Quantum computers are still under development and seen as future technology, but they already cause danger to our encrypted data.
Seeing a high potential to be able to crack cryptographic keys in the long-term, cybercriminals are intensifying what are known as “harvest now, decrypt later” attacks to accumulate huge quantities of encrypted data and decrypt them once quantum technology is developed enough.
“Current encryption systems are still hard to break, so they are beneficial for ensuring your privacy. Nevertheless, cybercriminals already target encrypted data even if they cannot crack the decryption. Even though quantum computing is still in the future, it will take years until the global community adapts to the new standard of encryption, so we have to plan the transition to quantum-resistant algorithms now,” says Marijus Briedis, CTO at NordVPN.
While most cybercriminals are looking for a fast profit, “harvest now, decrypt later” attacks are usually delivered by high-profile hackers and target long-term-use information holders like state actors, the military, prominent enterprises, or other highly valuable targets. However, experts say that with the development of quantum technology, interest in encrypted data will only rise, and the scope of potential targets will increase.
Encrypted data can be stolen via transmission or from storage. Thus both ways should be addressed. As regards transmission, a virtual private network (VPN) encrypts transmitted data and is sufficient technology at this point. But in post-quantum cybersecurity, more than current encryption is needed.
“Quantum-safe VPN is a reality. It should be based on post-quantum cryptography with unique algorithms that enhance encryption to a level that makes the tunnel between the sender and receiver difficult to break even for quantum computers. We are now testing our technologies to make it work, and soon we can expect properly working post-quantum encryption on VPN,” says Briedis.
The same challenges are ahead in terms of data storage. All data storage, servers, and cloud services must adjust to post-quantum reality.
“There are a number of directions technology companies are experimenting with quantum-safe storage services. One of the options is having ‘truly random’ encryption keys that would ensure post-quantum encryption,” says Briedis.
While it will take at least a couple of years to adopt new quantum-resistant algorithms, users can take the following steps now:
Minimize risk of breaches of encrypted data. This risk can be minimized by using micro-segmentation and rotating encryption keys for each data classification, keeping software up to date, and increasing resilience to phishing and other social engineering attacks.
Increase the level of encryption. Organisations that store data on trade secrets, medical records, national security, or other high-value information on far-horizon projects should strengthen encryption algorithms even if they will not reach the level of post-quantum resilience.
“Transition does not mean that we have to switch from current to post-quantum cryptography overnight. At this point, the right approach would be combining both traditional algorithms and post-quantum algorithms into a single mechanism, instead of replacing existing ones with questionable and underdeveloped new alternatives,” says Briedis.
Take steps towards crypto-agility. Adapting infrastructure will be a considerable part of the work of mitigating post-quantum cryptography. Increasing crypto-agility now will make this adaptation simpler.