Time to prepare for the encryption bug
Industries are finally recognising that the challenges of security in the era of quantum computing are as great as those of the millennium bug 25 years ago, writes Alan Burkitt-Gray
In data centres around the world, especially those that provide services to governments, but also to financial institutions, email services and social media companies, a strange thing is going on.
According to people who know, international intelligence and espionage agencies are squirreling away encrypted files, documents and data-streams, even though they cannot decode them. Meaningless megabytes and gigabytes of ones and zeroes that today, as we move from 2022 into 2023, will remain meaningless.
Yet. Because, of course, all this information does have a meaning. That’s why it’s running over the networks. But it runs using a technique called public key cryptography (PKC) that has kept the internet going for decades – as long as there has been an internet used by members of the public.
But 2022 was the year when people in the industry started to come to terms with the fact that this era is at an end. The meteorite is approaching and our world of relatively secure data transmission will be destroyed. The meteorite in this case is quantum computing, now being developed by start-ups and giants across the world.
A better parallel is one that many of us remember rather better than events at Chicxulub, where the dinosaurs were 66 million years ago. This was the millennium bug, suddenly spotted by IT managers and what are now called CISOs – chief information security officers – in the mid-to-late 1990s.
That was when it dawned on a host of people that almost all computer programs and data would not survive past the end of 1999, because the first few generations of computers stored dates with years in just two digits – to save memory.
So if someone was born on October 10 1987, the computer stored this as 10-10-87. What happened when they turned 13 on October 10 2000? Utter confusion. Most likely, the system thought they’d achieved an age of –87.
With a mountain of work, the millennium bug was fixed, so effectively that conspiracy theorists believe, wrongly, it was a false alarm. It wasn’t, and neither is today’s encryption bug. And, today, governments, computer and telecoms companies, data centre operators and customers are becoming aware of this new bug.
White House alarm
Just in case anyone was in doubt, the White House put out an alarm in November 2022.
Shalanda Young, head of the Office of Management and the Budget (OMB), part of President Joe Biden’s executive office, told Federal agencies to “prepare now to implement post-quantum cryptography”.
She told agencies that they have until April 2023 “to submit a prioritized inventory of information systems and assets” that contain quantum-vulnerable cryptographic systems.
The key phrase there is “quantum-vulnerable”. Anything transmitted or archived using PKC is quantum-vulnerable. Someone with a quantum computer, now or in 2024 or 2025, will be able to read every word, see every transaction, note any health report, consult any legal filing. And consult every political plan in every democracy – or dictatorship – in the world.
You might as well write everything down on a postcard and send it to the Kremlin or any political bugbear of your choice.
In that eight-page memo, Young warned agencies that they should be aware of the dangers “that encrypted data can be recorded now and later decrypted by operators of a future [quantum computer]”.
Each agency has to update that list in annual filings to the OMB, from now until 2035. Each year they must submit “an assessment of the funding required to migrate information systems and assets inventoried under this memorandum to post-quantum cryptography during the following fiscal year”. The information will go to OMB and to the Office of the National Cyber Director (ONCD).
Young specifically excluded the Pentagon and US intelligence agencies: this is a rule for Federal agencies in the civilian sector. Why not them? Probably because they know the dangers already. At least, one hopes so.
She also set out the procedure for testing post-quantum cryptography, including “web browsers, content delivery networks, cloud service providers, devices and endpoints, and enterprise devices that initiate or terminate encrypted traffic”.
And, in case of doubt, she appends a list of what the OMB considers to be vulnerable technology when quantum computing and communications arrive, including Diffie-Hellman key exchange and the RSA (Rivest-Shamir-Adleman) signature algorithm, technologies that were used for PKC and until now – or until a year or two ago – were the gold standard for encryption. That’s what telcos, internet service companies and government networks have trusted for decades.
Young and others have issued a call to action to the tech world that is unlike any other since the 1990s.
But the army of fixers has responded, just as it did 25 years ago when hundreds of retired Cobol programmers put aside their golf and gardening to search through thousands of lines of code to make them suitable for after January 1 2000.
David Williams, a former banker who founded satellite company Avanti, is now in the fifth year of his second creation, Arqit Quantum. You’ve known of it for only a couple of years, as it was being highly stealthy at first.
But now Williams believes his technology, called QuantumCloud, is a solution to the encryption bug.
In December he wrote that there is “era-defining innovation” on the way. He believes his engineers have “created a completely new class of cloud native cryptography”, that “makes limitless zero trust keys which cannot be broken even by quantum attack and needs no rip and replace to software, working seamlessly with existing standards”.
This is approved by a cyber centre of excellence, says Williams – he says the centre is accredited by GCHQ, the UK’s signals intelligence agency, directly descended from the World War Two agency at Bletchley Park. That used the world’s first electronic stored-program computer to help to decode Nazi communications traffic.
“This [accreditation] was transformational for our ability to gain the belief of hyperscale vendors,” says Williams.
“We are now deploying a provably secure post quantum cryptography service at global scale through hyperscale vendors. Next year we can look forward to increasing the depth of deployment and broadening our vendor partnerships.”
Arqit has announced deals with Amazon Web Services (AWS), Dell and Fortinet.