The next major threat to cybersecurity is quantum hacking
Yahoo, eBay, Equifax, Target Store and Uber. What exactly do these big businesses have in common? These five businesses have been the targets of the largest data breaches in the 21st century. The breaches affected 3 billion accounts at Yahoo, 145 million users at eBay, the personal information of 143 million users at Equifax, 110 million customers at Target Store, and 57 million Uber users and drivers (Stage2Data, 2022). Even routine data breaches can be costly, especially when taking into consideration the loss of reputation and consumers, which can cost businesses hundreds of millions of dollars.
As terrifying as that may sound, the past might only have been the prelude. The RSA cryptosystem, which was developed in the 1970s and uses very large prime numbers to generate the public keys that form the cornerstone of the security protocol for data transmitted between Internet apps, has proven comparatively efficient since that time. Peter Shor of Bell Labs demonstrated in a study released in 1994 how a quantum algorithm may break the RSA cryptosystem, although machines that can execute such an algorithm have not yet been constructed. The RSA cryptosystem is therefore still functional because bigger public keys have been created faster than computers have become faster.
It is unlikely to persist in that state for very long. Scientists are getting closer to building a quantum computer, a novel type of device that can perform calculations that take hundreds of years on the fastest conventional supercomputers. These tools will make it possible for hackers to break public-key encryption and compromise the security of practically any encrypted system or device. The precise timing of a Cyber Doomsday brought on by quantum computing is uncertain, but it may arrive within the next ten years.
The development of quantum computing hardware is advancing swiftly; according to BCG studies, 75% of the $1.3 billion in private equity investment in the field since 2018 has gone toward hardware research. Governments have also announced investments totalling more than $20 billion since 2013 to create quantum systems (The Sun, 2022). Because of this, the rate of advances in quantum hardware has recently increased.
Mega data breaches will increase in frequency in the not-too-distant future. Because hackers would be able to use the technology to decrypt data they have previously taken, quantum computers will also revive the hazards from previous breaches. Post-quantum data security will be required by both B2B and B2C clients, and businesses that cannot deliver it risk losing their operating permits. The notion of Years to Quantum, or Y2Q, has arisen because of this impending threat.
In reality, the Cloud Security Alliance has established a Y2Q countdown clock and has arbitrarily set April 14, 2030, as the date by which the global IT infrastructure must be upgraded to counter the Y2Q danger. This recalls the global Y2K effort, which encouraged the substitution of two-digit year codes with four-digit ones by December 31, 1999, to prevent computers from misinterpreting the year as 1900 and bringing the entire world to a standstill. Y2K and Y2Q are different: while Y2K's timing was known but its impact was uncertain, Y2Q's timing is unknown but its impact may be predicted.
Three different types of countermeasures against quantum hackers are already in the works:
• Post-quantum cryptography is the creation of fresh encryption methods resistant to quantum computing.
• Quantum key distribution uses a global network of optical links and quantum physics to randomly distribute keys among users.
• Air-gapping is essentially cutting off networks from the internet but is probably unfeasible.
The most practical choice for organisations will likely be post-quantum cryptography, which will replace current encryption techniques with fewer modifications to the computing environment. Businesses will still find it challenging to navigate the changes. The transition's length and the need for continuous software updates will increase the difficulty.
Businesses must react now, but doing so too soon could backfire as well. CEOs must balance the difficult trade-offs between the hazards of not taking sufficient preventive action and the expenses of spending excessively to guard against a future threat that is still in its infancy.
The ideal method for dealing with the Y2Q problem is to establish “crypto-agility,” the capacity to swiftly switch between cryptographic standards, put into practice the best solutions at any given time, and be ready for future modifications. Only crypto agility can assist businesses in limiting the impact of quantum assaults, preventing them, and recovering more quickly from them. Additionally, it will allow businesses to reduce the costs of addressing the issue, which could total hundreds of billions of dollars across industries and range from operational losses brought on by cybersecurity problems to investments in the replacement of vulnerable equipment and protocol upgrades.
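One way the crypto-agility idea above can look in code (an added example, not from the original article): every protected record names its algorithm, and a policy object decides which algorithm protects new data and which are still accepted. The names Policy, protect, verify and migrate are hypothetical, and the two HMAC variants are stand-ins for whichever classical and post-quantum primitives an organisation would actually swap.

```python
import hashlib
import hmac

# Registry of swappable algorithms. The HMAC variants are stand-ins (an
# assumption of this example) for whatever primitives a deployment uses.
REGISTRY = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}

class Policy:
    """Names the algorithm for new data and those still accepted."""

    def __init__(self, current, accepted=()):
        self.current = current
        self.accepted = set(accepted) | {current}

def _tag(alg, key, message):
    # Bind the algorithm id into the MAC input so an envelope cannot be
    # relabelled as a different algorithm.
    data = alg.encode() + b"\x00" + message
    return hmac.new(key, data, REGISTRY[alg]).hexdigest()

def protect(policy, key, message):
    """Wrap message in an envelope that records the algorithm used."""
    alg = policy.current
    return {"alg": alg, "msg": message, "tag": _tag(alg, key, message)}

def verify(policy, key, env):
    """Return (valid, needs_migration); policy decides what is accepted."""
    alg = env.get("alg")
    if alg not in REGISTRY or alg not in policy.accepted:
        return False, False
    valid = hmac.compare_digest(env["tag"], _tag(alg, key, env["msg"]))
    return valid, valid and alg != policy.current

def migrate(policy, key, env):
    """Re-protect a valid legacy envelope under the current algorithm."""
    valid, stale = verify(policy, key, env)
    if not valid:
        raise ValueError("refusing to migrate unverifiable data")
    return protect(policy, key, env["msg"]) if stale else env

KEY = b"constructed-demo-key"  # constructed sample values
OLD = Policy("hmac-sha256")
NEW = Policy("hmac-sha512", accepted={"hmac-sha256"})  # transition period
FINAL = Policy("hmac-sha512")  # legacy algorithm retired
```

Switching standards is then a policy change: records made under OLD verify under NEW and are flagged for migration, and once FINAL is in force anything still carrying the retired algorithm is rejected.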
Four steps are required for a business to develop its crypto agility:
1. Inform the board and top management of the Y2Q issue.
Businesses need to prioritise cybersecurity. They must entrust the task of monitoring quantum computing breakthroughs to a team that reports frequently to the board and top management and is managed by a senior executive like the CIO or CISO. This will guarantee that when quantum computing arrives, the emphasis will be on remediation rather than organisational difficulties. In industries like finance, where risks are higher because of the nature of the firm and its reliance on data, doing this will be crucial. While Nomura Group has developed a global organisational framework to handle security in a post-quantum future, BNP and JPMorgan Chase are already collaborating with quantum computing startups on risk mitigation techniques.
2. Establish priorities and make plans.
By creating a list of connected assets, frequently assessing the worth of its data pools, and assessing its vulnerability to new crypto standards, every organisation must map its Y2Q risks. It needs to create a roadmap of its priorities and strike a balance between the value of the data it has gathered and the cost of safeguarding it. For instance, the U.S. Department of Homeland Security has posted the blueprint for such a roadmap online along with additional resources.
3. Plan, test, and evaluate crypto agility.
Organisations must simulate Y2Q scenarios, including the impact on their P&L, and create countermeasures. To ensure that the entire organisation has visibility into the difficulty from the start, they must coordinate these exercises with their business units. Executives must stress-test pilots in addition to developing them to better understand the issue and assess their crypto-agility. Companies would do well to use these simulations, which have been built by digital behemoths like Google, IDQ, and Toshiba as enhancements to Transport Layer Security that any organisation may use to verify its preparedness against a quantum attacker.
4. Work together with competitors and the environment.
Leaders should take a cooperative approach to build crypto agility, engaging with peers, and involving stakeholders including academics, the government, and digital entrepreneurs. Y2Q will not discriminate between enterprises. With this strategy, businesses will be able to pool development expenses, adapt to the shifting business environment more quickly, produce more effective Y2Q plans, and offer solid policy advice. For instance, 24 Japanese corporations formed the industry council Q Star in September 2021 to comprehend, shape, and support business efforts to address the Y2Q issue.
In conclusion
Once quantum computers become a reality, dealing with cybersecurity will not be simple for businesses. CEOs have no choice but to begin planning how to handle an impending threat. Business leaders are likely to find methods to withstand the Y2Q challenge if they take swift and decisive actions. They must keep in mind, though, that the quantum clock is already running.
The Sun Daily. (2022, October 7). Biden hails IBM’s US$20B investment announcement. www.thesundaily.my. Retrieved December 6, 2022, from https://www.thesundaily.my/home/biden-hails-ibm-s-us-20b-investment-announcement-KM9934738
Stage2Data. (2022). Five of the Biggest Data Breaches of the 21st century. Retrieved December 6, 2022, from: https://stage2data.com/five-of-the-biggest-data-breaches-of-the-21st-century/