Rethinking cybersecurity for a quantum world
Author: Dr Vikram Sharma
Founder and CEO
QuintessenceLabs
Author: Emeritus Professor Hans Bachor AM FAA
Department of Quantum Science
Australian National University
- The power of quantum computing could threaten the security of our present communication systems.
- These threats could affect how we conduct everyday tasks such as internet banking, online shopping and private teleconference calls.
- However, quantum technology can also be used to mitigate the same threats that it poses, offering opportunities to defend Australians against cyberattacks.
- There are two defence approaches being developed to mitigate the threat of quantum computing: post-quantum cryptography and quantum technology itself. While both approaches are expected to be complementary, this feature focuses on the second option.
- Around the world, research and development in quantum cybersecurity technologies has made considerable progress. A handful of companies have successfully tested and are deploying their technologies.
- The quantum cybersecurity industry is predicted to be worth $820 million in Australia by 2040 and result in the creation of thousands of jobs.
- Australia is well placed to be a global leader in developing quantum cybersecurity technologies.
- For Australians to realise this opportunity and benefit from the advancement of a robust and flourishing quantum cybersecurity industry, we must collectively act to develop quantum literacy amongst decision-makers and consolidate differences in technical standards.
As the Fourth Industrial Revolution dawns, strong cybersecurity to safeguard our digital lives is more critical than ever. In contrast to the first three industrial revolutions, which were largely enabled by single technologies—steam, electricity, and digital technology respectively—the Fourth Industrial Revolution is powered by a combination of several significant scientific and technological innovations. It leverages developments in artificial intelligence, 5G communications, the Internet of Things, quantum computing and other technologies, and promises advances in many facets of our lives.
The Fourth Industrial Revolution is rapidly and dramatically transforming our everyday experience, from enhancing how we connect and interact with each other, to operating enterprises in more sustainable ways. It may even remedy the environmental damage of previous revolutions and allow us to rethink how we organise our societies.
However, as with previous advances, these new systems and processes must be developed in a way that builds community trust. Trust is crucial for maximising the adoption of new technologies and for society to reap the benefits. Gaining and sustaining such trust requires assurance that these new systems are secure enough to protect our sensitive information, such as personal details, commercial transactions, intellectual property, and national security secrets.
Increasing cyberattacks put us all at risk
Over the past decade we have seen growing threats from cybercriminals and malicious state and non-state actors to compromise valuable data. The diminishing costs of launching a cyberattack mean there are larger potential economic gains to be made following a successful breach. The frequency and sophistication of hacking attempts have escalated dramatically in recent years, with 3800 data breaches globally during just the first half of 2019 exposing 4.1 billion records. Unsurprisingly, cyberattacks are among the top 10 long-term risks to global economic stability and social cohesion identified by the World Economic Forum in its 2020 Global Risks Report.
The COVID‑19 pandemic is amplifying these threats as much of the global workforce moves to working from home and we increasingly lead our personal lives online. As current organisational cybersecurity infrastructure has been primarily developed around traditional office-based work patterns, cybersecurity specialists are scrambling to respond to the challenge of a geographically dispersed workforce operating from less secure environments. It is already evident that this trend, which is likely to continue to shape work patterns post-pandemic, offers cybercriminals an opportunity to ramp up malicious cyber activity.
Today’s secure communications technologies, such as data encryption, rely on mathematical complexity to protect data exchanges. Typically, they use mathematical processes that are easy to perform in one direction but hard to compute in the reverse direction. For example, if we wish to multiply two large prime numbers—say 165,181 and 417,953—we can compute the result in a matter of seconds on a simple calculator. However, performing the reverse operation, where you are given the number 69,037,894,493 (known as a semi-prime) and wish to find the prime numbers that multiply together to produce that result, is a difficult task. This process is called factorising. Most contemporary secure communication protocols rely on similar mathematical constructs for their security.
Could more powerful computers in the future break such codes? Yes they could, and this is one of the drivers to develop a new class of computers: quantum computers. Other drivers include the possibility of molecular simulations for drug development and materials design, or sorting and pattern finding in very large, complex and unsorted datasets.
Quantum computers deliver dramatic advances in computational power. They will enable once-unsolvable problems to be solved. For example, in 1994, Peter Shor developed an algorithm that can utilise quantum computing to rapidly factorise large numbers, such as in the example described above.
While large-scale quantum computers capable of factorising the large semi-primes used to secure today’s e-commerce and sensitive communications are still some years away, rapid advances are accompanied by a growing risk to secure communication. Quantum computers will challenge many of the technologies currently used to protect sensitive data. One foundational technology underlying current global e-commerce systems, public key infrastructure, known as PKI, will be significantly impacted and likely broken. The way we conduct our online lives and share sensitive information will be disrupted, putting the security of key industries such as financial services at risk.
Australia’s Chief Scientist, Dr Cathy Foley, stresses the need for timely risk mitigation measures. “Quantum technologies, and quantum computing in particular, will provide great benefit both economically and technologically. However, it will do this with significant disruption, including for current cryptographic algorithms. This will put at risk digital systems and security in key industries such as financial services.
“We are well placed to be prepared for the quantum revolution and introduce quantum risk mitigations early into our governance and business planning so that the quantum revolution has the positive outcomes it promises.”
Science: our defence against future cyberattacks
Analysts have coined the term ‘Q-Day’ to mark the date that quantum computers will compromise public key infrastructure. We have an estimated 5 to 15 years to prepare and implement alternatives.
We urgently need coherent strategies to address the looming threats. Action is required in two broad areas:
- building a quantum cybersecurity ecosystem and developing quantum literacy among decision-makers
- maturing quantum-safe technologies and consolidating different technical standards. We must collectively act to avoid systemic risks to the digital ecosystem.
CEO of the Cyber Security Cooperative Research Centre, Rachael Falk, says “Attackers often have the advantage of speed and agility. Quantum risk is real—that is why organisations need to invest in how to counter threats in ways that are going to make a real difference.”
There are two approaches being pursued to prevent the potential threats of quantum computing. The first is post-quantum algorithms. This cryptographic approach can be implemented on current computers and is expected to be resistant to quantum attacks. A complementary method also being developed leverages quantum technology itself. While the misuse of quantum technology could threaten our ability to encrypt information and securely exchange it, quantum-enabled technology to mitigate these risks already exists.
Building on two decades of academic research, a handful of quantum cybersecurity start-ups around the world have successfully tested and are deploying technologies based on two fundamental concepts of physics: quantum random number generation and quantum key distribution. Quantum-generated random numbers are completely unpredictable and can be used to mitigate attacks that use less secure or imperfectly-generated random numbers. Quantum key distribution leverages the laws of physics and relies on the quantum property that the very act of observing a quantum state changes it—thereby revealing the eavesdropper (hacker).
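As an added illustration (not part of the original article, and not any vendor's product code), the Python sketch below shows how measurement disturbance reveals an eavesdropper on a key-distribution link. It is a classical simulation of the textbook BB84 protocol, which the article does not name; the function names, the fixed seed and the 11% abort threshold are assumptions made for the example.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the bit; the other
    basis yields a uniformly random outcome (the state is disturbed)."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84_qber(n_qubits, eavesdrop, seed=0):
    """Simulate n_qubits BB84 rounds (toy model, noiseless channel).

    Returns (sifted_key_length, error_rate), where the error rate is
    measured on rounds in which sender and receiver used the same basis.
    """
    rng = random.Random(seed)  # fixed seed so the example is repeatable
    sifted = errors = 0
    for _ in range(n_qubits):
        bit, sender_basis = rng.randint(0, 1), rng.randint(0, 1)
        in_flight_bit, in_flight_basis = bit, sender_basis
        if eavesdrop:
            # Intercept-resend: the eavesdropper must guess a basis,
            # and re-sends the state in the basis she measured in.
            eve_basis = rng.randint(0, 1)
            in_flight_bit = measure(in_flight_bit, in_flight_basis,
                                    eve_basis, rng)
            in_flight_basis = eve_basis
        receiver_basis = rng.randint(0, 1)
        received = measure(in_flight_bit, in_flight_basis,
                           receiver_basis, rng)
        if receiver_basis == sender_basis:  # sifting step
            sifted += 1
            errors += received != bit
    return sifted, errors / sifted

def link_is_trusted(error_rate, threshold=0.11):
    """Keep the key only if the observed error rate is below the
    abort threshold (0.11 is an assumed value for this example)."""
    return error_rate < threshold

if __name__ == "__main__":
    for eve in (False, True):
        kept, qber = bb84_qber(20000, eavesdrop=eve)
        print(f"eavesdropper={eve} sifted={kept} error_rate={qber:.3f} "
              f"trusted={link_is_trusted(qber)}")
```

On the noiseless toy channel the error rate is exactly zero without interception and close to 25% with it, so the two parties discard the key instead of using it.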
Head of the Centre for Cybersecurity at the World Economic Forum, William Dixon, urges coordinated action. “The security community is facing a number of systemic challenges posed by next-generation technology. While the misuse of quantum technology could threaten our ability to encrypt information and securely exchange it, quantum-enabled technology which can mitigate these risks exists today.
“What we need is collective action at a global level, to build the right governance that can incentivise the development and adoption of quantum security technology across the global ecosystem.”
Science is the solution—how do we implement it?
To keep sensitive data secure, we must ensure we can migrate to new quantum-safe technology before ‘Q-Day’ arrives: that is, in less than 5 to 15 years. If we match the timelines on quantum-safe cybersecurity roadmaps with this guidance, we can effectively mitigate the threat of a quantum-enabled adversary.
Considerable progress has already been made. The National Institute of Standards and Technology (NIST) in the United States has been running a competition to find post-quantum cryptographic algorithms that are expected to resist both conventional and quantum attacks. Selection of one or more recommended algorithms is expected around 2023.
Technology to mitigate future cyberattacks is not the limiting step to a secure future. We need collective action at a global level to build the right governance that can incentivise development and adoption of quantum security technology across the global ecosystem.
Australia is well placed to grasp this opportunity
Quantum cybersecurity offers Australia the opportunity to develop a new, high-growth industry. CSIRO recently released a report on quantum technologies in which it forecasts an $86 billion global market by 2040, within which quantum communications and cybersecurity are expected to contribute $16 billion. Australia’s opportunity is predicted to be worth $820 million and result in the creation of thousands of jobs.
Commitment to growing this new industry sector could be showcased through a flagship science and technology initiative. Leveraging the NBN, a Sydney–Canberra–Melbourne quantum-secured network could be an exemplar of Australian-produced quantum key distribution—a world-first demonstration of this technology at scale. In contrast to most international cases, this type of quantum key distribution is compatible with existing Australian commercial optical communications networks and equipment. Harnessing existing infrastructure can deliver superior cost vs performance metrics.
Australia has the opportunity to strengthen conventional secure communications by combining them with quantum-resistant technologies today and into a quantum-enabled future. This would revolutionise the way we securely share information.
Australia is well positioned to contribute significantly to the development and growth of the sector by combining excellence in academic research, support from defence organisations and world-leading innovations from the Australian start-up community. This will provide important societal benefits and economic value. To achieve this, we must commit to growing our quantum technology industry and continue to support our high-quality research. As we seek to accelerate industries of the future, quantum cybersecurity offers a great opportunity for financial investment and policy support to create economic value and high-quality jobs, and to secure our digital lives.
This article has been peer reviewed by the following experts: Professor Andrew White FAA Director, Australian Research Council Centre of Excellence for Engineering Quantum Systems (EQUS); Rachael Falk CEO, Cyber Security Cooperative Research Centre; Michelle Price CEO, AustCyber.