This silent cyber threat is a ticking time bomb

Sept. 21, 2023
How the "Harvest Now, Decrypt Later" attack and its chilling echoes of SolarWinds have changed the landscape

As a seasoned technologist and former intelligence officer, witnessing the SolarWinds attack unfold was like watching a thriller play out in real time. But it was no movie; it was a stark wake-up call to the vulnerabilities lurking in our software supply chain. Now, there’s a new shadow on the horizon, akin to a ticking time bomb - the "Harvest Now, Decrypt Later" attack. But more than just an echo of the SolarWinds attack, this silent cyber threat is already here, with adversaries covertly collecting our encrypted data with the intent to crack it open in the future.

The SolarWinds Attack: A Wake-Up Call

The SolarWinds breach caused fear among security experts. The impact was staggering. A stealthy infiltration of a software supply chain, manipulated to compromise government and private organizations. SolarWinds reported that 18,000 of their customers downloaded the breached software, with thirty-seven defense companies reporting breaches to the Department of Defense (DOD). The attack laid bare a weakness in the nation's cybersecurity, and it was like someone had turned on the lights in a room we didn't know was dark.

The Quantum Computing Revolution

Fast forward to today, and imagine a similar attack, not on software but on encrypted information. Imagine the scope is not just the customers of one security company; all data and communications everywhere are at risk. It’s not fiction; it’s happening as you read this. Adversaries are harvesting encrypted data today and storing it for future decryption. What’s the magic wand that will unlock this treasure trove of data? Quantum computing.

Quantum computing evokes a sense of something futuristic, almost magical. But the magic fades when we realize the encryption methods we trust, like RSA and ECC, will crumble like a house of cards in the face of a quantum onslaught. The sheer power of quantum computers will render many encryption methods used today obsolete.

Unlike classical computers that use bits (0s and 1s) to process information, quantum computers use quantum bits, or qubits, which can exist in multiple states at once thanks to a property called superposition. The superposition of quantum bits allows quantum computers to process many possibilities simultaneously, potentially solving complex problems beyond classical computers' reach.

The Quantum Threat: A National Security Imperative

Quantum computers are not a distant reality. Major tech companies like Google, IBM, and Microsoft are investing heavily in quantum computing research. In 2019, Google's quantum computer Sycamore claimed "quantum supremacy" by performing a calculation in 200 seconds that would take the world's most powerful supercomputer 10,000 years. Additional claims are arriving each year from different groups around the world, achieving quantum supremacy for specific experiments; it is only a matter of time before particular applications transition to general applications, just like classical computers progressed slowly at first. Now we carry mobile devices with power unimaginable even ten years ago.

You might think this is a future problem, but the clock is ticking. Data like personal identification, DNA, trade secrets, and national security information have a prolonged shelf life. Data harvested today will be decrypted and exploited in the future.

The U.S. Government has been increasingly concerned about the quantum threat to national security, and this mounting apprehension is evident in the growing cadence of warnings and publications in recent years. From the National Quantum Initiative (NQI) Act in December 2018 to the White House National Cybersecurity Strategy in March 2023, the urgency of addressing quantum security risks has intensified. In fact, the number of government publications around quantum has surged within a short timeframe. The number doubled from three between 2018 and early 2021 to six from 2021 to 2023. Informed by both public and classified data, the U.S. Government's accelerated quantum directives and legislation address the emerging threat.

Recent bipartisan efforts to fund quantum research and security highlight the seriousness of the situation. In a hyper-partisan era, politicians from both sides rallying behind quantum security initiatives underscore the need for swift, decisive action. This unusual consensus signals the U.S. Government’s commitment to addressing potential quantum risks facing its citizens and businesses.

Harvest Now, Decrypt Later: Understanding the Threat

Harvest Now, Decrypt Later (HNDL) attacks involve adversaries collecting encrypted data to decrypt it in the future when quantum computers become powerful enough to break current encryption methods. The core security risk lies in the transmission of encryption keys. Public Key Infrastructure (PKI), RSA, and Elliptic Curve Cryptography (ECC) are widely used for secure key exchange. However, these encryption methods are vulnerable to quantum attacks. Once these encryption methods are broken, the symmetric keys used to encrypt data and the data encrypted with those keys become exposed to quantum risk. Although symmetric key algorithms themselves are considered safe, their keys are primarily distributed using these quantum-vulnerable methods.

The Road Ahead: Preparing for the Quantum Future

Security leaders must take proactive steps to prepare for the quantum future. This includes conducting a comprehensive cryptographic inventory to understand the current state of encryption methods in use within your organization. It's crucial to end the transmission of encryption keys and implement Harvest Now, Decrypt Later (HNDL) security measures for critical data transmission. Finally, implementing Post-Quantum Cryptography (PQC) standards developed by the National Institute of Standards and Technology (NIST) must be prioritized to ensure robust quantum-resistant security.

To evaluate quantum preparedness, organizations can follow these basic steps:

  1. Cryptographic Inventory: Identify all cryptographic systems in use and understand their vulnerabilities to quantum attacks.
  2. Key Management: Know where encryption keys are stored and how they are used. Identify critical keys used in data transmission and understand their rotation schedule. Keys should be regularly retired and replaced by generating a new cryptographic key. 
  3. Risk Assessment: Evaluate the risk associated with each cryptographic system and prioritize updates based on their importance and vulnerability.
  4. Eliminate Key Transmission: For critical workflows, eliminate encryption key transmission to mitigate current and future harvest now, decrypt later attacks.
  5. Quantum-Resistant Algorithms: Start exploring and testing quantum-resistant algorithms recommended by NIST. Make your plan to implement once NIST finalizes its recommendations.
  6. Training and Awareness: Educate staff about the quantum threat and the importance of transitioning to quantum-resistant encryption methods. Assign a person or small team to track developments and adjust quantum planning.
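
One way to turn steps 1 through 4 into a first-pass triage, shown as an added example that is not from the original article or from Qrypt. The system names, record fields, and sample inventory are constructed; the `leaves_network` flag and the `PRE-SHARED` label (a key that is never sent over the wire) are assumptions of this example.

```python
from dataclasses import dataclass

# Public-key families the article names as quantum-vulnerable (RSA and ECC).
QUANTUM_VULNERABLE = ("RSA", "ECDH", "ECDSA", "ECC")

@dataclass
class System:
    name: str
    key_establishment: str  # how the symmetric key reaches the peer
    data_cipher: str        # symmetric algorithm protecting the data
    shelf_life_years: int   # how long the data stays sensitive
    rotation_days: int      # how often the symmetric key is replaced
    leaves_network: bool    # can ciphertext and key exchange be recorded in transit?

def key_is_quantum_vulnerable(system: System) -> bool:
    method = system.key_establishment.upper()
    return any(method.startswith(family) for family in QUANTUM_VULNERABLE)

def hndl_exposed(system: System) -> bool:
    # Exposure needs both conditions: traffic that can be recorded, and a
    # symmetric key wrapped or agreed with a vulnerable public-key method.
    # The symmetric cipher itself is not what makes the system exposed.
    return system.leaves_network and key_is_quantum_vulnerable(system)

def triage(inventory: list) -> list:
    exposed = [s for s in inventory if hndl_exposed(s)]
    # Longest-lived data first; ties go to the key that protects the most
    # traffic before it is rotated.
    return sorted(exposed, key=lambda s: (-s.shelf_life_years, -s.rotation_days))

# Constructed sample inventory (hypothetical systems, step 1 of the list above).
INVENTORY = [
    System("vpn-gateway", "ECDHE-P256", "AES-256-GCM", 5, 1, True),
    System("genomics-archive-sync", "RSA-2048", "AES-256-GCM", 50, 365, True),
    System("hr-backup-offsite", "RSA-4096", "AES-256-CBC", 25, 90, True),
    System("hsm-internal-bus", "RSA-2048", "AES-128-GCM", 10, 30, False),
    System("field-radio", "PRE-SHARED", "AES-256-GCM", 30, 180, True),
]

if __name__ == "__main__":
    for rank, s in enumerate(triage(INVENTORY), 1):
        print(f"{rank}. {s.name}: {s.data_cipher} key sent via "
              f"{s.key_establishment}, data sensitive {s.shelf_life_years}y, "
              f"key rotated every {s.rotation_days}d")
```

Systems that drop out of the list are the ones whose key exchange either cannot be recorded or does not rely on RSA or ECC, which is the effect step 4 aims for.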

The Quantum Clock is Ticking: Fortify Security Now

The gravity of this looming threat is not to be underestimated. We need a united front blending government policy, corporate responsibility, and individual vigilance. The time to fortify our digital walls is now.

Quantum computing holds boundless potential, but with it comes immense responsibility. We have seen the chilling echoes of what can happen if we let our guard down through SolarWinds. Let's not wait for another jarring wake-up call.

The countdown has begun. It's up to us to defuse the threat.

About the author: As Co-Founder & CTO of Qrypt, Denis Mandich drives the technology roadmap and secures the global expertise to achieve the company vision. Denis is also a board member of Quside, advisor to the Quantum Startup Foundry and NSF-funded Mid-Atlantic Region Quantum Internet.

Previously, Denis served 20 years in the U.S. Intelligence Community working on singular innovative technology essential to National Security. He speaks native-level Croatian and Russian.