The national interest: Preparation is key – How to get ahead of Q-Day
Referring to Q-Day, the day when quantum computers are powerful enough to break our current encryption, Arthur Herman, senior fellow at the Hudson Institute, once wrote the following: “Q-Day is the term some experts use to describe when large-scale quantum computers are able to factorize the large prime numbers that underlie our public encryption systems…” Ironically, the phrase “Q-Day” was also used for the testing of the first atom bomb in 1945.
How Can Q-Day Happen?
When a sufficiently powerful quantum computer comes online (these can be referred to as cryptographically relevant quantum computers or CRQCs), whoever has access to such a computer will be able to decrypt any previously encrypted data. As an example, if an attacker has stolen and locally stored encrypted military secrets on their local servers—a practice referred to as steal now, decrypt later (or SNDL) that we know is happening today—and these secrets are protected only by public-key encryption using the factoring that we discussed above, they will be decrypted by a CRQC. That attacker will now be able to decrypt all of that stored data and make use of it for whatever purposes they choose. Additionally, the same attacker could use that CRQC to attack communications that are currently occurring over the internet via the airwaves. The same powerful CRQC could be used to eavesdrop or steal data from radio transmissions, fiber transmissions, or any other communications that are using PKI. So, if that attacker has listening devices in a variety of geographic areas or regions, they could effectively unlock any data in transit moving over those communications lines.
When Will Q-Day Happen?
No one knows the exact date when Q-Day will happen. Some are predicting it will be around 2030, some say it will never happen, and others are estimating that we could have a CRQC in two to three years. We know that nation-states are investing billions of dollars in quantum computing, and it is estimated that China is spending upwards of $15 billion to build a quantum computer just to crack PKI. This effort utilizing over 1,000 programmers and scientists is formidable and should not be underestimated.
Our own government has been concerned and is now acting to mitigate the threat and consequences of a CRQC. The National Institute of Standards and Technology (NIST) has been studying and finalizing quantum-resistant algorithms. Recently the White House issued a “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” which mandates that “Within 180 days of the date of this memorandum (Jan. 19, 2022), agencies shall identify any instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms…” Additionally, the United States Innovation and Competition Act of 2021 allocates over $12 billion, and contains specific language and funding for “quantum cryptography and post-quantum classical cryptography.”
Do not be fooled by what you see in the news or in public-facing articles. You can be sure that a nation-state attacker is not going to announce that they have a CRQC capable of dissolving PKI. Their incentive is to stay underground, harvesting as much data as they can before anyone notices.
Possible Q-Day Scenarios
So, what could happen if a global adversary fully utilized a powerful quantum computer? We could see massive amounts of data being stolen and decrypted, financial system collapses, energy grid hacks, and even control over major military systems. The fact is that we are all leaving ever-increasing digital footprints and every company and government agency on this planet utilizes increasing amounts of digital capabilities and assets.
Everything we do has a digital trace, and all data is now flowing and openly accessible though current standard encryption. Imagine if all that data was available to whoever had access to a CRQC? The power they would have would be so great that it is hard to imagine the damage that would be done and the global power that would be held.
Arthur Herman (mentioned above) conducted two formidable studies on what a single, successful quantum computing attack would do to both our banking systems and a major cryptocurrency. A single attack on the banking system by a quantum computer would take down Fedwire and cause $2 trillion of damage in a very short period of time. A similar attack on a cryptocurrency like bitcoin would cause a 90 percent drop in price and would start a three-year recession in the United States. Both studies were backed up by econometric models using over 18,000 data points to predict these cascading failures.
Another disastrous effect could be that an attacker with a CRQC could take control of any systems that rely on standard PKI. So, by hacking communications, they would be able to disrupt data flows so that the attacker could take control of a device, crashing it into the ground or even using it against an enemy. Think of the number of autonomous vehicles that we are using both from a civilian and military standpoint. Any autonomous devices such as passenger cars, military drones, ships, planes, and robots could be hacked by a CRQC and shut down or controlled to perform activities not originally intended by the current users or owners.
In their fictional book 2034: A Novel of the Next World War, Admiral James Stavridis and Elliot Ackerman portray a scenario where China can hack into U.S. military systems and shut down the global positioning system, weapon systems, and communications. This renders the U.S. military helpless and Chinese submarines simply destroy the U.S. Navy’s entire fleet in the South China Sea with uncontested torpedoes. In the book, all the U.S. military’s assets cannot communicate, and we are sitting ducks allowing China to create some significant destruction in the mainland United States. While not specifically mentioning a CRQC as the tool of destruction, it is completely within reason to think that a quantum computer powerful enough to crack all encryption and communications would be able to create this scenario.
Preparation Starts Now
So, with the above near-term threat, what can we do now to protect ourselves against such disasters?
First, I recommend that leadership, whether government, commercial or other, begin to look at existing cryptographic systems to understand where digital vulnerabilities exist. In many cases with large enterprises and government agencies, the cryptographic upgrade process from PKI to post-quantum cryptography (PQC) to protect systems could take years. PQC refers to the implementation of software-based cryptography and systems that are resistant to quantum attacks.
Even with CRQCs, both communications and data would be resilient to quantum attacks since they use much more complex algorithms and systems than our standard PKI, which uses factoring. This move from PKI to PQC will be the largest upgrade cycle in computer history, and all public-key encryption needs to change to provide a completely quantum resilient ecosystem. Data in transit and at rest, and all devices will need to upgrade to PQC, which will reduce or mitigate the ability for quantum computers to crack encryption. Enterprise and government agencies can start now by testing PQC to understand how it works in their environments.
Companies today provide PQC that can be tested in an enterprise or via the cloud. It is vital that all company leaders start the process of understanding how to move to a PQC world—the future of national security depends on it.
- Cyber security for SMEs: Don’t put yourself at risk
- Redefining cyber security with Zero Trust Network Access
- Addressing communication challenges in cyber security for business
- Bulletproof your business: The ultimate SME cyber security checklist
- CyberHive Connect 2.0 – Revolutionising network discovery and configuration
Get in touch
If you have a question or would like some more information, contact us today.