McAfee’s chief technology officer warned that it’s time for companies to start worrying about quantum computing attacks that can break common forms of encryption available today, even if quantum computing isn’t going to be practical for a while.
Steve Grobman, CTO of the cybersecurity firm, made the remarks in a keynote address at RSA, the big security conference in San Francisco this week.
Is it important to protect today’s data from attacks that may be completed in the future?, Grobman asked. He noted that National Archives files related to national security from the Kennedy assassination nearly 60 years ago still have redactions for current national security risks today.
“We need quantum-resistant algorithms as soon as possible,” Grobman said.
Cloud computing is sweeping through the industry, and it will enable the use of quantum computing. And that’s a problem, as quantum computers may be able to break encryption techniques such as RSA encryption much faster than traditional computers can. Typically, encryption techniques make it easy to encode data but hugely difficult to decode it without the use of a special key. The security is possible only because of the huge amount of time it takes for a classical computer to do the computations.
Binary digits — ones and zeroes — are the basic components of information in classical computers. Quantum bits, or qubits, are built on a much smaller scale. And qubits can be in a state of 0, 1, or both at any given time. These computers can handle extremely complex calculations in parallel, but they require a huge amount of manufacturing precision just to be accurate. Quantum computers could be used to achieve breakthroughs in biology, chemistry, physics, and even cybersecurity.
Companies like Intel and IBM are working on improving the speed, accuracy, and cost. But it may take years before the improvements take hold and give quantum computing a chance to beat classical computers. If the quantum computing speeds up dramatically and arrives sooner than expected at practical prices, then the safety of today’s encryption techniques will be compromised, Grobman said.
“I’m realistic enough to know that nation-states will use quantum to break our public key cryptography system,” Grobman said. “Now I know what you are thinking: Quantum is not coming anytime soon. But we can’t think of quantum in terms of eventually or tomorrow. Because quantum is a real risk today. You must assume that adversaries are already accessing your most sensitive data. It’s encrypted, but they still find it valuable. They’re not worried about [decrypting] it today. They’re counting on quantum to do that in the future.”
Grobman said cybercriminals can siphon off data today and unlock it when quantum cryptoanalysis becomes practical, he said. So companies have to consider the sensitivity of their data and how long it must be protected. For names matched to social security numbers, that’s a long time, as an example.
Grobman noted that the federal budget for quantum computing research is just $30 million. That’s 0.006% of the federal budget to solve a problem that is a threat to national security. Selecting the right algorithm isn’t easy, as 69 replacement algorithms have been proposed and 12 were broken or attacked within three weeks. After three years, the field has been narrowed to 26. Government and industry need to work together to retool systems that are based on quantum-vulnerable attacks, Grobman said.
“Let’s all commit to build post-quantum action plans that measure time and impact sensitivity so we’re ready to migrate systems,” Grobman said.
Meanwhile, Grobman also said that companies have to be aware of “cloud-native threats.” These are designed to attack the unique technical nature of the cloud. Cloud computing architects snap together new building blocks that build sophisticated technologies. But configuration errors happen, and since such systems are based on public networks, those errors open the door to catastrophic attacks. Some epidemiologists made this mistake, he said, and it exposed their data to the whole internet.
Grobman also compared how fast computer viruses spread to biological viruses such as the flu. He noted how, just a few years ago, the EternalBlue computer virus spread around the globe infecting a quarter of a million machines in 150, going “from an epidemic to a pandemic in one day.” But like the flu, those infections come back every year because a significant number of machines still aren’t patched.
The ability of computer malware creators to create variants exacerbates the severity of attacks. The CurveBall vulnerability this year can be exploited with just 10 lines of code. That makes it easy to use and create variants. The barrier for causing havoc is far lower today, exacerbating the challenge of fighting off the attacks. One attack, SHA-1 collision, in 2017 took 6,610 years of processor time to orchestrate an attack. Today, it can be done in less than 60 seconds. That puts digital signatures using hashes are at risk, Grobman said. Patching against such problems helps, but the implementation of patches across an entire user base is difficult.
On Monday, McAfee acquired Light Point Security to bring its browser isolation technology to its cloud security solution.