Last week Russian scientists presented a new quantum computer, proclaiming this machine is the "most powerful in Russia today." Should we be worried?
Perhaps not if we’re talking about the tiny 16-qubit system from Russia. But, on the other hand, the quantum race is gaining momentum, and some quantum computers are already quite advanced. While artificial intelligence (AI) stole all the thunder from the quantum revolution, post-quantum cybersecurity and privacy threats require our attention.
Keep in mind that every new development in the field of quantum computers triggers cybercriminals' interest in data that is now safe under encryption.
Eagerness to harvest now
First of all, let me highlight that despite the growing capabilities of quantum computers, current encryption systems are still hard to break. This is why they are beneficial for ensuring your privacy and will remain essential for our cybersecurity for years.
Nevertheless, seeing the development of quantum computers and the high potential to be able to crack cryptographic keys in the long term, cybercriminals are intensifying what is known as "harvest now, decrypt later" attacks. Simply put, they are trying to accumulate huge quantities of encrypted data and decrypt them once quantum technology is developed.
The question is: where are we now and how can we prepare?
Marijus Briedis, CTO at NordVPN
The good news (if I may say so) is that most cybercriminals are looking for a fast profit, so stealing encrypted data is not among the most prevalent cybercrimes. At the same time, "harvest now, decrypt later" attacks are usually delivered by high-profile hackers and target long-term-use information holders like state actors, the military, prominent enterprises, or other highly valuable targets.
However, with the development of quantum technology, interest in encrypted data will only rise, and the scope of potential targets will increase. The question is: where are we now and how can we prepare?
Services go quantum
Encrypted data can be stolen via transmission or from storage. Both ways should be addressed, and cybersecurity companies are looking for solutions in both directions.
In terms of transmission, a virtual private network (VPN) encrypts transmitted data and is sufficient technology at this point. But in post-quantum cybersecurity, more than the current encryption is needed. It should be based on post-quantum cryptography with unique algorithms that enhance encryption to a level that makes the tunnel between the sender and receiver challenging to break even for quantum computers.
NordVPN is one of the top VPN services on the market, boasting great commitment in data security with features like Double VPN, strong AES-256-GCM encryption, and perfect forward secrecy to regularly change keys. Read our full review to know more.
Quantum-safe VPN is going to be a reality soon. We are now testing our technologies to make it work, and we believe that soon we will have adequately working post-quantum encryption on VPN.
The same challenges await us in terms of data storage. All data storage, servers, and cloud services must adjust to the post-quantum reality.
There are some new directions technology companies are experimenting with quantum-safe storage services. One of the perspectives which we are exploring is having “truly random” encryption keys that would ensure post-quantum encryption.
Recipe: Combine traditional and post-quantum algorithms
Even though quantum computing is still the future and the quantum level of encryption is already on the way, it will take years until the global community adapts to the new encryption standard, so we have to plan the transition to quantum-resistant algorithms now. What should we keep in mind while designing this significant change?
Firstly, there is a harmful approach that strengthening traditional encryption now is unnecessary because we should wait for quantum-safe encryption. Transition does not mean that we have to switch from current to post-quantum cryptography overnight. At this point, the right approach would be combining both traditional algorithms and post-quantum algorithms into a single mechanism instead of replacing existing ones with questionable and underdeveloped new alternatives.
This is why organizations that store data on trade secrets, medical records, national security, or other high-value information on far-horizon projects should strengthen encryption algorithms even if they will not reach the level of post-quantum resilience.
Secondly, we should take steps towards crypto-agility. Adapting infrastructure will be a considerable part of mitigating post-quantum cryptography. Increasing crypto-agility now will make this adaptation simpler.
Finally, to increase long-term resilience towards "harvest now, decrypt later" attacks, you have to minimize the risk of breaches of encrypted data. This risk can be minimized by using micro-segmentation and rotating encryption keys for each data classification, keeping software up to date, and increasing resilience to phishing and other social engineering attacks.
The less cybercriminals harvest now, the less they will decrypt later.
