial instruments, that have a lifespan of more than ten years, then you need to start thinking about what your strategy is going to be regarding the introduction of quantum safe encryption.”
Getting ready for the post-quantum world
In the end, all organisations will need to ensure they’re ready for a post-quantum world. Every business needs to begin working on its strategy to ensure post-quantum readiness, which should include building maturity into how cryptographic assets such as certificates, keys, secrets and crypto libraries are managed.
How to build a cyber-resilient business ready to innovate and thrive
Outperform your peers in your successful business outcomes
Organisational changes can take time to implement, so it’s imperative to get a head start. But Wetmore points out that previous cryptographic transitions, such as the migration from SHA-1 to SHA-2, resulted in disruption and proved costly and time-consuming for organisations to implement.
The transition to post-quantum encryption will be much more complex, as quantum doesn’t act like the cryptography we have today.
This means it’s not as simple as a drop-in replacement, as the post-quantum algorithms currently identified have completely different key generation, exchange, encryption and decryption properties from the ones they’re replacing. Each business will have different steps it needs to take to make sure it’s ready for the incoming quantum era, but there will be something for every organisation to do.
Keri Allan is a freelancer with 20 years of experience writing about technology and has written for publications including the Guardian, the Sunday Times, CIO, E&T and Arabian Computer News. She specialises in areas including the cloud, IoT, AI, machine learning and digital transformation.