Analytics & Intelligence Cybersecurity Data Security Governance, Risk & Compliance Security Awareness Security Boulevard (Original) Threat Intelligence Threats & Breaches Vulnerabilities 

QKD: The Key to a Resilient Future

Avatar photo by John Prisco on January 30, 2023

One of the most imminent and pressing threats to organizations presently is harvest now, decrypt later (HNDL) attacks. According to a recent poll, half of responding professionals at organizations considering quantum computing benefits believe that their organizations are at risk for HNDL attacks. During an HNDL attack, threat actors will “harvest” encrypted data from unsuspecting organizations. The goal is to decrypt this data later when quantum computing reaches maturity to deem certain existing cryptographic algorithms obsolete. As these emerging threats persist, it has become crucial for organizations to be aware that they all stand to face HNDL threats at some point, which is why they must leverage quantum key distribution (QKD) as part of their security strategy. Post-quantum cryptography standards have been developed by NIST in a six-year program that is two years away from releasing its first standard encryption algorithm. Do we really have two more years to allow HNDL attacks to continue unchecked?

Harvest and Decrypt: The Most Immediate Threats

Cybercriminals are exploiting harvesting attacks by strategically storing encrypted data until quantum computer technology catches up with the decryption process. This is a prominent threat presently, as an incredible amount of sensitive data is being stored and most of our adversaries can store encrypted data and simply wait to decrypt the data in the future.

For example, countries including China, Iran or Russia may be harvesting data as we speak. The United States has already taken preliminary steps to slow China’s advances in the high-tech sector that pose an immediate threat to our national security. For instance, just this past October, the Biden administration established regulations to block Chinese firms trying to develop advanced chips from accessing non-Chinese factories that rely on U.S. technology to manufacture their products.

Certain industry sectors are at an increased risk for attacks. For example, there is an increased likelihood that the health care profession may fall victim to cybersecurity attacks due to the industry having sensitive information with a long shelf life and substandard cybersecurity tools to protect this data. This has begged the question of what next steps are needed to mitigate any future security threats that could be detrimental to our nation and its commercial industry.

Deploy QKD as a Mitigation Tactic

When it comes to the threat posed by powerful quantum computers, it’s not a question of what quantum computers can do today but rather what will happen when a quantum computer is powerful enough to break RSA encryption. To get ahead of this issue, there is one distinct application that should be deployed today, specifically in the realm of security, and that is QKD. In leveraging randomly generated quantum keys to transmit data that has been encrypted and transported through a fiber optic cable, only the intended recipient of the data can access and decrypt information.

Post-quantum cryptography (PQC) standards are mathematically safe. Still, QKD is protected by the laws of quantum physics, so it is much safer and not exposed to mathematical algorithms that can reduce security, as in PQC. Also, QKD functions efficiently because it can run on existing computer and telecommunications infrastructure.

Additionally, QKD offers a more simplified approach to data transmission overall. When used in tandem with the NIST post-quantum encryption standards, QKD can be the most resilient defense tactic against imminent attacks. So, what steps should companies be taking to ensure they’re adequately armed?

A preliminary step in the right direction is to create a QKD proof-of-concept trial. It’s key to start on a smaller scale to ensure that if there are additional areas to troubleshoot when deploying, they won’t compromise broader collections of sensitive data. When it comes to implementation, time is of the essence. From there, businesses should increase their network size gradually, so as not to overwhelm all critical data paths. Once network tests have been performed and things are running smoothly, QKD can be deployed to help keep sensitive data safe against HNDL attacks. So long as security teams are deploying QKD security across all critical data paths, it can eventually be implemented across a metro-scale network.

Implementing Solutions for the Long Haul

Presently, organizations may only be aware of harvesting attacks on data that is encrypted with public key RSA cryptography; however, over the next thirty years, we must anticipate harvesting attacks on sensitive data encrypted with post-quantum cryptography (PQC). All algorithm-based encryption has a shelf life.

In the meantime, organizations should take advantage of front-running technologies such as QKD. Those who adopt this platform early will be put in a strong position to be resilient going forward, as they remain at the forefront of innovations. Ensuring complete security against future harvesting attacks solely depends on the steps organizations take today to leverage QKD.

John Prisco , , , , , , , ,
Avatar photo

John Prisco

John Prisco is Toshiba partner and President and CEO of Safe Quantum. Throughout his 30-year career, John Prisco has demonstrated success driving revenue growth, implementing operational excellence, and bringing companies such as Triumfant, Penn Access, GeoVantage, and Ridgeway Systems to successful exits. His depth of experience in telecommunications, cybersecurity, and quantum physics led to his last venture-backed startup, Quantum Xchange, which he helmed through its initial product introduction. John provides expert witness testimony in the fields of telecommunication, cybersecurity, and quantum science.

john-prisco has 1 posts and counting.See all posts by john-prisco