How quantum cybercrime is already happening


21 May 2024

Image: © VectorMine/Stock.adobe.com

While quantum computing could bring hugely positive impacts, TCS’s Ganesh Subramanya explores the darker side when it comes to cybercrime.

Click here for more Cybersecurity Week stories.

When we consider the positive impacts quantum technology will bring and the rapid speed at which capabilities are advancing, there is already a strong case for organisations to start paying attention to their quantum readiness with this future in mind.

However, there is an even stronger case for organisations to be quantum cybersecurity ready as soon as they possibly can be.

The hidden world of ‘steal now decrypt later’

The advent of quantum technology is expected to significantly enhance the sophistication and complexity of cyberattacks in the future – a fact that has been pointed out several times by EU policymakers.

As well as super-charging the cybersecurity attacks themselves, quantum computation is likely to be able to break even the strongest of classical computing cryptography algorithms soon, particularly when coupled with the learning and data analysis capabilities of AI.

Though many European organisations are still getting to grips with this new incoming era of cybersecurity, some cybercriminals are already taking advantage of the technology with a ‘steal now, decrypt later’ (SNDL) approach. SNDL, sometimes referred to as ‘harvest now, decrypt later’, is the practice of gathering encrypted information now with the ambition of unlocking that information using future quantum technologies.

Such information can be sensitive business data, but also individuals’ health and financial records. In other words, it is the equivalent of stealing the safe, instead of just the money in the safe, and cracking the safe open later when you have the right tools to do so.

The pressing part about SNDL is that this strategy is already being deployed, and it is going undetected because cybercriminals are not using the stolen data yet, so companies and individuals sometimes do not know that their data has been stolen. Even if they do know that they have been breached, the fact that the data is encrypted gives organisations a false sense of security as the stolen data may not stay encrypted forever.

Putting these often undetected and therefore underreported cybercrimes into context, last year, European organisations collectively battled tens of thousands of cyberattacks. And attack numbers continue to rise, with around half of all firms in Germany, France, The Netherlands, Spain and Belgium experiencing a cyberattack in 2023. When we consider that undetected cyberattacks are often not included in reported statistics, these cyberattack numbers will be even higher.

For European organisations, this means that becoming quantum-ready is more than being prepared to embrace the new innovations and cybersecurity practices. It also means being prepared for a potential SNDL scenario, and adjusting your security set up for the future world of quantum cybercrime.

 How to become quantum-secure

Becoming quantum-secure is a process that requires planning and preparation. Starting early is key, as it allows organisations to conduct risk assessments based on comprehensive cryptography inventories before beginning any digital transformations.

With quantum algorithms such as Grover and Shor already capable of breaking some of the most widely used cryptographic algorithms among organisations, taking inventory enables businesses to prioritise their weakest, higher-risk applications or systems for transformation.

Once a risk assessment has been conducted, the next step towards protecting a business from attack is to become cryptography-agile by replacing potentially vulnerable algorithms with quantum-safe ones. Cryptography agility means that organisations can use both traditional and quantum-safe algorithms, enabling faster migration to new cryptographic algorithms and allowing them to run alternative algorithms should vulnerabilities be identified in a quantum-safe algorithm.

Organisations can also prepare for a quantum-powered world by decoupling cryptographic logic from business logic in applications to improve security for key business operations.

Once your algorithms have been made quantum-safe, it is then important to address the possibility that your security perimeters have already been breached by cybercriminals looking to decrypt your data at a later point. Planning is key here as this is a disaster-preparedness situation. Your first port of call is to ensure that your software architecture is safety backed up in a secure second-party location, such as with a cloud provider.

The role of cloud

Cloud services can help organisations transition to quantum preparedness in two ways. Firstly, through digital backup capabilities in case of a quantum breach, with organisations ideally keeping data in a cloud-based secondary location, and additionally through their support capabilities for organisations transitioning to a hybrid approach between quantum and classical cyber suites.

Many cloud providers are already working to implement post-quantum cryptography algorithms to secure their cloud services and are well positioned to help clients on this journey. Post-quantum cryptography libraries are also available from certain cloud providers, providing a suite of quantum-safe algorithms that cloud-enabled businesses can experiment with and integrate into their systems.

Moreover, many cloud providers are conducting trials for quantum key distribution, which uses a protocol based on quantum mechanics to securely transfer cryptography keys. This, in turn, ensures secure communication in a quantum-powered world.

Ultimately, prioritising adaptability and agility pays off. Starting with taking inventory, being conscious of the weak spots in your IT architecture from a quantum standpoint already provides valuable insight into future risks. Subsequently, adapting as needed to become quantum-ready, quantum-secure, and agile enough for a SNDL situation is essential in a world where a quantum revolution is imminent.

Cybercriminals are already prepared and working towards this future, European organisations need to be doing the same.

By Ganesh Subramanya

Ganesh Subramanya is the global head of data security and OT and IoT security practice at TCS.

Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.