The U.S. government is starting a generation-long battle against the threat next-generation computers pose to encryption … ignoring its own efforts in that regard.
BY:
Eric De Grasse
Chief Technology Officer
PROJECT COUNSEL MEDIA
28 June 2022 – While they wrestle with the immediate danger posed by daily hackers, U.S. government officials are preparing for another, longer-term threat: attackers who are collecting sensitive, encrypted data now in the hope that they’ll be able to unlock it at some point in the future.
The threat comes from quantum computers, which work very differently from the classical computers we use today. Instead of the traditional bits made of 1s and 0s, they use quantum bits that can represent different values at the same time. The complexity of quantum computers could make them much faster at certain tasks, allowing them to solve problems that remain practically impossible for modern machines – including breaking many of the encryption algorithms currently used to protect sensitive data such as personal, trade, and state secrets.
While quantum computers are still in their infancy, incredibly expensive and fraught with problems, officials say efforts to protect the country from this long-term danger need to begin right now. In a presentation made last week by Dustin Moody, a mathematician at the National Institute of Standards and Technology (NIST), he noted:
“The threat is that they copy down your encrypted data and hold on to it until they have a quantum computer. The threat of a nation-state adversary getting a large quantum computer and being able to access your information is real. Adversaries and nation states are likely doing it. It’s a very real threat that governments are aware of. They’re taking it seriously and they’re preparing for it. That’s what our project is doing”.
And if you still did not “get it” he’s talking about the Chinese.
He went on to say that faced with this “harvest now and decrypt later” strategy, officials are trying to develop and deploy new encryption algorithms to protect secrets against an emerging class of powerful machines. That includes the Department of Homeland Security, which says it is leading a long and difficult transition to what is known as post-quantum cryptography.
Now, to be fair, this is actually EXACTLY what the U.S. is doing with its PRISM program and what the UK is doing with its Tempora program – extracting Internet communications (including directly from fibre-optic cables) so these can be processed and searched at a later time when quantum computing becomes available.
Although there may be a slight difference between the West and the East. Western intelligence knows the Chinese authorities are recording everything said on the Internet, even if it is encrypted, for that future use, given we might be only a decade or so away from quantum computing capabilities that would decrypt traditional public-key encryption on the Internet. And, no, that suggestion is not too fanciful, given the current quantum developments.
But what might be different is that with current technology Western agencies can record up to 5 days of much of the world’s Internet traffic for analysis. The Chinese state’s willingness and capacity to do something way beyond that level shows they want to exceed the West’s ambitions.
When we were at the quantum computing summit in Zurich earlier this year, most experts said it could still be a decade or more before quantum computers are able to accomplish anything useful. But with the spike of money pouring into the field in both China and the US, the race is on to make it happen — and to design better protections against quantum attacks. The U.S., through NIST, has been holding a contest since 2016 that aims to produce the first quantum-computer-proof algorithms by 2024.
But as we noted after that conference, transitioning to new cryptography is a notoriously tricky and lengthy task, and one it’s easy to ignore until it’s too late. It can be difficult to get for-profit organizations to spend on an abstract future threat years before that threat becomes reality. If organizations aren’t thinking about the transition now, and then they become overwhelmed by the time the NIST process has been completed and the sense of urgency is there, it increases the risk of accidental incidents. Rushing any such transition is never a good idea.
But … ya gotta make a buck someplace. As more organizations begin to consider the looming threat, a small and energetic industry has sprouted up, with companies already selling products that promise post-quantum cryptography. Experts at the Zurich event screamed “don’t buy them” because there is still no consensus about how such systems will need to work. Organizations need to wait until strong, standardized commercial solutions are available that implement the upcoming NIST recommendations to ensure interoperability as well as solutions that are strongly vetted and globally acceptable.
But many experts are pessimistic about how the transition will go. If it takes a long time for quantum computers to get to the point where they can solve a useful problem, I think companies will forget the hype and implement the weakest thing that comes out of NIST until they are suddenly reminded of the problem in 30 years. And that is exactly the scenario U.S. national security officials want to avoid.
