
The Elevated Risk of Broken RSA Public-Key Encryption Through Quantum Computer

John Adams reputedly said, “one useless man is a shame, two is a law firm and three or more is a congress.” That this line was, in fact, spoken by the character John Adams in the musical 1776 does not diminish its essential truth: The US Congress has a difficult time getting anything done.

Unless they’re afraid.

The Patriot Act became law 45 days after the 9.11.01 terrorist attacks. The Quantum Computing Cybersecurity Preparedness Act (“Quantum Act”) was signed within days of Chinese researchers publishing a paper claiming today’s ubiquitous RSA algorithm could be broken with a quantum computer.

Congress and the President are rightly afraid. Although the Quantum Act was signed slightly before the Chinese paper became well known, our intelligence services have been raising the alarm about “quantum decryption” for years now, with 2022 seeing multiple presidential orders and the new law – sponsored by liberal Democrats and conservative Republicans. Whatever the accuracy of the Chinese paper — the subject of much internet debate — quantum decryption is coming. Yesterday, tomorrow, next year, next decade? No one knows for sure. But it is coming, and it will be devastating to our economic and national security if we’re not prepared for it.

So, what exactly is the quantum decryption threat and why is everyone so worried about it?

Much of our modern economy is based on the encryption of data via algorithms that cannot be broken within a reasonable time frame. These are referred to as “cryptographically secure” algorithms. All encryption, except properly implemented One-Time-Pad encryption (“OTP” – more on this later), can be broken. But with classical computers, like the one you’re reading this on, it would take decryption algorithms millions, or trillions, of years to break modern encryption algorithms like RSA. These algorithms underlie the security of most banking, trade, personal data, and national security information. And the only thing standing in the way of blowing up modern encryption – and your privacy and economic security – is massively more powerful computers.

Enter “quantum.”

Classical computers process all information into 1s and 0s – traditional computing “bits” are always 1 or 0. This creates firm limits on the speed and power of their information processing, e.g., using math to crack other math. Faster traditional computers, larger supercomputers, mathematical breakthroughs, and other factors are constantly increasing this power, and thus, the speed with which modern encryption can be broken. But not enough, as far as we know, to render such algorithms practically breakable – yet.

A quantum computer, on the other hand, uses the “qubit” (clever, no?) as the basic unit of computing. However, unlike a traditional “bit,” a qubit can be in multiple states simultaneously and, as a result, can enable calculations many orders of magnitude faster than a classical computer for some important types of problems. That is as far as I understand it (lawyer not computer scientist), but I understand the implications of this science: the encryption that underlies our economic and national security will be at severe risk as soon as a sufficiently powerful quantum computer is ready.

Our adversaries, e.g., the People’s Republic of China, are not waiting. They are putting massive resources behind a “snatch-and-decrypt later” strategy: Steal massive amounts of data right now and decrypt it in the future when quantum decryption has been industrialized. Translation: You cannot sleep on this threat.

So, what does the new Quantum Act do and what can you do?

First, the new law correctly identifies the quantum decryption threat as a threat to the entire US economy, not just the US government, and pushes the US Government and private industry to take the threat seriously. Second, the Quantum Act puts strict threat analysis, current encryption, and security resource assessment requirements on non-defense/intelligence agencies. This does not mean our intelligence and defense agencies are not reacting to this threat. It means they’ve been working it for years. The new law also requires these government agencies to create plans to counter quantum decryption technologies and to “prioritize developing applications, hardware, intellectual property, and software” that can be easily adapted to counter the quantum decryption threat. Note that this is not focused only on quantum-resistant algorithms but on all of the security measures surrounding them.

The message, for government and industry, is that quantum decryption is such an existential threat to so much of our economic and national security that, if you have to err on one side, any responsible organization would be foolish not to err on the side of caution and aggressiveness in being able to fight the threat – whenever it arrives.

Whatever the future threat, businesses with large amounts of stored data (targets of “snatch and decrypt” attacks) today must do everything possible to protect against the quantum decryption threat. First, take all reasonable steps to protect your stored data from being snatched for future decryption. If they can’t steal it in the first place, they can’t decrypt it ever. Multifactor authentication and awareness of potential phishing attacks (don’t click on an unknown link), personal cybersecurity and employee training are all important basic steps.

Companies with significant amounts of sensitive stored data – whether stored on site or in the cloud – should begin to invest in emerging quantum-resistant data storage, key management, and multiple encryption technologies. More specifically, this means OTP-based capabilities, including newly powerful Random Number Generators, to create pattern-less, non-repeating secret keys for encrypting stored data. That way, if your data is stolen, and future China is deciding what data to decrypt first, they will work on someone else’s before yours. Even the Chinese Communist Party has resource limitations, and you don’t have to outrun the grizzly chasing you, just the person running next to you.