Quantum computing and the long game of cyber-crime

In the relentless arms race of cyber-security, a threat is here that challenges the very foundations of data protection: Harvest Now, Decrypt Later (HNDL) attacks. This sophisticated strategy, leveraging the anticipated power of quantum computing, represents a seismic shift in the threat landscape. 

 

This attack strategy poses a significant future risk to organisations worldwide, as threat actors collect encrypted data today with the intention of decrypting it when quantum computing capabilities become available. With forecasts predicting "Q-Day" earlier and earlier, and NIST guidelines emphasizing organizations begin their post-quantum cryptography (PQC) journeys sooner than later, it is crucial for Chief Information Security Officers (CISOs) to take immediate action to protect their organisations’ most sensitive data.

 

The HNDL threat

Unlike traditional attacks that seek immediate gains, HNDL attacks are playing the long game. Cyber-criminals have already started hoarding sensitive data, patiently waiting for the moment when quantum computers can break current encryption methods. This approach is particularly alarming because data harvested now may still be extremely valuable in the future, even if it’s decrypted years and years later.

 

The impact of quantum computing on cryptography is profound. Quantum computers will have the ability to break many of the encryption methods organisations use today - performing calculations in days that would normally take years with classical computers. This puts both asymmetric and symmetric cryptography at risk, potentially compromising a wide range of assets, secure email systems, and web browsing protocols.

 

Strategies for mitigating HNDL risks

To combat this emerging threat, CISOs must adopt a multi-faceted approach that focuses on identifying and safeguarding critical data, implementing robust security measures, and preparing for the post-quantum era. 

 

While CISOs are aware that full PQC solutions are the goal for protecting themselves, it may not be immediately possible for them as it can take time for the solutions to be fully implemented. Due to this delay in action, it’s essential CISOs understand other steps that can be taken now to prepare for the PQC era:

 

Identifying and safeguarding crown jewels

In the realm of cyber-security, "crown jewels" refer to an organisation’s most critical and valuable assets. These are the information, systems, or processes that, if compromised, would cause severe damage to the organisation’s operations, reputation, or financial standing and require the highest level of protection.

 

Data discovery and classification

CISOs must implement comprehensive data discovery tools to identify sensitive information across the organisation, then create a data inventory that identifies data types, their locations, access permissions, and ownership. Data should then be classified based on its sensitivity, importance, and regulatory requirements, with a particular focus on "evergreen" data that retains its value over time.

 

Mapping data transmission paths

Analyse and document the transmission routes of sensitive data, identifying potential vulnerabilities along these paths. This mapping process will help in prioritising security measures and implementing targeted protections for high-value data assets.

 

Aggressive segmentation and Zero-Trust architecture

Implementing micro-segmentation and dividing networks into smaller, controlled segments with specific security controls based on data sensitivity will majorly support security standings. This can be complemented with a comprehensive Zero-Trust architecture, which verifies and authenticates every access request, regardless of its origin. By doing this, there is an increased focus on implementing robust digital identity management solutions throughout the technology stack.

 

Enhanced encryption

While current encryption methods may be vulnerable to future quantum attacks, implementing additional layers of encryption for sensitive data can provide an extra barrier of protection. Considering a "castle and moat" approach will help by creating multiple layers of security around critical data. CISOs should explore and adopt cutting-edge encryption and authentication methods for both data in transit and data at rest.

 

Targeted DLP and MDR

CISOs should deploy Data Loss Prevention (DLP) solutions (where possible) specifically designed to protect critical systems and data. Implementing Managed Detection and Response (MDR) services to enhance 24/7 monitoring and rapid incident response capabilities is another useful action. These solutions should be tailored to address the unique challenges posed by HNDL attacks.

 

Preparing for the post-quantum era

Ultimately, CISOs will need to take it upon themselves to engage with security vendors to discuss their PQC solutions and stay informed about the latest developments in quantum-resistant algorithms. It’s essential they begin planning for the migration of critical systems to quantum-resistant cryptography and accelerate the implementation of PQC solutions where feasible.

 

Continuous improvement and adaptation

The fight against HNDL attacks requires ongoing vigilance and adaptation. Regular security assessments should be conducted to identify new vulnerabilities and areas for improvement. CISOs should perform thorough risk assessments to determine the potential impact of HNDL attacks on different data assets and prioritise protection measures accordingly.

 

Additionally, employee education and awareness programmes are always going to be essential to ensure that all staff members understand the HNDL threat and follow best practices for data protection.

 

As the quantum computing era fast approaches, the threat of HNDL attacks looms large. However, by taking proactive steps today, organisations can significantly enhance their resilience against future quantum-enabled decryption attempts. CISOs must lead the charge in implementing comprehensive data protection strategies, leveraging advanced security solutions, and preparing for the post-quantum cryptography landscape

 

---

 

Nick France is CTO at Sectigo

 

Main image courtesy of iStockPhoto.com MF3d