Harvest Now, Decrypt Later? The Truth Behind This Common Quantum Theory
Is the Sky Really Falling?
To many, the term “quantum computing” equates to a world of new possibilities. What started as a theoretical curiosity is now touted as the future of IT. With quantum, there will be lightning fast processing of information and computers will be able to answer problems previously thought of as unsolvable.
But like the children’s fable Chicken Little, once you get past the hype, there is a significant level of trepidation.
One day Henny-penny was picking up corn in the rickyard when—whack!—an acorn hit her upon the head. “Goodness gracious me!” said Henny-penny, “the sky’s a-going to fall; I must go and tell the King.”
The sky is falling? Arguably, some would choose to take this to dispute.
The foundation behind this fear, uncertainty, and doubt (FUD) revolves around the future threat that quantum computers have for existing data. Commonly referred to as Harvest Now, Decrypt Later (HNDL), this theory centers on concerns that a nation-state will gain access to currently encrypted data and then decrypt it at a later time using a quantum computer.
According to a recent Deloitte poll regarding quantum computing, slightly over half of those responding believe that their organizations are at risk for HNDL cybersecurity attacks.
Digging deeper into this theory requires an examination of several basic assumptions:
The First Acorn: When will Functional Quantum Computers Exist?
There are a multitude of predictions, and to be clear, these are all opinions and theories. We simply don’t know when quantum computers will be usable for HNDL attacks (if ever).
Current groupthink estimates between 3-10 years. Accordingly, the U.S. government has issued a response. Said Dustin Moody, computer security mathematician at NIST. “The White House has put out some national security memos to ensure that government agencies are aware of the quantum threat and that they are making plans.”
Regardless of when these breakthroughs occur, it is undisputed that the overall value of quantum computing is driving research at an accelerated pace. In their quarterly report “A Game Plan for Quantum Computing”, Mckinsey & Company notes, “Quantum is not just an iterative technology that enables marginal improvements. It has the potential to be both transformative and disruptive.
The uncertainty around the timing of functional quantum computing is compounded by political agendas and a lack of information sharing. Nation-states driving innovation are not necessarily forthcoming in their research and progress. These entities and state secrets punctuate uncertainty, as we are not able to accurately predict when and if someone will have a quantum computer capable of brute-force decryption.
A Bigger Acorn: Will a Nation-state Use Valuable Computing Time on Decryption?
Undoubtedly, the first quantum computers will be extremely valuable. But as with any technology, the value will be owner-dependent and will vary according to context. In other words, what will quantum capabilities be used for and why?
World events and political landscapes determine where and how countries choose to align their resources. This type of purpose and its relevancy will likely be one of the drivers in determining if and how a nation-state chooses to employ its quantum resources for purposes such as decryption.
The decision to decrypt will also likely depend on the type of encrypted information held. In a nation-state focused on disrupting national security, encrypted data holding enemy secrets will take on a higher priority when determining how to allocate quantum resources.
Ultimately, it will be up to the owner of the technology to determine if and how they will use this computing power. Will it be used to solve complex computing problems or they will use it for malicious activities including the decryption of adversary data? We can hypothesize, and conjecture can cause us to spiral.
That said, would decrypting the location of the entire U.S. arsenal of nuclear weapons in 2022 be valuable to an adversary in 2026? We tend to believe so.
Which Acorns? What Data is Valuable Enough for a Nation-state to Use a Quantum Computer On?
Another critical factor governing where entities choose to deploy quantum capabilities is the relevancy of the data. In other words, how valuable is the information to the current climate given its type, age, and lifespan?
In a Presidential National Security Memo, the White House said that quantum computing could “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most internet-based financial transactions.”
Clearly, this presents a massive amount of data for a potential attack.
Given this scope, an important question to consider is “will your data be useful to a nation-state in 3-10 years”? This will likely be industry-dependent. Yet although government and industry often differ in their definition of “important data”, the threat is evident in both. Again, looking at the type, age, and lifespan of the data will provide the necessary guidance on where these threats are most critical.
Would China like to know all the oil deposits in Africa or Asia? Probably. Credit card transactions from three years ago? Probably not.
Pattern Distribution of Acorns: Will the Data be Shared with Those Who Can Use It?
The user of this data is critical in determining its value. It is only by providing data to the appropriate personnel that it can be optimally utilized. Information maintained by someone who lacks the ability to understand and interpret it is generally considered irrelevant. Furthermore, information bias can occur when information is interpreted inaccurately.
Just because a state holds encrypted information does not ensure that it will ever be exploited. It must be provided and utilized by the appropriate entities for it to become a threat. If sensitive information is not shared with the group that can understand its purpose, it becomes difficult to ever use it for any purpose. The information simply loses its value.
It is unlikely that we will be able to predict with full accuracy the level and type of malicious activities nation-states may execute using HNDL data. Put another way, state secrets are only truly valuable if they stay secret. Looking at U.S. efforts in WWII to obscure that the Axis powers’ codes were broken, you’ll see that there’s a lot of effort to use code-broken intelligence effectively.
I’ve Got your Data: There’s Not a Lot You Can Actually Do.
The flip side of assumption 4 is that an adversary may already have all your data, and by the time it is decrypted, there’s not a lot you can do about it.
For some companies with heavy R&D investments, the future value their information holds can result in a serious loss of value. For example, a company creates a cancer drug and gets it through trials, and brings it to market with great fanfare. The same day, a generic is released in Asia, selling at 20 percent of the branded drug. The loss of intellectual property has a clear impact on the bottom line of the organization both now and in the future.
Government and its associated entities face a similar challenge. Losing strategic or proprietary information now can be quite costly a few years from now and can result in security setbacks that have long-lasting effects.
Both of these examples represent an ideal HNDL attack in that they affect a given nation and are valuable enough to warrant time on the quantum computer.
You Never Know You’re Nuts: Assuming Quantum Computer Time is Limited.
It is feasible to assume that quantum computer resources will be limited at first. However, the reality is that we have no idea whether or not this will actually hold true. Hardware limitations could likely impose constraints on the availability of quantum resources, but the evolutionary nature of technology and manufacturing has the potential to quickly redefine this rule.
The disruptive power behind quantum technology means that its boundaries are still being uncovered. Like all evolving technologies, there will be a series of adoptions that will flush out some of its initial limitations. The rate at which it evolves will change over time.
Will quantum be limited at its onset? We feel it is likely, but the unknown truth undoubtedly leaves higher risks.
To The Naysayers.
It is important to note, that although quantum computing is underway, the fanfare could be unwarranted. Each one of these assumptions may be incorrect and quantum computers may never break encryption or even become functional. The penalty for guessing wrong, however, has the potential to be steep.
Says Colin Soutar, managing director at Deloitte Risk & Financial Advisory, “It’s encouraging to see that so many of the organizations with quantum computing awareness are similarly aware of the security implications that the emerging technology presents,” “But, it’s important to note that ‘harvest now, decrypt later’ attacks are something all organizations — whether or not they’re considering leveraging quantum computing — stand to face in a post-quantum world.”
More importantly, spending the time, effort, and money to begin modernizing your encryption now is still a worthy goal.
The FUD Scale
So, coming back full circle. On one hand, there is the risk that quantum computers will exist within a few years and be able to break all existing data encryption within minutes. In this scenario, all encryption must change to crypto-agile solutions to secure data from these nation-states now equipped with massive amounts of computing power.
The flip side is that quantum computers will never exist in our lifetimes that can decrypt anything within a reasonable amount of time. Understanding your risk is key.
To err on the side of being prudent is a safer strategy for sure, but ultimately, it is up to you to decide.
On a final note: The story of Chicken Little ends where her oblivion results in all of her friends getting killed. Somehow, despite this, she still lived blissfully ignorant. How that applies here isn’t completely clear to me, but I just thought you should know.