Quantum Power Play: Navigating the New Landscape of Cybersecurity and Defence

In a digital era, quantum computing threatens defence encryption. In defence, encryption isn't just tech – it's sovereignty. Are we ready?

In brief

• In the digital age, cybersecurity in defence is vital, with encryption ensuring the security and integrity of communication and classified data. Today, quantum computing threatens these systems, potentially compromising existing cryptographic systems.
• Defence operates on Strategic, Operational and Tactical levels, with each level's encryption implications differing. Given the vast number of devices and components at each level, securing data across these tiers using quantum-safe methods is challenging.
• For effective risk mitigation, defence entities should revise their methodologies. Process changes, such as adjusting procurement and project delivery, need to incorporate post-quantum security needs. Technically, understanding data comprehensively and staying updated with cryptographic advances is vital.

In an increasingly digital age, the defence and national security industries place a significant emphasis on robust cybersecurity, with encryption playing a pivotal role in securing communications and data. This importance is underscored by the paramount need for preserving confidentiality and safeguarding communication integrity to protect a nation's sovereignty, as evidenced by historical events such as the use of the Enigma machine during World War II.

Presently, quantum computing introduces a comparable challenge to the Enigma, driving the defence industry's reliance on trustworthy and effective cryptographic technology. The advent of quantum computing presents both intriguing prospects and formidable challenges. The superior computational capabilities of quantum computing can threaten the security of encrypted defence data, exposing potential vulnerabilities in current cryptographic systems. Such risks are not merely theoretical—consider the "harvest now, decrypt later" strategy, where adversaries stockpile encrypted data, awaiting the day when technology has advanced enough to decipher it. The defence industry's risk appetite, which is defined by the consequences of failure, does not leave room to keep risk unrecognised and not mitigated.

Defence operates at three levels of influence: Strategic, Operational and Tactical. The impact of changes to encryption will change depending on the type and level of communications being encrypted. Securing data at all these levels with quantum-safe solutions is a priority. It ensures that threat actors cannot exploit tactical, operational and strategic information to generate predictions about future engagements and reveal confidential information, thereby undermining national defence efforts. The sheer volume and variety of devices on the modern cyber-physical battlefield highlight the complexity and importance of this task.

To mitigate potential risks, it has become increasingly clear that defence organisations should undertake vital changes to their procedures. On a process level, they must modify their procurement and project delivery processes and incorporate post-quantum security requirements. On a technical level, it's crucial for defence organisations to stay proactive, understand their data in depth, and keep themselves updated with the latest cryptographic advancements. The adoption of Post-Quantum Cryptography (PQC) algorithms should be a priority. Another area the defence organisation should consider is the usage of innovative approaches like Quantum Key Distribution (QKD) and Quantum Random Number Generation (QRNG) to enhance the current cyber security posture. However, the adoption of these solutions must be approached with caution.

How is quantum computing different from today’s computers?

For centuries, people have sought to solve complex computational problems. The advent of classical computers has enabled the efficient resolution of many such challenges. However, classical computing has its limitations, and numerous problems of interest remain beyond its capabilities. Fortunately, classical computing is not the only possible model, and researchers have long sought more powerful computational frameworks.

Quantum computing is one such model, offering a means to address problems that are beyond the reach of classical computers. While there have been various models proposed that could theoretically outperform classical computing, many have stumbled when it comes to practical implementation. They've faced significant roadblocks such as scalability issues and an inability to suppress what is called 'noise' - pesky unwanted data alterations that occur during computation, leading to incorrect and unreliable results. After all, what good is a computing device if its results can't be trusted due to constant interference from random inputs? Quantum computing stands out because of its scalable hardware implementation and its robustness against noise compared to other computational models, suggesting it has the potential to provide useful results.

Numerous tech-focused articles often delve into the technicalities of quantum computing, touching on aspects such as qubits, superposition, and entanglement. These impressive scientific concepts, some of which have even been acknowledged with a Nobel prize¹, provide a fascinating insight into the intricate properties of reality around us. However, these concepts don't necessarily offer a holistic understanding of quantum computing's impact. Consider the analogy of trying to explain television's societal influence by starting the explanation from the principles of vacuum tube image formation or LED display properties. Such an approach might miss the bigger picture. Similarly, a deep understanding of quantum properties doesn't necessarily translate into clarity about the wider implications and advantages of quantum computing. Rather than dissecting the technical minutiae underpinning quantum computing, this article focuses on exploring the tangible consequences and benefits this technology can provide.

Quantum computers' ability to tackle complex computational problems presents both advantages and risks. On the one hand, they offer significant benefits and potential applications across various industries, from material design to financial portfolio optimisation. On the other hand, they pose considerable risks to cybersecurity.

Quantum computing is a double-edged sword for cybersecurity

Quantum computing's accelerated progress over the past decade, including through its technological by-products already in circulation, is transforming the cybersecurity landscape. As new quantum hardware emerges, it propels us toward a future where the traditional cryptographic systems we rely on today may no longer be considered secure.

But it's not just about the hardware; cutting-edge algorithms are continually being developed, requiring fewer resources to compromise conventional cryptography. As these developments evolve, in their speed to attack and scale of reach, all infrastructure, including cloud environments, are directly in the line of fire of this quantum revolution.

A particularly worrisome threat is the growing use of the "harvest now, decrypt later" attack by malicious cyber actors, including nation-states and highly organised criminal syndicates. In this approach, adversaries quietly gather a wealth of encrypted data today, patiently waiting until they possess the power of quantum computers to unlock its secrets and value in the future. This stealthy strategy is being applied across all sectors of the economy and in parts of the community as the enduring value of data and the decreasing costs of storage² make it increasingly viable.

The rise of this cyber threat is in part mirrored by the re-emergence of insider threat in its popularity among some adversaries, sometimes used as the means to access and exfiltrate the most secure of infrastructures in their design and operation as well as the most tightly held information.

The chilling truth is that even the most highly protected secrets could be revealed before they are not considered secrets anymore by those who own them.

The "harvest now, decrypt later" attack underscores the immediate risks quantum computing poses to cybersecurity. As quantum computing advances, attackers are increasingly motivated to execute this strategy, anticipating that at-scale decryption solutions will soon become available.

To maximise the effectiveness of such attacks, perpetrators typically target:

1. Structured data encrypted with a single key, as a successful decryption can reveal a large volume of information, increasing the likelihood of acquiring valuable data.
2. Data with a long shelf life, as delayed decryption and extended data longevity improve the chances of retaining valuable information in the future.

As quantum hardware continues to develop and the cost of attacks decreases, even short-lived and less structured data will face a higher risk of being targeted as the world gets closer to its first cryptographically relevant quantum computer. A cryptographically relevant quantum computer is a quantum computing device capable of performing tasks that compromise modern cryptographic systems.

The development of quantum technology not only introduces risks but also offers opportunities to improve existing security solutions. Two promising and increasingly used quantum-based approaches that can enhance current encryption methods are Quantum Key Distribution (QKD) and Quantum Random Number Generation (QRNG).

QKD enables the secure exchange of cryptographic keys between two parties, utilizing the fundamental properties of quantum mechanics to ensure the keys' confidentiality. In the event of eavesdropping and equivalent, the quantum states are disturbed, alerting the communicating parties and enabling them to respond accordingly. QRNG, on the other hand, leverages the inherent unpredictability of quantum phenomena to generate truly random numbers. These random numbers can be employed in current cryptographic protocols to bolster the security of encrypted data and make it harder and therefore more expensive for adversaries to break in.

While these two solutions alone will not eliminate the risks associated with quantum computing, they hold the potential to enhance existing encryption approaches. They also complement other forms of current cybersecurity methods and technologies as well as largely leveraging existing infrastructure. This means such options provide a bridge between today’s most commonly used forms of encryption and what will come next in a post quantum computing landscape and help ‘buy down’ the impacts of “harvest now, decrypt later” attacks.

Addressing the risks associated with quantum computing, downside and upside, primarily depends on classical approaches, with the development of quantum-safe cryptography being a central aspect of the ideal-case response. Cryptographic algorithms are founded on certain assumptions, with one of the most critical being the hardness assumption³. This particular assumption takes into account the estimated computational power an attacker might have and the level of difficulty they would face when attempting to solve a problem or by their definition, take advantage of an opportunity. As quantum computing edges closer to reality, the hardness assumption is effectively broken for many algorithms, particularly asymmetric ones.

To address these challenging problems, researchers have focused on the development of Post-Quantum Cryptography (PQC) algorithms⁴, which incorporate problems that are difficult for quantum computers to solve. While the development of PQC algorithms alone will not eliminate the risks, it does provide a crucial foundation for tackling the issue.

In response, organisations need to start developing a comprehensive strategy to mitigate the risks and take a whole of ecosystem approach in understanding the implications of legacy infrastructure and data as well as the implications for technologies that will be completely disrupted by the compute power of quantum-based infrastructure, applications and technologies.

The first step in this strategy involves gaining a thorough understanding of the data they possess, how it is currently protected, the regulatory requirements surrounding it and identifying which new algorithms are better suited for particular use cases. By being proactive and staying informed about the latest advancements in cryptography, organisations can effectively navigate the challenges posed by quantum computing.

What role does encryption have in National Security interests?

The defence and national security industries prioritise cybersecurity increasingly effectively. With the rapid development of digital tools, the importance of encryption has become more prominent, for data as much as it has for forms of communications and infrastructures. The severity of the challenges and consequences in this realm is extremely high, a key driver for why the Defence industry continuously invest significant resources to combat the latest threats as well as deal with legacy vulnerabilities.

The preservation of confidentiality and the safeguarding of communication integrity, whether it's in the field or between offices in the Defence Force, hold paramount importance for a nation's sovereignty. A glance back at history, particularly World War II and the use of the Enigma machine, underlines this truth. During that global conflict, the Enigma machines played a pivotal role, encrypting critical messages dispatched to the front line, essentially safeguarding strategic and operational secrets. The tide of war dramatically turned when Allied forces managed to decipher the Enigma's daily key messages and algorithms, fundamentally changing the trajectory of numerous battles. Fast forward to the present day, Quantum computing presents a similar scenario, albeit cloaked in modernity. It is as if a new Enigma machine has surfaced, with the same thrilling yet daunting challenges once faced. As history often has a way of repeating itself, the lessons learned from the past may very well dictate how successfully we navigate this new era of quantum encrypted communication.

It is essential for the Defence industry to rely on cryptographic technology that is both reliable and effective, in ways that can extend over decades and be subjected to constant risk of degradation. Stakeholders therefore remain vigilant in their efforts to ensure the most advanced and secure encryption methods are employed to protect their assets and interests.

By way of example, in military communications systems, cryptography plays a critical role, as it safeguards sensitive data and communications between military personnel and often between the militaries of allied nations, thwarting interference, unauthorised access and espionage. Consider a situation where a nation's military communications systems are dependent on outdated cryptographic technology, leaving it vulnerable to adversaries.

Opponents equipped with quantum computing capabilities could intercept, decode, and manipulate classified information to their advantage, jeopardising national security and military operations. Such a compromise could result in strategic failures, loss of life and lasting harm to a nation's global reputation.

This imbalance is not acceptable and severely affects a nations ability to defend its interests.

The impact of changes to encryption will change depending on the type and level of communications being encrypted. Continuing the example, Defence operates at three levels of influence, Strategic, Operational and Tactical.

Strategic

The strategic level pertains to national policy and theatre level movements, is defined by large scale, high importance information with both short- and long-term implications. This can include for example, long term strategies containing information such as capability planning and development blueprints; pre-planned response options to potential incidents stored in encrypted formats; communications between theatre level commands and the national support base; and inter-theatre communications during large scale conflicts. Such strategies often include intelligence agencies and their coalition counterparts as well as trusted defence industry capability providers. The balance of power in grey-zone and actual conflict circumstances is maintained or lost based on the ability of a nation and/ or its allies to secure its environments.

Strategic level encrypted communications and data therefore routinely have medium to long life spans with a high potential for exploitation if it could be accessed. The ability of threat actors to decrypt this information, even over lengthy periods of time, would have significant impacts on a nation’s ability to enact national policy and engage in conflicts at all levels. Securing strategic level communications, tradecraft and classified information with post-quantum cryptography is a focus of many governments and dominates the discussion on the challenges posed to a nation by quantum computing. While it is certainly an important consideration, it is not the only problem to be addressed with the development of enhanced quantum cryptography.

Operational

The operational is the level of campaigns and major operations to achieve a specific national objective in line with some given strategic intent.

Operational communications and data often have short- to medium-term life spans with decisions having the potential to impact both the tactical and strategic levels. Data associated with operational level movements has the potential to be exploited by threat actors in real-time if not effectively secured. This could include adversaries identifying in advance operational level movements such as large-scale offensives or changes in operational tempo such as a shift from offensive to defensive operations. These opposing forces would then be able to position themselves to best respond to these operational movements and cause significant disruptive effect, should they be military in nature, or for any threat actor to interfere with a conflict zone for a range of reasons related or unrelated to the conflict itself.

Tactical

The tactical is the level of small unit tactics, engagements and individual battles, it is defined by short-term communications with highly time-sensitive information and activities. The ability for threat actors to decrypt this information in real time would allow them to disrupt or prevent these tactical level movements or operations and could lead to casualties. The time sensitive nature of these communications, with data life on the scale of minutes or even seconds, means the impact of decryption will only be felt once processing speeds advance sufficiently to enable real-time processing.

Tactical level data may also be subject to “Harvest Now, Decrypt Later” attack to understand small unit tactics and deployment of high value assets. This would enable threat actors to act on tactical level information gathered in the past to generate predictions and assessments about future engagements, generating a potentially operational or even strategic level effect through the exploitation of tactical level data. Securing tactical level communications with PQC is therefore essential to ensuring threat actors do not gain complete access to tactics, techniques and procedures.

This presents a significant problem due to the breadth and quantity of devices carried at the tactical level on the modern cyber-physical battlefield, each with its own cryptography and communications band. The administrative and technical burden in identifying, updating and returning these devices to tactical level units should not be underestimated.

The quest for quantum-secure cryptographic solutions

Solutions to the challenges posed by quantum attacks on cryptography as a response require not only technical advancements but also improvement of the overall organisation’s cyber maturity. From a government perspective, response requires policy development and the establishment of new cryptography standards.

Post Quantum Cryptography algorithms

The most fundamental response to these challenges is the development of new cryptographic algorithms. These PQC algorithms, are designed to withstand attacks from both classical and quantum computers.

The US Government’s National Institute of Standards and Technology (NIST) is playing a central role in the development of PQC⁵ globally. Recognising the need for new cryptographic standards, NIST initiated a world-wide open competition in 2016 to identify and evaluate novel PQC algorithms. This rigorous, multi-phase process involves collaboration with experts from academia, industry, and government agencies. The development of new algorithms is approaching its final stage, with final recommendations expected in 2024. Only four algorithms remain on the selection path out of the initial 69.

NIST's primary goal is to standardise one or more PQC algorithms that demonstrate robust security properties, efficient performance and practical applicability. By establishing these new standards, NIST aims to facilitate the widespread adoption of PQC, ultimately ensuring the continued protection of sensitive information while we learn more about the granular level impacts across environments post quantum computing.

However, despite the promise of PQC, several challenges must be overcome before these new algorithms can be widely implemented.

• First, PQC algorithms tend to be more computationally demanding than their classical counterparts, which may result in performance bottlenecks.
• Furthermore, most PQC algorithms require larger key sizes, leading to increased storage and transmission overhead.
• The security of cryptographic algorithms fundamentally hinges on the assumption of complexity - the idea that there is no efficient method to solve a given problem using the resources at hand.

This is particularly relevant when discussing Post-Quantum Cryptography (PQC), where quantum computing represents an added resource. This assumption is continually challenged by making the design of these algorithms public, thereby inviting everyone to attempt to crack them. This is exactly the approach that the National Institute of Standards and Technology (NIST) adopts.

It is important to remember that trust in the security of cryptography algorithms is built over time. Thus, making a direct leap from classical algorithms to PQC ones could entail certain risks. Given that PQC algorithms are currently under rigorous scrutiny and recent studies have highlighted potential vulnerabilities⁶, caution is advised. Interestingly, one of the final contenders in a recent algorithm competition was broken using just a laptop⁷, leading to its elimination at the final stage.

Therefore, the transition to PQC algorithms requires thoughtful deliberation. One feasible solution could be the "double-wrapping" method⁸. In this approach, a message is encrypted twice: first, with a classical algorithm to counter known threats, and then with a quantum algorithm to fend off attacks from quantum computing.

Governmental approaches – Australia and its closest allies

Governments around the world are taking steps to protect against the potential risks associated with quantum computing. These steps include investing in research and development, forming partnerships and developing regulations.

On December 21, 2022, President Biden signed into law H.R.7535, the Quantum Computing Cybersecurity Preparedness Act⁹. This act encourages federal government agencies to adopt technology that will protect against quantum computing attacks. The act also requires NIST to develop standards for post-quantum cryptography.

In addition, the United States government has outlined its goals to maintain the nation’s competitive advantage in quantum information science (QIS) while mitigating the risks of quantum computers to the nation’s cybersecurity, economic and national security in National Security Memorandum 10¹⁰. The memorandum aims to balance the competing opportunities and risks of quantum computers by maintaining United States leadership in QIS through continued investment, partnerships and a balanced approach to technology promotion and protection.

The United Kingdom government has been working on a new quantum strategy¹¹ to mitigate the risks associated with quantum computing. To date, the conversation in that nation has focused less on risk mitigation and more on the quantum research and commercialisation apparatus that will enable responses to risk.

The Australian National Quantum Strategy¹², launched on May 3, 2023, establishes a long-term vision for Australia to capitalise on the opportunities presented by quantum technologies. However, it currently lacks direct references to the cybersecurity consequences of current and emerging quantum technologies and quantum computing. Ideally, the Strategy should inform the next National Cyber Security Strategy¹³ due for release later in 2023; the requirement for articulating the intersection has not yet been slated.

Returning to the defence environment, the AUKUS trilateral security agreement between Australia, the United Kingdom and the United States is providing a driver for capability consideration and joint development of responses to risk. The nations will coordinate closely on developing joint cyber and joint quantum capabilities among other aspects of emerging technologies for military application. There will invariably be spill-over benefits for non-defence environments also.

Industry response

In response to the rapid development of quantum technologies and their cyber risks, many organisations have started to proactively pursue quantum-resistant solutions as part of implementing digital transformation or technology refresh strategies. However, developing technical solutions alone is insufficient to resolve the underlying risks. Businesses must implement proper management measures and treat the challenge as an organisation-wide project, also addressing implications for processes and workforces.

As mentioned above, a first step in the journey is gaining a comprehensive understanding of the data held and used as well as how it is protected. Following this is recognising quantum risk in enterprise-wide risk registers. At this stage, it is important to acknowledge that the set of quantum risks identified will lead to updating cybersecurity and IT strategies accordingly.

Risk registration is a good practice, as it enables better-informed decisions when planning remediation and properly prioritising resources, in much the same way as it does in cybersecurity. Strategically, these steps will culminate in developing an enterprise-wide timeline and allocating a budget for a post-quantum implementation strategy.

Raising awareness at different levels of the corporate hierarchy is equally important, as each level of stakeholders plays an irreplaceable role in remediation and should receive appropriate information to enable efficient mitigation.

As each organisation operates with multiple external providers and partners to achieve success, developing a quantum-safe business requires collaboration with third parties. Incorporating quantum-safe requirements, particularly cryptographic agility, into vendor agreements, assessment processes and vendor-provided applications is crucial. Larger vendors may already be working on quantum-safe solutions, while smaller or in-house developed applications might require closer management. In either case, it is important to acknowledge the intersection of a vendor’s use of artificial intelligence technologies against its application of quantum technologies to best track digital complexity and vulnerability.

Remediation cannot be achieved without trained resources. Investing in the training and development of skilled personnel to handle the unique challenges posed by quantum computing is vital. Through these efforts, an organisation can address the cyber risks associated with quantum computing, ensuring the long-term security and stability of our digital infrastructure and compliance with upcoming regulations.

Further reading

1. Beyond the hype: a critical look at quantum computing’s potential for business and society in Asia-Pacific - https://www.ey.com/en_au/technology/critical-look-at-quantum-computing
2. Quantum computers will break the existing confidentiality paradigm. The only question is when? - https://www.ey.com/en_au/cybersecurity/preparing-for-quantum-in-cyber-risk
3. Quantum in cyber risk is real — inaction is no longer an option - https://www.ey.com/en_au/cybersecurity/quantum-in-cyber-risk-is-real-inaction-is-no-longer-an-option