Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Report: China to Target Encrypted Data as Quantum AdvancesResearchers Warn Network Defenders to Safeguard Data With Long-Term Value
Chinese threat actors may increasingly look to steal sensitive, encrypted data in hopes of decrypting it with quantum computing technology in the years ahead, according to a new report. Researchers say Chinese threat actors may target government, private sector and academic data with long-term value, including trade secrets, biometric identification markers, Social Security numbers, criminal records, weapon designs, and research and development around pharmaceuticals, biology, materials science, and chemistry, among other areas.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
In a 32-page report entitled "Chinese Threats in the Quantum Era," researchers at the IT consulting firm Booz Allen Hamilton call safeguarding critical data a cybersecurity imperative, noting that although quantum computing's benefits are largely far off, rapid advancement and a Chinese political realignment focusing on next-generation technologies make the threat active, with highly sensitive data held by state actors potentially decrypted by the end of the decade.
Quantum computing differs from classical computing in that it centers on quantum theory - and the ability of subatomic particles to exist in more than one state at a time - with related devices offering immense data analysis and simulation capabilities. Despite the promise of this computing method, it has yet to display commercial viability. Nonetheless, some computer scientists have predicted measurable progress by the end of the 2020s - on the more optimistic side.
"The threat landscape is changing in a very real way due to quantum, and organizations must begin to act now to ensure their infrastructure and data are protected," Nate Beach-Westmoreland, head of strategic cyberthreat intelligence at Booz Allen Hamilton, tells ISMG. "While quantum may not pose a direct threat to most organizations for at least a decade, deploying certain critical mitigations like post-quantum encryption will also likely take at least a decade. This demands that strategies be developed and resources aligned now, in order to prepare."
Other experts also focus on the timing. Ivan Righi, a cyberthreat intelligence analyst at the security firm Digital Shadows, tells ISMG that while this collection - with the expectation of eventual decryption - is a notable long-term threat, "It remains to be seen how long it will take for [it] to become a reality."
A Race to Perfect the Technology
The Booz Allen Hamilton researchers note that since approximately 2016, China has emerged as a major quantum-computing research and development center, backed by substantial policy support at the highest levels of its government. Still, the country's quantum experts have suggested that they remain behind the U.S. in several quantum categories - though China hopes to surpass the U.S. by the mid-2020s. While experts say this is unlikely, China may surpass Western nations in early use cases, the report states.
Advancements in quantum simulations, the researchers contend, may expedite the discovery of new drugs, high-performance materials and fertilizers, among other key products. These are areas that align with the country's strategic economic plan, which historically parallels its economic espionage efforts.
"In the 2020s, Chinese economic espionage will likely increasingly steal data that could be used to feed quantum simulations," researchers say, though they claim it is unlikely that Chinese computer scientists will be able to break current-generation encryption before 2030. "Still, the outsized threat of a rival state possessing the ability to rapidly decrypt any data using current public-key encryption generates high risk."
The authors say that because it will not be immediately publicly known when state actors break current-generation cryptography, "intelligence agencies will face a paradox" - and a threat to national and economic security.
The researchers write: "Ultimately, the anticipated cracking of encryption by quantum computers must be treated as a current threat. Any data stolen today that has been encrypted with a non-quantum-resistant algorithm will eventually be accessible to an adversary."
The U.S. National Institute of Standards and Technology, or NIST, aims to publish standards for post-quantum encryption in 2022, and those standards are expected to be finalized by 2024. Additionally, the U.S. Department of Defense is also conducting an assessment on quantum-computing risks, with an eye on national security.
"The theft of encrypted documents does change the risk calculation, particularly for government agencies, as quantum computers improve," says Ross Rustici, a former technical lead for the U.S. Department of Defense. "The takeaway here should be that encrypting data at rest for a select number of highly sensitive sectors will no longer be sufficient to ensure confidentiality of one's intellectual property. A higher standard of countermeasures is likely to become necessary if the corporation believes that the R&D time is the clear market differentiator."
The researchers offer several tips on shoring up security now to prevent the leak and later use of trade secrets, weapons designs, or critical medical data, etc. They include:
- Deploy continuous threat modeling;
- Develop an organizational strategy for deploying post-quantum encryption;
- Educate individuals on quantum computing and maintain awareness.
Maintaining awareness, they say, "may have the added benefit of revealing opportunities for strategic investments in new business enablers, ventures, and other greenfield opportunities."
Rustici, who is currently the managing director of the advisory firm StoneTurn, says, "Companies must take a much more nuanced approach to data confidentiality as encryption becomes weaker, but this ultimately represents incremental changes that can be dealt with by having a strong risk evaluation and mitigation program."
This story has been updated to reflect the correct timeline for publication of NIST's standards.