Global Research Survey

In Global Survey

Cybersecurity Pros Fear a Surprise Quantum Attack yet Only 1 in 5 are Prepared

In a report issued by Dimensional Research for Cambridge Quantum, 75% acknowledge quantum attacks will defeat current encryption but only 13% have purchased products to fight the threat.

A global research survey of information security professionals released today found that most believe advancing technologies will break longstanding encryption standards within the next two years. Professionals said most organizations are currently unprepared to defend against encryption attacks but plan to be by 2023.

Conducted in October 2021 by Dimensional Research for Cambridge Quantum (now part of the newly formed company Quantinuum), the report evaluated the opinions of more than 600 cybersecurity professionals across industry and government.

 

Key highlights include

  • 70% of respondents expect new and evolving technologies will compromise existing encryption approaches
  • 75% acknowledged that quantum-enabled attacks will defeat current encryption techniques
  • 80% of respondents are worried that a quantum-enabled attack could occur “without warning”
  • 86% confirm they adhere to regulations requiring critical data protection for an extended period with nearly half needing to protect data for five years or more. Data that must be secured over time is vulnerable to “hack now, decrypt later” tactics currently being employed by adversaries who will use powerful quantum computers when available.

The report found that only 21 percent of security professionals surveyed feel prepared for advancing encryption attacks while another 38 percent say their organizations will be ready within the next two years. However, just one in five indicate any budget allocation to address the issue and even fewer have started researching quantum threats and possible solutions.

With nearly half indicating they are quantum security knowledgeable, the key challenges cited in building a quantum defense include lack of in-house expertise, immature solutions, and undefined post-quantum encryption algorithms. Just 13 percent have purchased a solution to start enabling a quantum defense.

“Cybersecurity professionals appear to appreciate the advancing threat to current encryption standards and say they will be ready in time. However, there appears to be little real movement within organizations towards preventing a potentially catastrophic loss of critical data, despite the associated financial and legal consequences,” said Duncan Jones, head of quantum cybersecurity for Cambridge Quantum.

Jones said the strategy being implemented by adversarial nations and other bad actors to steal encrypted communications today for later decryption with quantum computers should especially concern those organizations required to protect critical data over several years or more. 86% of respondents confirm they adhere to regulations requiring critical data protection for an extended period with nearly half needing to protect data for five years or more.

“Organizations with data in the cloud or IoT devices in the field should move quickly to strengthen encryption against existing threats as well as those posed by quantum attackers in the future,” Jones said. “Financial institutions, healthcare, governments and other entities protecting critical data should ensure their security foundation is as strong as possible today, as well as future-proofed for tomorrow.”

Jones said organizations can move towards using post-quantum algorithms, such as those being standardized by the NIST post-quantum cryptography process, as well as consider bolstering current encryption defenses by leveraging quantum-enhanced cryptography.

 

ABOUT DIMENSIONAL RESEARCH

Dimensional Research® provides practical market research for technology companies. We partner with our clients to deliver actionable information that reduces risks, increases customer satisfaction, and provides business growth. Our researchers are experts in the applications, devices, and infrastructure used by modern businesses and their customers.

For more information
DimensionalResearch.com

 

ABOUT CAMBRIDGE QUANTUM

Founded in 2014, Cambridge Quantum is a global leader in quantum software and quantum algorithms, enabling clients to achieve the most out of rapidly evolving quantum computing hardware. It is part of the newly formed Quantinuum, the world’s largest, integrated quantum computing company. Cambridge Quantum has offices in Europe, USA, and Japan.

The Threat and Promise of Quantum Cybersecurity

In Global Survey

Cybersecurity Pros Fear a Surprise Quantum Attack yet Only 1 in 5 are Prepared

In a report issued by Dimensional Research for Cambridge Quantum, 75% acknowledge quantum attacks will defeat current encryption but only 13% have purchased products to fight the threat.

A global research survey of information security professionals released today found that most believe advancing technologies will break longstanding encryption standards within the next two years. Professionals said most organizations are currently unprepared to defend against encryption attacks but plan to be by 2023.

Conducted in October 2021 by Dimensional Research for Cambridge Quantum (now part of the newly formed company Quantinuum), the report evaluated the opinions of more than 600 cybersecurity professionals across industry and government.

 

Key highlights include

  • 70% of respondents expect new and evolving technologies will compromise existing encryption approaches
  • 75% acknowledged that quantum-enabled attacks will defeat current encryption techniques
  • 80% of respondents are worried that a quantum-enabled attack could occur “without warning”
  • 86% confirm they adhere to regulations requiring critical data protection for an extended period with nearly half needing to protect data for five years or more. Data that must be secured over time is vulnerable to “hack now, decrypt later” tactics currently being employed by adversaries who will use powerful quantum computers when available.

The report found that only 21 percent of security professionals surveyed feel prepared for advancing encryption attacks while another 38 percent say their organizations will be ready within the next two years. However, just one in five indicate any budget allocation to address the issue and even fewer have started researching quantum threats and possible solutions.

With nearly half indicating they are quantum security knowledgeable, the key challenges cited in building a quantum defense include lack of in-house expertise, immature solutions, and undefined post-quantum encryption algorithms. Just 13 percent have purchased a solution to start enabling a quantum defense.

“Cybersecurity professionals appear to appreciate the advancing threat to current encryption standards and say they will be ready in time. However, there appears to be little real movement within organizations towards preventing a potentially catastrophic loss of critical data, despite the associated financial and legal consequences,” said Duncan Jones, head of quantum cybersecurity for Cambridge Quantum.

Jones said the strategy being implemented by adversarial nations and other bad actors to steal encrypted communications today for later decryption with quantum computers should especially concern those organizations required to protect critical data over several years or more. 86% of respondents confirm they adhere to regulations requiring critical data protection for an extended period with nearly half needing to protect data for five years or more.

“Organizations with data in the cloud or IoT devices in the field should move quickly to strengthen encryption against existing threats as well as those posed by quantum attackers in the future,” Jones said. “Financial institutions, healthcare, governments and other entities protecting critical data should ensure their security foundation is as strong as possible today, as well as future-proofed for tomorrow.”

Jones said organizations can move towards using post-quantum algorithms, such as those being standardized by the NIST post-quantum cryptography process, as well as consider bolstering current encryption defenses by leveraging quantum-enhanced cryptography.

 

ABOUT DIMENSIONAL RESEARCH

Dimensional Research® provides practical market research for technology companies. We partner with our clients to deliver actionable information that reduces risks, increases customer satisfaction, and provides business growth. Our researchers are experts in the applications, devices, and infrastructure used by modern businesses and their customers.

For more information
DimensionalResearch.com

 

ABOUT CAMBRIDGE QUANTUM

Founded in 2014, Cambridge Quantum is a global leader in quantum software and quantum algorithms, enabling clients to achieve the most out of rapidly evolving quantum computing hardware. It is part of the newly formed Quantinuum, the world’s largest, integrated quantum computing company. Cambridge Quantum has offices in Europe, USA, and Japan.

A new method to efficiently perform factoring would defeat modern encryption systems.
And Shor had just provided the theoretical method for doing it.

The Threat from Quantum Computing

Despite such advances, there are varying opinions on when Shor’s Algorithm may pose a serious threat to cybersecurity, with estimates ranging from five to 20 years. One factor suggesting a shorter timescale is the faster-than-Moore’s Law trajectory of current quantum hardware. Honeywell, for instance, believes it can increase the power of quantum computers by a factor of 10 every year for the next five years, yielding an increase in power of 100,000x by 2025.

Does this mean you should wait until “Q Day” to become concerned? Absolutely not: The need to protect infrastructure systems is more immediate than that, for three reasons.

First, it takes time to upgrade security software, and massive infrastructure that corporations or governments utilise can require months or even years to make this transition.

Second, there are rumors that adversarial governments and other bad-faith actors are archiving data now in anticipation of future decryption capabilities, known as a “harvest-now, decrypt-later” attack. This means, for example, that the encrypted files of a future jet fighter could be stolen now and later decrypted.

Third, Shor’s Algorithm is a proof that efficient decryption of RSA is realisable but is by no means the most efficient way to accomplish this; there have already been substantial improvements upon the original algorithm.

It is entirely possible that tomorrow a clever researcher could develop a vastly more efficient method of decryption, placing us that much closer to cybersecurity vulnerability. Thus, enterprises should consider making the transition as soon as possible.

Fortunately, intense effort is already underway to develop new cryptographic algorithms resistant to quantum hacking.

In 2016 the National Institute of Standards and Technology invited submissions for such “Post-Quantum Encryption (PQE).” Intense study followed as mathematicians, computer scientists and physicists did their utmost to defeat such submissions using quantum technology, both existing and theoretical. From the original 82 submissions, there are currently seven finalists. The winners are expected to be announced between 2022 and 2024. There will likely be a few algorithms selected, with a tradeoff between security and power consumption.

Protection Using Quantum Technologies

While it has become well-understood that quantum technologies can be used to attack communications, what is lesser known is how they can be used to protect communications. In particular, their role in an often overlooked yet fundamental aspect of cybersecurity: randomness.

Randomness is most often associated with cryptographic keys or passwords. An obvious property of such keys is that their method of generation should be non-deterministic. Any mathematical formula or pattern in such supposedly random generation would render its usefulness null.

The other essential aspect is its security. After its generation, there should not be any means for an adversary to gain knowledge of what this key is. Both these number generation and security issues are directly relevant to quantum computing.

Let us first consider number generation. While we all have an intuitive sense of what randomness means, have you ever considered how to generate a truly non-deterministic random number? Your first instinct may be to toss a die. But consider that the die obeys the laws of physics, which are completely understood and completely predictable. If you measured the speed and direction of your toss, the air pressure, the weight of the die and so forth, and then performed careful calculations to compute the trajectory, you would predict the outcome with 100% certainty. The fact that such modeling is possible means that this outcome is not at all random.

If we generalise this concept, we realise that any method using classical (non-quantum) physics is deterministic. This includes asking a classical computer to generate random numbers. While they can certainly generate pseudo random numbers, the computer merely follows a formula based on internal, obscure data (such as the number of milliseconds to have elapsed since the last restart) to calculate numbers that only superficially appear random. All of this could be modeled by a quantum-powered attacker.

The answer to producing true randomness lies in quantum physics. Quantum physics is based on superposition, the idea that a system can exist in multiple configurations simultaneously. Measuring the system then forces it to choose one of these configurations.

To produce the quantum equivalent of a coin toss, prepare a quantum state in a 50% “1” state and 50% “0” state, and then measure it. This will result in a “1” or a “0” outcome with equal probability. Performing this operation several times results in a string of 1s and 0s corresponding to a random key.

There are a number of commercially available quantum random number generators (QRNGs) that attempt to measure quantum processes like this. While such QRNGs may be entirely viable ways of producing random keys, there is a shortcoming related to their security. If an adversary were to tamper with the quantum states, or at least eavesdrop, how would one know? The output is simply 1s and 0s, and so it would be impossible to determine if this were secure or not.

This is not merely a hypothetical: “Quantum Hacker” Vadim Makarov demonstrated that he was able to influence the output of quantum tunneling by shining a flashlight on the photodetectors. A similar issue would occur if the performance of the QRNG degraded over time – something that is quite feasible in a complex device that relies on mirrors and lasers.

Are we then cursed to have this theoretically random-but-insecure means of producing cryptographic keys? Fortunately, quantum mechanics comes to the rescue once again.

Quantum physics is based on superposition, the idea that a system can exist in multiple configurations simultaneously. Measuring the system then forces it to choose one of these configurations.

Playing Dice with the Universe

Albert Einstein famously commented, “God does not play dice with the universe.” Apparently, He (or She) does, and in 1964 Irish physicist John Bell proved it.

Bell developed a mathematical method to distinguish quantum processes from classical ones. This was based on quantum entanglement, the idea that the quantum state of one particle can be correlated with another, even if physically separated. Entanglement is a purely quantum property with no classical counterpart.

By focusing on entanglement, Bell provided a precise means of identifying quantum (and therefore random) processes from classical (and therefore deterministic) processes. And since any tampering or eavesdropping would require classical means, Bell also provided a proof of the outcome’s security. There is no longer any trust in devices required, only fundamental physics.

New approaches to cryptographic key generation are being developed that build on this trustless entanglement technique. These approaches offer guarantees (and proof) that the keys are perfectly random in nature and haven’t been influenced by any attacker, quantum or otherwise. As we move toward a quantum future, technology like this will be critical to maintaining the security we enjoy today.

 

Quantum Cybersecurity
Duncan Jones
Follow Duncan Jones on LinkedIn
Follow Mark Jackson on LinkedIn
Cambridge Quantum’s Technologies
John Bell