In a 2018 study by the Ponemon Institute, the global average cost of losing one record to a data breach was estimated to be $148. For the United States, this cost rose to $233, giving it the highest average total cost at $7.91 million per incident. With the world experiencing a Cambrian Explosion of data growth, forecasted at 42% through 2020, minimizing the impact of malware is essential. What these statistics do not reflect, however, is the lasting effect of a data breach on public trust. Perhaps the most notable loss of trust in recent history occurred in early 2018, when Facebook leaked the data of 87 million users. Practically overnight, its public trust rating dropped 66%, instigating a market share loss of $134 billion, well beyond the intrinsic cost of the breach. If trust in high technology firms like Facebook is sensitive to data breaches, all businesses must constantly scrutinize the efficacy of their own cybersecurity landscapes to prevent intrusions into their own systems. Too often, cybersecurity frameworks are assumed to be holistically secure, only to be breached by a previously unknown threat. In this post, I articulate the importance of maintaining strict vigilance on cyber-threats by discussing one of the largest—yet relatively unknown—threats yet to come, namely how innovations in Quantum Computing may soon jeopardize RSA encryption.
RSA—colloquially known as public-private key encryption— is an asymmetric cryptosystem used to protect sensitive data during storage and transfer. Today, it is the single most popular encryption protocol in the world with over a billion customers. Yet, nearly 25 years ago, mathematician Peter Shor developed an algorithm with the ability to crack RSA encryption in polynomial time (i.e. very quickly with modern computers). Many have heard of RSA, yet few know of Peter Shor, who spelled RSA’s future demise before the release of Windows 95. Why is this? Shor’s Algorithm is a quantum algorithm. This means the only processors that can effectively run it are composed of quantum bits (qubits) and, as of this writing, do not commercially exist. No quantum computer today is powerful enough to run Shor’s algorithm. Yet, as quantum research progresses at a rate akin to classical computers in the 1990s, attention has refocused on the 1994 work of Peter Shor. Quantum computing and RSA encryption are on a collision course. With Shor’s Algorithm posing a distinct threat to RSA information security and quantum computing progressing rapidly, the world must advance its encryption protocols beyond RSA before the two converge. If the world simply reacts to the creation of a quantum computer that can run Shor’s Algorithm, it will already be too late to preserve data safety. Historically, it has taken around 20 years to adopt new encryption systems. The timeline for this convergence is debated, but optimists consider some form of quantum supremacy also attainable in the next two decades. Many feel we must act now.
Public and private institutions alike increasingly recognize the risks quantum computing may bring to information security. In 2017, the National Institute of Standards and Technology (NIST) launched an international, multi-year competition to create an encryption system resistant to quantum computers. Google, IBM, and other private firms are also funding similar research as they simultaneously race to evolve quantum computers into a commercially viable product. While Google is fervent about leading the charge to quantum supremacy, it recognizes the security implications of its discoveries. Leveraging a dedicated quantum team, since 2016 Google has been experimentally encrypting random Chrome sessions with different quantum resistant algorithms along with traditional cryptosystems. Through a previous fellowship with NIST, I was able to learn about post-quantum cryptography and its progress firsthand. Prior to joining West Monroe as a technology consultant, I worked as a research fellow and software developer for NIST. As a member of their quantum computing group, I was afforded the opportunity to meet with some members of the post-quantum cryptography judging panel and listen as they reviewed submissions. A collection of mathematicians, cryptographers, quantum physicists, and cybersecurity experts, the panel evaluates each cryptosystem across a variety of criteria. The assessment is extensive, but all members kept focus on the practicality of implementation, efficiency, and extensibility of each solution. Implicitly, they recognize that adoption of these protocols could be widespread and essential to maintaining global information security.
It may be years before quantum computers pose a direct threat to RSA encryption, but a greater lesson remains: Security threats can arise suddenly, sometimes from near-forgotten discoveries of the past. Malware and intrusion methods are evolving nearly as fast as the software created to prevent them, and the quantity of data at risk is only increasing. Often, the largest cost of a data breach arises from the long-term loss of public trust. Staying current on documented cyber-attacks, protecting data against Ransomware, and aligning your business’s cyber landscape with NIST’s cybersecurity framework are a simple but essential ways to demonstrate your commitment to data protection to the public.
Rivest, Ronald L., Adi Shamir, and Leonard Adleman. "A method for obtaining digital signatures and public-key cryptosystems." Communications of the ACM21, no. 2 (1978): 120-126.
A look inside the process: How to ‘shift left' security and compliance in financial services