Dark Reading Confidential: Quantum Has Landed, So Now What?

Becky Bracken, senior editor, Dark Reading

Hello and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading focused on bringing you real world stories from inside the cyber trenches. My name is Becky Bracken. I'm an editor with Dark Reading. And today I am joined by Dark Reading's editor-in-chief, Kelly Jackson Higgins for our new episode, “Quantum Has Landed: So Now What?”

 Hello, Kelly.

Kelly Jackson Higgins, editor-in-chief, Dark Reading  

Hi, Becky. Thank you.

Becky Bracken

So why don't you give us just a little overview? We've had many discussions in developing this concept. Tell us why you think that this is important for us to talk about right now.

Kelly Jackson Higgins

Absolutely, it is really important we take on this topic right now.

Even though quantum computing itself isn't really a reality yet in most organizations, obviously, but there are concerns in the cybersecurity community about how cyber criminals, nation states could sort of abuse the technology down the pike to crack today's encryption algorithms that we use for email, VPNs, digital certificates, et cetera, or even to crack stolen encrypted data later time using quantum technology.

Albeit futuristic sounding, we still think it's really important issue and there seems to be this sort of rare opportunity for defenders to kind of get ahead of the threat for once. So rather being reactive, being more proactive. I'm really looking forward to our discussion today and kind of digging into that.

Becky Bracken

I think that it's important for us to note that when we were prepping for this discussion, we were hunting high and low for a practitioner who was really actively working on this, and we came up empty handed. So, part of the issue I think is that the cyber community isn't really yet comfortable talking about quantum. It's not easy to understand. It's not really very easy to explain. And this is particularly true in shops that are constantly dealing with threats that are happening today rather than threats that may happen down the line.

So, this month we want to break this down to basics for cyber security practitioners, what you should be doing to prepare for quantum, and its promise to completely pummel our current cryptography standards. This month we are thrilled to welcome Dr. Matthew McFadden. He's vice president of cyber at GDIT and Thomas Scanlon who's professor at Heinz College at Carnegie Mellon University. Welcome to both of you.

Matthew McFadden, vice president, Cyber, General Dynamics Information Technology (GDIT)

Hey everyone, thanks for being here.

Thomas Scanlon, professor, Heinz College, Carnegie Mellon University

Hi, great to be here.

Becky Bracken

Thank you, thank you so much.

Okay now, before we turn Matt and Thomas loose on this issue, we have Jim Donahue, our managing editor of Copy Desk and Commentary. He is going to walk us through just a basic primer on quantum and why we care. Most of us know this, but I think it's worth a refresher. I could constantly use one myself.

So, Jim, you help us out with that?

Jim Donahue, managing editor, commentary and copy desk, Dark Reading

Sure. Thank you, Becky.

Quantum computers are currently being developed by teams of computer scientists, physicists, mathematicians, hardware and application developers across the globe with the intent to deliver on the promise of solving even the most complex problems in a fraction of the time of current classic computers. But what's the difference? Well, here it is in very basic terms.

Classic computers perform calculations with bits, which are processed as either 0 or 1. It's binary. Quantum computing uses something called qubits, which can process information as both zeros and ones simultaneously to very quickly calculate every possible outcome.

So, the current problem is that qubits are incredibly difficult to create, and they require lab conditions. In addition to something like a magnet or laser pulses to bounce those bits so quickly back and forth, they can start existing at both the zero and one position at the same time. Now, once it's pinging so hard, its position is indiscernible, the qubit is defined as being in “superposition.”

Scientists still haven't figured out a reliable way, though, to make those qubits or a way to keep them from flaming out very quickly once they've achieved superposition, but they are working on it, of course. Quantum promises to be a very powerful predictor of the best answer to the most complex problems. This quantum computing power will be used to smooth out supply chains, create life-saving drugs, and yeah, unfortunately, to break cryptographic algorithms.

In fact, quantum computing will be able to crack the foundational public key infrastructure upon which information security is built, including ECC and RSA, used to protect the security of every HTTPS protocol website.

So that leaves every instance of cryptography used in every instance, in every organization across the world, vulnerable to post quantum computing. And it all needs to be updated to new quantum resistant cryptography standards, recently released by the National Institute of Standards and Technology.

And this of course is a very simplified overview of an incredibly complex computing revolution. But I turn things over to our guests, Thomas and Matt, and do you want to correct anything that I said here or add to the basic understanding of quantum computing?

Matthew McFadden

Yeah, Jim, I guess a couple things, right?

So, you know, I think part of this is, you know, the algorithm's been that quantum computers use, right? I think the one that we typically have mentioned is Shor's algorithm, which is, I think was created in 1994. So, there's a little bit of optimization there. We don't know necessarily how adversaries have optimized the algorithms to be able to essentially crack those current encryption methods, such as RSA. So, there's an optimization challenge.

The other piece is quantum computers are here now. So, part of talking a little bit about the qubits, right? There is somewhere of an estimate of, they're going to need about 10,000 qubits to really be able to crack current encryption methods. Some of the latest quantum computers out right now are, are about 1,000 or so. But then again, it goes back to optimization. Do they really need 10,000, or do they need a thousand or five hundred? So, there's a lot of unknowns out there.

There's been a couple of recent articles showing where adversaries and researchers have been going through and actually doing proof of concepts of showing basically the cracking most recently with 22 bit. But the best practice standard right now is 2048 bits for RSA. So, there's a lot of, I guess, stuff that we don't know yet, but I think it expresses the urgency of why this is so important, why we need to migrate quickly.

Thomas Scanlon

Yeah, great points, Matt. I also like to highlight as we get into availability of quantum compute, is getting nearer, there's both threats and opportunities. And so, there's things the organizations need to do in terms of getting ready for post quantum crypto, which is we're going to talk about today. But organizations should also be laying out like quantum use cases. And what could I do with a quantum computer? How would I solve those?

challenges in medicine and pharmaceuticals that Becky mentioned in the open. You don't want the capability to be there and you're not ready for it. So now is a great time to start road mapping. What would I do for good with a quantum computer to help my business or help my organization?

Kelly Jackson Higgins

Yeah, let's jump into this a little bit for our listeners who typically are the security operations folks out there trying to figure out how to make sense of all this. I think, you know, really the catalyst to this whole conversation has kind of been the federal government, the US government's kind of forward thinking of how we handle this problem right down the future. And of course, this new post quantum crypto standards that were announced a few weeks ago, you know, more in a full not no longer just a draft.

Starting with Matt, Matthew, how would you kind of characterize for cybersecurity teams what they need to know about the standards and then just sort of how do they decide how they roll them out or how they plan to roll them out, that kind of thing? I'm hearing things about like hybrid approaches some organizations are taking, you know, how would you kind of help folks navigate that?

Matthew McFadden

So, this is a multi-threading question. So being a, you know, GDIT, you know, we're very focused, very focused on the implementation. You know, we support a lot of different agencies in that migration. So, one of the, one of the efforts I lead is our R&D around what's called our title, post-quantum cryptography, a digital accelerator. So, you know, we foresaw this coming.

We wanted to make sure that we could help accelerate agencies as quickly as possible to this. But the reality, right, is I think Jim or Tom mentioned, right, the standards just came online, right? So, the final standards were just approved in August. So, you know, they weren't quite there to implement. Most of the hybrid approaches were, hey, you know, they're going to use Crystals Kyber, and they developed a hybrid implementation of that — not necessarily the ML chem standard that was approved as part of FITS.

So, I think it's part of the, you know, there's a big importance of driving education, not only to like CISOs and CIOs, but I mean, broader system owners and understanding, okay, there are new standards out there. This is the risk. And this is how we need to go about the migration.

I think one of the things that at least I try to do with conversations is just having them understand like this now becomes part of compliance, right? It's part of the FIPS (federal information processing standards certification), you know, 203, 204, 205 standards to get a, you know, an ATO (authorization to operate), you know, we have to go through and begin to migrate. But I think it goes back to there. There's this much broader industry challenge where even if you wanted to migrate, you can't necessarily because basically the industry hardware and software has to basically retool their entire ecosystem —back to the question like hybrid, right?

Like you may have seen like where Google, you know, as part of Chrome, they implemented a hybrid implementation. Well, now ML chem got approved, and now they're working to, you know, take that standard and put it back into the browser, which isn't there yet. It's coming in the next few weeks.

Thomas Scanlon

Yeah, I think the good news is there's a bit of a blueprint for organizations how to approach this and I'm going to go back a quarter century, but there's some parallels to the Y2K problem, right?

And so, you had these Y2K calculations in disparate systems and pieces of code all over the place. And you had to go through and exercise as an organization to inventory them and decide which ones you wanted to change and which ones you're going to let go and exceed up the risk and those types of decisions.

That's reflective of the guidance from both NIST and DHS (Department of Homeland Security) on how to approach post-quantum crypto. They start with inventorying all the places you're using crypto and then doing some type of triaging step where you determine what are the high value things that you have to change either because they're just high value systems for you or they have sensitive data in there, maybe the rather classified data or PII or some other type of sensitive data.

And so, the sort of recipe, the procedures are fairly straightforward from this in DHS. Like most things though, the devil is in the details as Matt was just illuminating on. You can decide you want to change the crypto in a certain system, but you may not be able to because the hardware, the firmware doesn't support it. It could be that changing to the post quantum crypto algorithm changes the compute timing. And if you're in an area where you need real time responsiveness.

And now the algorithm is more complex. It may affect the timing of your compute. It may also be that your business partners aren't migrating. So, there's a lot of factors that go in. And it's easy to say inventory your stuff, decide what you need to change and change it. It's not that straightforward at all.

Kelly Jackson Higgins

So, it is sort of like a cyber risk analysis type thing you have to do, is that right? Would you kind of characterize it that way?

Thomas Scanlon

I say that's definitely part of it.

And so if you're in large organizations, be it in government or industry, where you're going to put a team on this, you definitely need people in the team that understand quantum or quantum experts, but you probably want some traditional software or cyber engineers and some cyber risk folks, because at some point you're going to have to make a decision such as, okay, we can't upgrade this thing we want to because the vendor is not cooperating.

Do we accept the risk and just use it with the RSA and not upgrade it? Or do we replace it and buy a whole new, which could be a costly decision, switch vendors and things like that. So, there are going to be business and risk decisions as part of this equation. It's not all just technical.

Becky Bracken

You're talking about all of this layer of complexity on top of the complexity of quantum itself and it's kind of making my head hurt a little bit. Is that maybe why we're having a hard time finding cyber shops that are working on this in real time? Is it just a difficult thing to even wrap your head around, much less get actualized, or what is going on inside enterprise cyber teams right now with relation to this? Matt, we'll start with you and then get Thomas's thoughts.

Matthew McFadden

Sure, so I think one of the things that you're seeing is the emphasis on really having a cohesive strategy. And I think governance is a key piece of that, like what we've seen with the zero-trust implementations.

So, I mean, if you're a large organization, you're a CISO or CIO, right? I mean you could have hundreds of thousands of systems. A lot of times they are decentralized. You have different sub-agencies and components. There's a lot of coordination to understand, well, where should I migrate first?

So, one of the things that we've seen in government with some of the OMB (US Office of Management and Budget) requirements is basically, hey, you must conduct a systems inventory. And generally, that inventory has been very manual, right? And it's been focused on, hey, here are my high value assets or systems, right? So, the reality, right, is there's that risk equation to this where ... you know, not everything's going to migrate at once.

You know, we must make a risk-based decision. What is the highest priority? So, you know, that could be, you know, high risk system, national security system, you know, let's, let's focus on those first. But with that, right, there's a lot of different complexities.

Like it sounds easy. yeah, just, you know, replace this encryption or certificate. But the reality that I found is like, I mean, there's so many different relationships between these different types of certificates and the different algorithms that they use, there's a lot of complexity to it. You may have vulnerable algorithms in identity, in your devices, in your network, as part of your applications, even as part of the source code that you're developing. We've seen a mixed strategy, where, you know, even as part of discovery, leveraging a certain set of core tools to help with that inventory and then even looking at, you know, more specialized tools.

So, one of the examples, right, we just did a research study where we surveyed 200 agency decision makers. And I think they found about 44 % of those were looking to leverage vulnerability management tools to at least begin to assess, you know, where their vulnerable algorithms are. And I would say most of that has been focused on like TLS (transport layer security), which is like web servers, websites. So, there's, I would say there's a lot of gaps and a lot of things that are missing.

Thomas Scanlon

Yeah, and I get a lot of inquiries. We mentioned there's not a lot of people practicing right now in doing this, but there is a lot of chatter and discussion. And so, I do get a lot of inquiries here at the university from different organizations, both industry and government, about what they should be thinking about, what they should be doing.

And I think part of what's holding some of them back is they're kind of waiting for others to go first.

And so, while we have this high-level guidance from NIST and then I mentioned DHS also has some about what you should do, we're not to the level yet where we have like best practices and lessons learned and these types of things.

And so, when you do get into those more in the weeds decisions that Matt and I talked about earlier, what types of dispositions do you have? What should you do? It's a lot easier to lean on a vendor to make a change when there's other organizations also leading on the vendor.

Even someone with as much buying power as US government, it's hard to lean on a vendor if they're the only one. But if they're leading on it and half of the Fortune 500 companies are leaning on them, then you get change. And so, I think some folks are a little hesitant to be the first ones out in front of this.

Becky Bracken

But someone's going to have to be (first). And so, who do we think that is? Are we going to reach sort of a maximum capacity where everybody (makes the transition); is there going to be a big breach? Like what do you think is going to be the catalyst of these sectors moving and which sectors do you think will move first? I'm thinking banking. They're usually out in front. I don't know.

Thomas Scanlon

Yeah, banking is a good call because they are usually on the front of cyber. They're under attack 24 seven, right?

But I think that's a good question you raise. You know, it may take some type of provable breach to be the catalyst to spark everyone out of fear, right? So right now, they can still keep it at arms distance and say, well, quantum's not really a threat yet. It's out in the future. Until something happens to somebody else, I'm not worried about it, right? And so, it could be even something proved in a lab or we haven't talked yet about what cyber criminals are doing today, which is harvesting data to break the encryption audit in the future, even though they know they can't break it now. Maybe some harvested data gets broken or something like that. I think some event that gets a lot of publicity and when puts a scare into folks will kind of be a catalyst.

Becky Bracken

Is that your assessment as well, Matthew?

Matthew McFadden

Yeah, like, I don't know, I think I'm going back to the original, right?

Compliance, I think, is a big driving factor to this now. there's ML Chem as a standard as part of FIPS, 203, 204, 205. Now to get as part of the accreditation, they have to go through this process. I would say generally, industry begins to adopt those standards. So really, that is the forcing function. Not to say whenever we have a significant event, that's always a driving force.

Then again, you know, I think net folks are at least aware, it's part of compliance. They're trying to work through that. I think one of the things we didn't talk as much about is like even in acquisition, like the hardware and software supply chain is even key with that. So, we may want to select vendors that are more likely going to meet these standards in the future.

Kelly Jackson Higgins

Thomas, you brought up something I was going to ask about, and that was this whole concern about adversaries that have or will already have or will download encrypted data today that they've stolen and be able to crack it in the future. Talk about that a little bit. Is that something that might spark some more activity from organizations or more, guess, I can't think of the word I'm spark some movement, I think, by organizations from the top to say, “this is something we need to worry about soon rather than later?”

Thomas Scanlon

Yeah, unfortunately, I would say I guess not. I say that because it's definitely happening today that folks are harvesting data to encrypt later. It's not like a theoretical thing. It's fairly well documented and understood. So, folks are doing that. And that hasn't triggered the kind of reaction that we've been talking about on this podcast.

I think part of the thing you need to think about when folks are harvesting that data to decrypt it in the future, a lot of that data probably won't have value when the time comes. And it's not like as soon as the decrypting capability becomes available that it's going to be ubiquitous and everyone's going to be able to decrypt everything. It's going to be expensive. It's still going to be a limited resource on these computers. And so it's going to be the most valuable data that they're going to go after decrypting first.

And so, it's gonna be a highly valued and limited resource, just like any other breakthrough in computing, it'll scale up over time. But all this harvested data, a lot of it's just never going to get decrypted, I don't think.

Kelly Jackson Higgins

What do you think, Matthew, on that topic?

Matthew McFadden

Yeah, well, it's like back to we don't know what we don't know, right? So, I think part of that strategy is why we're really trying to prioritize that highly sensitive data first. The other piece is, you know, there's some systems that we won't be able to migrate, right? There's a lot of legacy systems out there. I know in our research study, I think we found that, you know, for 40% (of cyber professional surveyed by GDIT) it was a big concern.

So, it's like, well, what do you do with those systems, right? Do you completely retool those and that’s a significant cost, you know, time and money, or, you know, is there some type of bolt-on solution that we can implement? I think the good thing is this conversation is really driving awareness. And I think that's what we need to continue to do.

At the same time, I think organizations need to drive that top-down strategy and it's not necessarily just the technical solution, right? It's having people, it’s having teams, and it's having a budget to allocate the resources to support that large-scale migration.

Kelly Jackson Higgins

I can think of so many challenges to the sum of things you both talked about. You know, we're already terrible at IT resource inventory and visibility, right? That's a huge problem, even more so now with the cloud and IoT. And it just seems like this is one of the things you must get visibility for. And it seems like it would be easier to wait since it's a narrower slice, but I don't know. Correct me if I'm wrong, is this an easier thing to get a full picture of or not of what you have out there in terms of encryption?

Matthew McFadden

No, but I think it's been a forcing function once again, because it's driving the importance of encryption. And I go back to the foundations, right? The most fundamental aspect of cybersecurity is encryption, right? We can't do zero trust and all those other great things of securing data in transit or at rest without encryption. So, we better get that right.

But now we really have to understand how it's being managed, where is it located, you know, what hardware and software is a part of it, and do we really have the right tools to provide that visibility and situational awareness? Most of the time, you know, most agencies and organizations, I don't think are quite there. But that's where we're working to help drive and understand, okay, how can we leverage a lot of their existing investments or their SOC tools or things and then supplement with specialized tooling where it makes sense.

Thomas Scanlon

Yeah, I going to say it may seem narrow at first blush, but a Matt hits on some of these points. In the cybersecurity world, we've been pushing encryption for years, encrypt your data at rest, use HTTPS, do full disk encryption, encryption, encryption, encryption is everywhere. And so, we've talked about RSA on this call, there's other encryptions too, right? And so, encryption is everywhere, and they will all be vulnerable in the future. so, that's why we’ve kind of come full circle now. That's why it is like a business risk decision to some degree because some of the places where you use encryption are going to have to wait. They're just going to have to. And so, you want to make sure you hit those high value places first.

Kelly Jackson Higgins

I keep thinking about how long it took for like, you know, SSH and TLS to be fully updated across systems. It just takes time, right? And that's going to be, it seems like another example of a new, you know, better technology challenge, but it won't happen overnight by any means.

So, I know we've talked about a lot of things. I kind of want to circle back to what you would recommend right now. The first thing that someone that organization should be doing right now, I think.

You touched on Matthew that compliance is going to force federal agencies, defense contractors, other folks who are regulatory driven a little more quickly than others. For those that may not have that pressure right now, what would you recommend that they start doing like to get the ball rolling?

Matthew McFadden

Sure. So, a couple things. I know one of things that we've been working on is like, what does a maturity model look like? And we broke it up into kind of three areas of: discovery, assessment and management. So, if you could do those three effectively, we're trying to move agencies towards what's called crypto agility. So, if any new standards come out in the future, and guess what? There are these are just the first three, we can be ready to change out those algorithms.

So, I would say a couple of things that we've learned. One, you should formalize your strategy and your governance from the top down. The second piece is really strengthening that technology foundation. So once again, you have to have the right tools to manage and understand that visibility. The third thing is workforce, right?

So, us cyber folks are talking about this. Those other system owners and businesspeople don't necessarily understand that risk and challenge. So, education is key. The fourth thing is it's about prioritization. It's not all going to happen at once. It's you know, it's how do you prioritize the high-risk high risk first.

And then the last thing is what we're really trying to get to is a better cryptography management. So, some of the organizations I've dealt with, they realize that if I can manage the issuance of these secure certificates and algorithms, lest I have to migrate down the line. So, let's really focus on the management using KSM (key management systems) and HSMs (hardware security models) that support some of this stuff. But anyway, back to really, it's the discovery, assessment, and management that really helps achieve that crypto agility.

Thomas Scanlon

Yeah, picking up on what said, in my experience, very few organizations have crypto management or view crypto as an asset that way. So normally you get to the crypto by looking at some other type of asset management. So, people know they have this hardware, these software systems, and then you say, okay, well, which crypto is it using? But they don't have a worldview that starts with crypto. Here's all the crypto my organization wanted to use.

But as far as things organizations should do now, I guess maybe I have two things. So, one is for sure, at least understand your attack surface, if you will, do some threat modeling. Even if you don't get to the triaging and prioritization phase, you should be able to understand all the places you're vulnerable for crypto attacks, where crypto is used, which algorithms are being used and things like that. At least understand that's something organizations can do now, like within a calendar year, is understand their attack surface and what they're vulnerable to. And then that can lead to filling out the triaging and the prioritization of what we're actually going to do.

The second thing is I would start paying attention now to contract language, putting in with your vendors in your supply chain language about their adoption and their plans for post-quantum crypto, maybe in some ways limiting your liability, but also just making sure that the folks you deal with have an understanding that this is a problem, that they also have a plan. It would be great if they had concrete plans, but they may not yet either, right? And so, you don't want to hold them to that, you ever get a contract done but have contract language in there talking about post-quantum crypto.

In the government space, we can create seed rules and things which are standard contract language that government agencies can use. This has been done for other areas of cyber and software engineering, where there's standard seed rules that can go into contracts. On the industry side, they have similar types of things. They don't call them seed rules, but standard template contract language. Start working on that now to see what you want to put in your agreements. So, in the future, when you call on those business partners you can make sure you kind of have a leg to stand on.

Kelly Jackson Higgins

Okay, I know this is a hard problem, but I feel better about it now. After hearing from you guys. Thank you.

Becky Bracken

I was going to say I feel the exact same way. I started out getting a little panicked, but they talked me back down with some practicalities. I want to thank you both, Matthew McFadden and Thomas Scanlon, so much for your time today and your deep expertise. I hope that our audience's blood pressure went down along with mine as you guys spoke about this.

Speaking of our audience, we want to thank you all for joining this month's episode of Dark Reading Confidential, “Quantum Has Landed: So Now What?” On behalf of Kelly, Jim, and the entire Dark Reading team, we hope you'll join us next time for another episode of Dark Reading Confidential. It's a podcast from the editors of Dark Reading focused on telling real world stories straight from the cyber trenches. Thank you all and see you next time.