“The development of quantum technology has great scientific significance and strategic value. It is a major disruptive technological innovation that impacts and reconstructs the traditional technology system and will lead a new round of technological revolution and industrial transformation.” – Xi Jinping, President of the People’s Republic of China
Booz Allen Hamilton (BAH) just published a new report, Chinese Threat in the Quantum Era, analyzing how China’s emergent quantum-computing capabilities will shape its cyber operations and what steps CISOs should be taking now to guard against malicious exploits by the Chinese.
An adversary like China, having top-tier quantum computing capabilities, is a major threat to our national defense, economic stability, and the critical data and IP that runs our digital universe. Since Quantum Xchange’s launch back in 2018, we’ve warned that state-sponsored hackers in China will steal and stockpile encrypted data, then wait for the day when a quantum computer arrives to break its encryption – an attack known as “harvest today, decrypt tomorrow” or “harvesting.” Only now are we seeing major consulting practices and systems integrators like BAH begin to warn CISOs to the risks of harvesting attacks and what can be done to prepare for the quantum revolution.
BAH is far more restrained in their assessment of Chinese threat actors and harvesting attacks than Quantum Xchange, stating “China…will likely soon collect encrypted American data in hopes to eventually decrypt it when the advanced quantum systems go into operation.” Soon? We say, it’s already happening, and it’s been happening for some time.
Take for example the 2015 Office of Personal Management (OPM) data breach where state-sponsored hackers working on behalf of the Chinese government obtained and exfiltrated 22.1 million records, including records related to government employees, other people who had undergone background checks, and their friends and family. One of the largest breaches of government data in U.S. history, government information affected by the breach included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses.
The BAH report is a comprehensive view into China’s current quantum-computing capabilities and how the country’s long-term quantum goals will shape its near-term cyber-espionage targets and objectives. The more CISOs know about these emerging risks, the better able they will be to address them in strategic risk-mitigation plans.
Quantum Xchange has taken a similar approach with its Get Quantum Fit in 2021, an awareness campaign designed to educate stakeholders on the looming quantum threat – when a quantum computer breaks all popular current public-key encryption methods – and to provide useful materials to help kickstart quantum readiness planning and execution. The CIO’s Guide for Implementing Quantum-Safe Key Delivery: Positioning Your Business for a Quantum-Secure Future is one example. This informative and actionable guide provides expert advice on how best to keep data protected, business resilient, and network infrastructure quantum-ready from both present-day vulnerabilities and the quantum threat.
In an interview with NextGov, BAH’s Head of Strategic Cyber Threat Intelligence Nate Beach-Westmoreland shared, “While quantum may not pose a direct threat to most organizations for at least a decade, deploying certain critical mitigations like post-quantum encryption will also likely take at least a decade. This demands that strategies be developed and resources be aligned now in order to prepare.”
Acting now to ensure long-duration, persistent data is protected is especially true for federal government and its agency partners due to their unique data security requirements and challenges. Compared to other industries, government data has a much longer shelf life, up to 50 years in the case of official intelligence. The BAH report warns, “Encrypted data with intelligence longevity” i.e., biometric markers, covert source identities, Social Security numbers, and weapons’ design, “could be increasingly stolen with aims to eventually be decrypted.”
The report concludes with three overarching recommendations and roadmap to anticipating quantum:
- Conduct threat modeling to assess changes to organizational risk
- Develop a strategy for deploying post-quantum encryption
- Educate your people on quantum computing and maintain awareness
Beach-Westmoreland stresses in his final remarks, “The government is absolutely key in pushing this change across the federal and commercial space. Successful mitigation of this issue will be of vital benefit to core U.S. economic and national security interests.”
Luckily, there is an affordable, standards-based technology that can be dropped into your existing crypto infrastructure to make it immediately quantum-safe today and quantum-ready for the threats of tomorrow. Learn more about Phio TX here, browse the Government Resource Center, or check out the tutorial video on how to avoid TLS harvesting and SSL scraping attacks with Phio TX here.
