The moment a computer is invented that is fast enough to break current cryptography, we, as cybersecurity professionals will have a whole new reality to deal with. Guess what? Quantum computing is here.
August 2nd, 1939 a man entering his later years of life sits at a typewriter in small shore town near the Peconic Bay off Long Island NY. The subject of the letter has been weighing on him greatly for several months. He has started and stopped writing the letter several times. The topic is so grave and dire that he has even enlisted the help of two friends to offer their advice and counsel.
Late in the evening the letter is done and the next morning, with hands shaking and a conflicted heart the man mails the letter to President F. D. Roosevelt. Weeks after the letter is read by F.D.R and the United States begins the Manhattan project. The letter was written to President Roosevelt by Albert Einstein. In the letter Einstein warns of critical research and progress being made by the Germans’ in developing atomic weapons.
“Certain aspects of the situation which has arisen seems to call for watchfulness, and, if, necessary quick action…” —Albert Einstein
In 2015, the United States National Security Agency (NSA) issued the Commercial National Security Algorithm Suite (CNSA). The CNSA was developed by the NSA to provide software architects and engineers who design national security systems (NSS) with sufficient time to plan and budget for new cryptographic algorithms and approaches. The CNSA memorandum creates an amazing amount of conjecture, appropriate concern and worry among those who develop NSS. Outside of the NSS community, few have heard of the CNSA, even though it is unclassified and released to the public. For many, the CNSA is as critical a warning as the one that Albert Einstein relayed to F.D.R in August 1939.
What was it that caused the NSA to release a general memorandum requiring that NSS developers rethink their approach to cryptography? Simply stated, quantum computing.
In May 1981, Richard Feynman published “Simulating Physics with Computers” in which he lays the early groundwork for the development of quantum computers. As time progressed, the work of Feynman and others led to a worldwide drive towards the development of not just simulating physics but the development of real quantum computers.
Today, Microsoft, Google, IBM, Intel and others have developed quantum computers. There is also a “black” underground of quantum computing companies funded by IARPA and others attempting to develop quantum systems that can help the United States gain a distinct advantage in the quantum computing race. Very much like the Manhattan project there is a global “technology” and “arms” race in the quantum world (pardon the pun).
Quantum computing will radically change our understanding of the world as well as how we interact with the world.
This may seem like an idealist statement, but even today we are seeing quantum computing change our notion of binary computing. In fact, binary computing is referred to by quantum researchers as classical computing. Suddenly, binary systems are feeling rather old.
But why did the NSA issue the CNSA? What is it about quantum computing that created such concern for America’s top technology agency to blink? To better understand that, we need to remind ourselves about the reality of cryptography and its place in the world of cybersecurity.
Cryptography is a bet that all of us have placed. We may not think of it in terms of a bet, but when we strip back the covers, there is trivial difference between the wager we have placed on cryptography keeping our data secure and our playing the lottery. In both cases, cryptography and the lottery, we are playing the odds. In cryptography the bet we place is that a computer will not be able to factor a prime number fast enough to make the security cryptography affords, useless.
Today’s fastest super-computers, even if brought together and focused on breaking RSA 2048, would take well over a billion years to crack the code. As you can see, the promise of cryptography is that things will remain secure if no one invents a computer that is fast enough to break the code – in this case find the numerical factors. The moment a computer is invented that is fast enough to break current cryptography, we, as cybersecurity professionals, have lost the bet. Guess what? We are about to lose our bet.
A single quantum computer, one that uses achievable clock rates, can break RSA 2048 in just over one-hundred seconds.
This is what caused the NSA to issue the CNSA. Basically, the NSA is placing a new bet. That bet is that quantum computing will evolve at a rapid pace in the coming years and that systems designed today, need to be designed with quantum resistive algorithms (QRA). QRA is simply computer programs designed to not be broken by quantum computers. The challenge is that implementing QRA with the same level of confidence afforded by classical cryptographic systems will take time.
You may be wondering just how real all of this is and what are the implications to you?
In terms of reality, quantum computing is here. It may still be in its infancy, but you can interact with quantum computer simulators today and in some cases actual quantum computers.
Microsoft has just released a free quantum programming language Q#, that makes it easy to begin writing quantum programs and running them on a simulator. In Microsoft’s vision you will use a quantum computer much like a GPU (graphical processing unit) is used today. A traditional computer program that requires extra horsepower will make a call to a quantum computer (hosted on Microsoft Azure) and derive the benefits.
For those of us in the attack side of cybersecurity, this is nirvana. Think of how you could use tools (Metasploit, hash tools, etc.) that make a call from Python to Q# or a quantum library to a quantum computer hosted in the cloud. That computer breaks encryption, runs through a rainbow table or carries out other computationally intensive operations within seconds. The results are returned to your script and you push out an exploit. There are other attacks that will benefit from quantum computing, including DDoS or what I am calling qDDoS (quantum Distributed Denial of Service) or quantum botnets.
Now before any of my fellow attackers and researchers get too excited, keep in mind that quantum computers will need to be hosted. This means that access to those computers can be vetted and safeguarded.
In writing this article one of my hopes is that those companies who are at the leading edge of quantum computing will implement security from the ground up.
One of the reasons that we as attackers are so successful today, is that in classical computers, security has always been an afterthought. This brave new world of quantum computing can differentiate itself by making security a critical part of the core design. This is not easy, specifically because of the way quantum mechanics and properties operate. Yet, if we fail to consider things from an attacker’s perspective, from the outset, then quantum cybersecurity attacks will flourish.
My second goal in writing this article is to create awareness and dialogue.
The decision by NSA to release the CNSA was not easy. It was a bold and gutsy decision that left them open to ridicule, criticism and second guessing. I applaud the NSA for their attempt to create awareness. Yet, as time marches on, it is critical that we all begin to better understand the implications of quantum computing on our designs and systems. There are surely vast implications to national security, but quantum computing also creates design and security challenges for medical devices, secure communications, smart systems, autonomous vehicles, blockchain and more.
Quantum computing is a fascinating subject and one that personally and professionally I will continue to explore, especially as to how it relates to the offensive side of cybersecurity and warfare. If you wish to discuss this topic further or attend a one-day workshop on quantum computing, please let me know (email@example.com).
In closing I want to remind us of one of the lines in Einstein’s letter to F.D.R. It went something like this “Certain aspects of the situation which has arisen seems to call for watchfulness, and, if, necessary quick action…” It seems that as cybersecurity professionals, we should heed Albert’s caution. When it comes to quantum computing, we need to remain watchful and depending on our charges, consider action.
By the way, this article was written in 2018, in a small town along the Jersey shore, on Albert Einstein’s birthday, March 14 (3.14)
October was National Cybersecurity Awareness Month which is meant to put a spotlight and focus on cybersecurity education and taking action to protect yourself and your organization from a cyberattack. Here’s a roundup of some of the top things we shared in October.
By now most healthcare organizations perform cybersecurity awareness training and their staff are on the lookout for phishing emails. Cyber attackers are getting more savvy, however and are coming up with new phishing techniques that are harder to spot. Below are some examples of these new tactics and how to spot them.
Healthcare organizations that are victims of a cyberattack are reported daily. Reviewing OCR findings to identify actions you can take to protect your organization from similar attacks is a good best practice. Here is a review of the OSU breach to use as an example.