Congress wants federal agencies to deploy quantum-safe encryption


The Senate has passed a bill aiming to protect government networks against the threat of quantum-computing-based hacking, even if the real danger is still a few years away.

While quantum computing is in its infancy, the computing power it promises could make some of today’s encryption systems obsolete. When Big Tech companies or governments are eventually able to build super-powerful quantum computers, these machines could break some current encryption systems within hours or minutes instead of the thousands of years it would take for today’s most powerful traditional computers.


That possibility has huge consequences for data security, privacy, and surveillance, and the Quantum Computing Cybersecurity Preparedness Act aims to move the U.S. government toward a post-quantum security posture.

The Senate passed the bill in early December, and the House cleared it on Dec. 13 with a 420-3 vote. President Joe Biden is expected to sign the bipartisan legislation.

A handful of popular encryption methods used today, including RSA, Diffie-Hellman, and ECC, are vulnerable to hacks using quantum computing, said Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4. “That encryption protects 95% of our online digital world, including credit card transactions, any internet site beginning with HTTPS, our WiFi routers, and much of our logon security,” Grimes told the Washington Examiner.

The bill, passed by the House in July, would require the Office of Management and Budget to prioritize federal agencies’ acquisition of IT systems using post-quantum cryptography. The legislation also would require the OMB to set post-quantum guidance for agencies after the National Institute of Standards and Technology creates the post-quantum cryptography standards it is working on.

Although the fears about quantum computing have not yet become a reality, the ability to crack some encryption systems within hours appears to be coming in the next few years, cybersecurity experts predicted.

Using today’s conventional computers, cracking 4096-bit RSA encryption would take thousands of years, said Bill Malik, vice president of infrastructure strategies at cybersecurity provider Trend Micro. However, a 6144-qubit quantum computer could crack RSA encryption within hours. IBM has recently announced a working 433-qubit quantum computer, and the number of qubits seems to be doubling about every year, he noted. That would mean RSA encryption would be hackable about four years from now.

“Today’s encryption algorithms rely heavily on solving very hard mathematical problems,” Malik told the Washington Examiner. “A quantum computer is able to reduce the solution time vastly.”

In addition, some cybersecurity experts predict that powerful quantum computers will be in the hands of hacking groups by the 2030s or earlier, with government surveillance agencies gaining access even sooner.

However, help is on the way for organizations that want to protect their data. In July, the National Institute of Standards and Technology announced four quantum-resistant cryptographic algorithms that had emerged from a competition the agency sponsored.

In addition to the methods announced by NIST, security researchers are working on other encryption models, such as lattice-based encryption, added Patricia Thaine, CEO of Private AI, a company that detects and redacts personally identifiable information.

Lattice-based encryption is “pretty darn cool” and is considered quantum-safe, Thaine said.

“Quantum-safe means that a quantum algorithm has not yet been discovered, which can solve the hard problem that the scheme is based on in any reasonable amount of time,” Thaine told the Washington Examiner. “Additionally, increasing the key length of existing schemes, like AES (encryption), can dramatically increase the time that it takes for a quantum computer to crack the encryption.”

NIST has recommended that organizations begin to shift to new encryption methods in anticipation of the failure of some current ones, Malik noted.

“The problem is no harder than migrating to a new hash algorithm — something that most organizations know how to do but don’t do that often,” he added.


Still, migration won’t be easy for many organizations, said KnowBe4’s Grimes.

“Soon, within one to two years, every organization in the world will have to be undergoing a massive Y2K-like cryptography migration from quantum-susceptible cryptography to the newer quantum-resistant cryptography that the world is inventing and deploying,” Grimes said. “Most organizations aren’t even aware that this issue is coming, much less budgeting for a multiyear, expensive, cryptography migration project that will impact every single piece of software and hardware with electronics in their environment, without exception.”
