Hackers are having a field day, major corporations are reporting huge data breaches almost every day, CSOs are pulling their hair out trying to keep networks secure.
What could be worse for IT security?
Computing taking another technological leap forward, that’s what.
At a workshop in Ottawa this week, some leading researchers who have been working on quantum computing said thinking has advanced enough to believe there is a credible threat to the current state-of-the-art in information security.
Briefly, the worry is someone soon is going to be able to put together a system using quantum principles that can unravel the cryptographic algorithms that protect everything from credit cards to government security codes.
“For a quantum computer some of these problems are trivial,” Mark Pecen, technology industry consultant and a founder of the University of Waterloo’s Institute for Quantum Computing and a co-author of a paper presented at the session, said in an interview from the conference Tuesday.
With the right system, solving discrete logarithm problems – used in some public key cryptography products – would be a walk in the park.
“The purpose (of the paper) was to raise awareness, because quantum computing is pretty new,” Pecen said. “Although half the people in this room have been studying quantum computing for 20 years, your mainstream CEOs and CIOs don’t have the vocabulary, don’t understand it and don’t understand that it is a risk to information security.
“So we wanted to show it is a credible threat and here are some possibilities to do something about it, both with classical algorithmic cryptography — which relies on complexity to protect information — and also for quantum cryptography — which relies on basic physical properties to protect information.”
Some 100 people, mostly cryptographers, plus some government and business people, were at the workshop, which was co-sponsored by the European Telecommunications Standards Institute (ETSI).
It was the second annual Quantum-Safe Cryptography workshop, aimed at finding ways to standardize the next generation of cryptographic infrastructure to withstand quantum computing technologies.
One solution could be combining a conventional key-establishment algorithm with a quantum-safe key establishment protocol.
The idea of quantum computing isn’t easy to explain, but it’s something like this: The computers we use today process bits that are either zeros or ones. A quantum computer could use bits that are zero, one or both at once. The point is it could process a vast number of calculations simultaneously.
With every business and user wanting a faster computer, interest in the possibility of quantum computing is understandable. So every technology corporation from IBM to Microsoft is working in some way on large-scale quantum computing.
The other side is also true: Governments, spy agencies and IT security researchers are looking for ways to protect systems from the potential threat.
It could, of course, be academic. The truth is no one knows how close we are to a practical, large-scale quantum computer, Michele Mosca, deputy director of the Institute for Quantum Computing and co-organizer of the workshop, said in an interview. “But all the evidence suggests it could be much sooner than we thought, and it could be sooner than we are prepared for. It could take years and years to deploy the quantum-safe tools we need, and that’s about the time it would take to have a large-scale quantum computer.”
And, he adds, we want the data we create today to be protected for decades.
The discussion paper that Pecen, Mosca and others presented at the workshop recommends that organizations start thinking now about how long the information they store needs to be secure, and about the consequences of it being exposed to a quantum attack.
They should also investigate quantum-safe products on the market now, the paper says. In addition, they should examine cost-saving strategies to reduce the cost of switching to a quantum-safe networking and security environment.
Enterprises with advanced research teams should document quantum-safe use cases for their industry and publish them within standards groups such as ETSI, which maintains a standards leadership role in quantum-safe technologies, it also says.
Meanwhile security vendors should think about adding quantum-safe features to their products.
Looked at one way, quantum computing is poisoned fruit. But, Mosca says, “the value and prosperity that a quantum computer could bring to society is too great to ignore. This threat to information security should be a footnote in the history of quantum computing because it’s a very fixable thing – especially because we’ve had over 20 years to fix it.
“What I’d like is the advent of a quantum computer to be a purely positive milestone in human history, and it can be that way as long as we have upgraded our information security infrastructure to be safe.”