Protecting data now as the quantum era approaches
Startup QuSecure is the latest vendor to jump into the field with its as-a-service offering
Analysis Startup QuSecure will this week introduce a service aimed at addressing how to safeguard cybersecurity once quantum computing renders current public key encryption technologies vulnerable.
It's unclear when quantum computers will easily crack classical crypto – estimates range from three to five years to never – but conventional wisdom is that now's the time to start preparing to ensure data remains encrypted.
A growing list of established vendors like IBM and Google and smaller startups – Quantum Xchange and Quantinuum, among others – have worked on this for several years. QuSecure, which is launching this week after three years in stealth mode, will offer a fully managed service approach with QuProtect, which is designed to not only secure data now against conventional threats but also against future attacks from nation-states and bad actors leveraging quantum systems.
"The current and near-term capability in quantum computing, which would allow for the decryption, is the big threat," Mike Brown, a retired Navy rear admiral and former senior cybersecurity specialist with the Department of Defense (DoD) and Homeland Security (DHS), told The Register. "That's what we've been talking about for years."
Brown, founder and president of security consultancy Spinnaker Security, who now onsults with QuSecure and other companies, said there has been steady progress in building up the capabilities of quantum computers in the US and abroad. He points out that nation-states with a checkered history in cyberspace, such as China, are spending huge sums and mounting massive efforts to develop such systems.
Steal now, decrypt later
A key worry is what is known as "steal now, decrypt later," QuSecure co-founder and COO Skip Sanzeri told The Register.
"This is the biggest problem, where data gets exfiltrated and it sits on servers waiting to be decrypted. If that data has 50 or 75 years of life left in its value [and] you crack it in 10 years, that's 40 to 65 years of value. This is the problem," Sanzeri said.
"This is why things need to happen. We're getting a lot of inbound inquiries from both federal and commercial [entities]. We've got pilots going across both sides of it. People are now starting to take it seriously."
Warning: China planning to swipe a bunch of data soon so quantum computers can decrypt it laterREAD MORE
The Biden Administration earlier this month issued a national security memorandum to address quantum computing and security, including ordering federal agencies to begin a multi-year process of migrating computer systems to quantum-resistant cryptography.
In addition, a bipartisan bill – dubbed the Endless Frontiers Act – calls for spending $100 billion on emerging technologies, including quantum computing and artificial intelligence, to close the innovation gap with China. The bill is moving through Congress.
Another bill, the Quantum Computing Cybersecurity Preparedness Act, is also finding bipartisan support to ensure that government systems adopt post-quantum cryptography by securing systems with algorithms and encryption that will be difficult for even quantum computers to break.
The USA's National Institute of Standards and Technology (NIST) is undergoing a multi-year process of setting such standards, with the hopes of publishing those by 2024.
The promise of quantum
Quantum computers promise to solve problems that are out of reach of today's supercomputers.
Classical computing elements are bits, which can be either 0 or 1. Quantum computing uses qubits, can be 0, 1 or any combination – what's referred to as a superposition. The concern is quantum systems will easily be able to break encryption methods that would take the most powerful machines today years to crack.
Like other vendors, QuSecure is working to address these challenges. It's QuProtect as-a-service architecture includes a software suite that combines zero-trust, post-quantum cryptography, quantum-strength keys and active defense. It leverages Quantum Random Number Generation (QRNG) to create truer randomness in the encryption keys, which is central to secure encryption because patterns in keys can often be detected by cryptanalysts.
The architecture also relies on a proprietary technique that enables QuSecure to get this protection out to the various endpoints, from on-premises servers and web browsers to the Internet of Things and the edge, while also ensuring the security of the networks that data traverses.
"We now have a way to create a quantum channel without putting software out on all these devices," Sanzeri said. "This method that we've discovered and are using ... allows us to create quantum channels rapidly between any end devices. If you think of IoT and edge, a lot of time those little sensors don't have any storage capacity, almost no compute capacity aside from doing the one job they do. But we can still secure those."
That said, if an enterprise or government agency needed to keep its data behind a firewall, QuSecure will manage it on-premises or in a private cloud.
QuSecure also built software interfaces, a UI and protocol switch and developed the ability to send encryption keys. It also partners with companies like Quintessence Labs and ID Quantique for QRNG.
In addition, it has what Sanzeri called "crypto agility." The architecture is optimized for all the algorithm finalists in the NIST program, so it doesn't matter which ones the organization eventually chooses, it will be supported by the QuSecure service.