What the New Federal Cybersecurity Act Means for Businesses
On December 21, 2022, President Biden signed the Quantum Computing Cybersecurity Preparedness Act.
The risk of quantum-powered password decryption is increasing exponentially. The new legislation is designed to help federal agencies proactively shift to a post-quantum security posture. Agencies have until May 4, 2023, to submit an inventory of potentially vulnerable systems, and the Act directs the Office of Management and Budget (OMB) to prioritize the adoption of post-quantum cryptography standards.
For businesses, government efforts to address emerging quantum risks are canaries in digital coal mines. There’s a real risk on the horizon, and the time to act is now.
Despite ongoing investment, research and development, quantum computing advantages remain largely theoretical. As efforts close in on practical applications, however, companies must understand how quantum technology could help — and potentially harm — day-to-day operations.
Put simply, quantum computers go beyond the binary states of 1 and 0 to vastly improve processing power. Unlike traditional computers, which store bits of information as either 1 or 0, quantum bits (qubits) make it possible for particles to exist in multiple states at the same time. This means that a qubit isn’t 1 or 0 or both — it’s somewhere in the middle. It’s also more about probability and particle interaction than high-level descriptions convey. But for the purposes of quantum computing power, the shift away from binary is the critical component.
While initial research focused on creating and sustaining these qubit states, recent efforts have scaled up the number of qubits a computer contains. For example, IBM researchers recently unveiled a 433-qubit computer named Osprey, a significant step up from the 127-qubit Eagle processor in 2021.
Passwords aren’t exactly known for their ability to defend against committed attackers. With many users still opting for passwords such as “123456” and the ever-popular “password”, enterprise IT teams are constantly searching for new ways to reduce security risks. Quantum computing adds a new cryptography concern. The issue stems not from passwords themselves but from the process of cryptography, which describes how passwords are encrypted. Current methods use mathematical algorithms to generate keys that are easy to verify but difficult to break.
How difficult? Current asymmetrical algorithms, including RSA and ECDSA, would require billions or trillions of years to break using a traditional computer. Armed with a quantum device, however, this same process could take just 8 hours.
Symmetric solutions such as AES, meanwhile, may be more resistant to these quantum attacks given their key lengths. That’s because quantum attacks on symmetric keys rely on what’s known as Grover’s algorithm, which reduces the time to crack a symmetric key to its square root.
This means that if the average time required to crack a key using traditional methods is one trillion years, a quantum computer could do it in the square root of that time, or one million years — which is still too long to be of any use. As the number of available qubits increases, however, so too could the ability of quantum computers to break even the best symmetric encryption.
Worth noting? The risk here isn’t about a quantum computer “guessing” the right password. The concern is in their power to break encryption itself. Also known as a brute-force attack, it’s more worrisome than simply stumbling on the right answer to a password problem since it renders the underlying encryption useless for future endeavors.
Quantum computers aren’t cracking encryption keys quite yet. But steady progress in both the volume of qubits and the stability of quantum devices means businesses should take action now rather than later.
Here are four things enterprises can do right now to reduce their quantum risk.
The federal legislation offers a solid suggestion to get started with post-quantum security: Create an inventory of at-risk systems. By taking stock of current password-protected apps and services that aren’t up to quantum security standards, businesses can prepare for the next phase of digital protection.
As noted above, symmetric standards such as AES-256 offer better protection against quantum attacks. Longer bit lengths are likely just a temporary fix as quantum processing power increases. However, it’s a good way to defend current assets as quantum security tools evolve.
Quantum protection isn’t something most companies have the time and expertise to implement themselves. As a result, it’s worth finding partners with expertise in this area to help make the security shift. For example, IBM’s Quantum Safe solution provides education, strategic guidance and custom program creation to help secure your digital assets.
Evolving quantum cryptography methods leverage the nature of quantum systems to help deliver improved protection. Put simply, the entangled nature of quantum particles means that even the act of observation creates a change in state. As a result, attackers attempting to eavesdrop on an exchange of quantum-encrypted photons would change the position of these photons. This, in turn, would alert security solutions to their presence.
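The inventory and key-length steps above, as an added example that is not part of the original article: it parses OpenSSL-style TLS 1.2 cipher suite names, flags the public-key algorithms in each, and halves the symmetric key length to reflect the square-root speed-up on key search. The system names, the sample inventory, the 128-bit threshold and the inclusion of the Diffie-Hellman families (which the article does not name) are assumptions.

```python
import re

# Public-key names in OpenSSL-style suites; article names RSA/ECDSA, DH families are an assumption.
ASYMMETRIC = {"RSA", "ECDSA", "DSS", "DH", "DHE", "ADH", "ECDH", "ECDHE", "AECDH"}
SYMMETRIC = re.compile(r"^(?:AES|CAMELLIA)(\d{3})$|^CHACHA20$")
MIN_POST_QUANTUM_BITS = 128  # assumed policy threshold, not from the article

# Constructed sample inventory: (hypothetical system name, negotiated suite).
SAMPLE_INVENTORY = [
    ("hr-portal", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("payments-api", "ECDHE-ECDSA-AES256-GCM-SHA384"),
    ("backup-archive", "AES256-GCM-SHA384"),
    ("iot-gateway", "PSK-AES256-CBC-SHA"),
    ("sensor-mesh", "PSK-AES128-CBC-SHA"),
]

def assess(suite):
    """Classify one cipher suite name for a quantum-risk inventory."""
    tokens = suite.upper().split("-")
    key_bits, prefix = None, tokens
    for i, tok in enumerate(tokens):
        m = SYMMETRIC.match(tok)
        if m:
            key_bits = int(m.group(1) or 256)  # ChaCha20 keys are 256-bit
            prefix = tokens[:i]
            break
    # No prefix before the cipher (e.g. "AES256-GCM-SHA384") means RSA key transport.
    public_key = sorted(set(prefix) & ASYMMETRIC) if prefix else ["RSA"]
    # Square-root speed-up on key search halves the effective key length in bits.
    pq_bits = key_bits // 2 if key_bits else None
    actions = []
    if public_key:
        actions.append("migrate public-key algorithms: " + ", ".join(public_key))
    if pq_bits is None:
        actions.append("unrecognised cipher: review manually")
    elif pq_bits < MIN_POST_QUANTUM_BITS:
        actions.append(f"lengthen symmetric key: {key_bits}-bit is ~{pq_bits}-bit")
    return {"public_key": public_key, "key_bits": key_bits,
            "post_quantum_bits": pq_bits, "actions": actions}

def inventory(systems):
    """Return {system: assessment} for systems needing action, most actions first."""
    found = {name: assess(suite) for name, suite in systems}
    at_risk = {n: a for n, a in found.items() if a["actions"]}
    return dict(sorted(at_risk.items(), key=lambda kv: -len(kv[1]["actions"])))

if __name__ == "__main__":
    for name, a in inventory(SAMPLE_INVENTORY).items():
        print(name, a["actions"])
```

TLS 1.3 suite names use a different format and carry no key-exchange or signature information, so they fall into the manual-review bucket here.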
Quantum concerns are no longer theoretical. As evidenced by new government legislation, there’s a real risk on the horizon for current cryptography methods.
With quantum computers still not up to the task of cracking best-of-breed encryption, the evolving state of security presents an opportunity for organizations. By taking steps before risk ramps up, it’s possible to establish proactive, protective perimeters that help companies build better security qubit by bit.