- With the dawn of the quantum computing age come many new potential risks, including those related to security.
- Government agencies and industry groups have expressed a growing sense of urgency regarding the transition to a secure quantum future.
- Cyber security expert Jaya Baloo explains why and how we need to protect our economies in the event of a quantum future.
The privacy of online communications currently depends on cryptography, which protects information as it travels over the Internet. It secures everything from online shopping to remote access to business emails. Although the capabilities of quantum computing are growing rapidly, industry experts estimate that it will be at least another 10 years before quantum computers with huge numbers of qubits are available.
Quantum computers could run algorithms that break the public key encryption we use today. To avoid this, researchers are working intensively to examine, select, and improve several dozen candidate algorithms to replace the current ones.
The technology is still at an early stage and will take several decades to reach full maturity, giving us a brief window to develop the current digital and IT infrastructure to prepare for a quantum future.
We spoke with Jaya Baloo, Head of Information Security at Avast, about why and how the current cyber landscape might develop, and which areas to prioritize to avoid the damage and potential risks of quantum computing developments.
Jaya has worked in the field of information security, with an emphasis on secure network architecture, for over 20 years and serves on the advisory boards of the Netherlands National Cyber Security Center, PQCrypto and the EU Quantum Flagship Strategic Advisory Board. She is currently a member of the Global Future Council on Quantum Computing of the World Economic Forum.
For many years, the quantum threat to cryptography was considered theoretical. However, with recent advances in building a physical quantum computer, Jaya believes that we are not far from the breakdown of our currently used cryptographic algorithms.
What prompted you to develop your expertise in cybersecurity and become a leader in this field?
I think I’ve always been curious about security. When I was a child I was fascinated by telephone phreaking and my interest developed seriously when I was working as a network engineer at KPN. The point is that once you get into cybersecurity it is hard to stay on the sidelines and instead you get to take a stand very quickly because there are so many fundamental dilemmas that we deal with in a day’s work. Global issues influence security teams at an incredibly operational level and include everything from the impact of geopolitics on supply chain security to policies on crypto as well as the use of certain tools to assess network security posture.
What is the most misunderstood about your job? What would you like people to know?
What is most misunderstood about working in cybersecurity is how it is often visually characterized by Hollywood. It’s often described as incredibly fast and exciting, as a kind of cat-and-mouse game between hardened defenders and hooded attackers. Unfortunately, the truth is much more about making the regular, diligent, routine, and daily incremental efforts to prevent an attack or to analyze and respond to one when it occurs. In reality, it’s still a lot of dedicated people looking at their screens with very few car chases in between.
I want people to understand better how fragile our position on cybersecurity is and how much effort we need to put into improving the basics now in order to prepare for the future. We still rely on fundamental protocols that were developed in the 1970s and have not changed much since then for our main transmission communication layer. We have a lot of new tools developed with old classes of vulnerabilities. We are still not proactively testing and changing fast enough to scale with the new threats we face. Also, there is a huge interdependence from a critical infrastructure perspective as we rely on the same tools all over the world, so a single successful attack has a very big ripple effect.
What do you think is the most critical cybersecurity challenge executives face today?
Right now, I think the biggest challenge leaders face is understanding that we have excluded the cost of cybersecurity in our existing IT infrastructure. The sunk cost of these old investments means that repairing or upgrading is not always an easy decision and organizations have extensive risk management tactics to explain rather than adhere to best practices. When this is already a challenge, thinking of additional safeguards for new technologies often seems like a good thing to have rather than a need to have unless forced to do so by regulatory requirements. A good practice is to set aside about ten percent of the IT budget for your non-personnel expenses for information security. If all parties started to do so, our capacity for innovation would catch up with our old infrastructure. Then we would be slowly but surely more secure.
Why do we need to focus more on encryption as a guarantee of privacy and online security?
Cryptography is at the heart of our global internet economy, from online banking to the protection of intellectual property, as well as the more basic need for secure and private communications between individuals. It protects human rights but also supports national security. Sadly, that doesn’t mean we didn’t have challenges to this ability as evidenced by the crypto wars of the 1990s. It always reminds me of a quote from Benjamin Franklin, that “those who would give up an essential freedom for a little temporary security deserve neither freedom nor security,” which reflects the tension between national surveillance capacities and individual privacy needs. We need good, strong, and well-tested crypto, without backdoors, in order to protect a free and democratic society. There are alternatives available for law enforcement to conduct targeted investigations without jeopardizing the common security available to all of us and our basic human rights.
How could developments in quantum computing disrupt this?
The promise of quantum computing is that long-standing and difficult scientific problems can be solved in new ways. Our current cryptography is based on difficult mathematical problems, such as integer factorization and discrete logarithms, which would take our current computers a long time to solve. However, a quantum computer of sufficient scale can speed up the resolution of these problems so significantly that it will effectively break our currently used cryptographic algorithms.
What actions are needed to enable a safe and sustainable transition to the quantum economy?
First of all, we need to know where we are using our current crypto and for what purpose. Most organizations have no idea what their crypto resources are and how they enable day-to-day operations. Once this inventory is complete, we need to figure out how to move on to new post-quantum algorithms, which are a new set of algorithms that will always be resistant to a quantum computer attack, while potentially looking for very specific opportunities to deploy something called quantum communications (secure communication links based on the principles of quantum mechanics). Going through the supply chain of an organization, there may be suppliers who work in this area and will provide easy transition opportunities for an organization. Either way, they need to think about it, and understanding a vendor’s maturity in this area is critical to a smooth transition.
What advice would you give to policymakers and other cybersecurity experts to achieve this?
While it would be wonderful for everyone to voluntarily adopt best practices in the usual way, I fear that we need a regulatory framework and a national strategy to ensure that the most vulnerable and critical parts of our community economy are quantum ready. My biggest concern is how long we have left to move to a secure post-quantum future. It is important to be able to take advantage of quantum computing and quantum technologies to move our society forward while dealing with the potential downsides of weakening crypto. Given that there is such a strategic and national security advantage in terms of surveillance capabilities, I am concerned that some infrastructure and software may end up in the Wassenaar Arrangement on the control of exports of conventional arms and dual-use goods and technologies.
I urge policy makers to ensure that there are no export restrictions against the export of quantum technologies, which would only worsen the digital divide. Because of our interconnected economies, we need the democratization of technology and need to ensure global participation to be collectively secure, a kind of digital version of collective immunity.