An extraordinary technology is on the horizon that could reshape the world. Quantum computers are predicted to revolutionise many areas of industry from artificial intelligence, engineering, and pharmacology. In the realm of cyber security security they represent a threat.
Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people around the world every day. It is used to ‘protect data at rest and data in motion’.
The world is now racing to develop quantum computers that will be able to break the cryptography we all use to protect our intellectual property, our secrets and our Facebook updates. Many of the world’s leading tech companies have active quantum programs. Over the last three years, venture capital investors have placed $147 million with start-ups and governments worldwide have provided $2.2 billion in support to researchers. Some predict that a universal quantum computer is now only a decade away.
“A universal quantum computer with enough qubits would be able to handle the types of algorithms that could break cryptography”
Jaya Baloo is the Chief Information Security Officer at KPN Telecom. A global authority in cybersecurity and an expert in quantum computing, Jaya has worked in the information security arena for the past 20 years, working for global telecommunications companies such as Verizon and France Telecom. In 2015, she won the Cyber Security Executive of the year award. Now Jaya leads an information security team made up of highly driven specialists monitoring the online world. Their objective is to keep KPN reliable and secure for pretty much everybody – “customers, partners, and society”.
KPN B.V. is a Dutch landline and mobile telecommunications company. They operate in mobile and fixed line broadband services in the Netherlands. Today KPN provide services to millions of customers in every segment – from mobile callers to interactive TV, from internet users to business customers. Their objective is to provide reliable and future-proof networks and services, enabling all of their customers to be connected anytime securely.
Analysing Cyber Security Threats Today
Cybercrime is relentless and unlikely to stop. It is too easy and too rewarding and the chances of being caught and punished are perceived as being low. Cybercrime activity includes hackers searching for sensitive information, cyber attacks that shut down websites and criminals who steal money online.
The problem for many businesses today is that they lack the most basic security infrastructures and don’t encrypt all their data. This makes them vulnerable to attacks. The UK government found that nearly seven out of ten large companies identified a breach or attack in 2017. The average cost to large businesses of all breaches was £20,000 and in some cases reached millions. In a variety of ways, the cost can be more than just financial and can be detrimental for brand association and customer loyalty. TalkTalk, for example, incurred £60m in costs related to their cyber attack in 2015 – as well as 101,000 customers!
KPN 2012 Cyber Breach
In January 2012 KPN Telecom had to rethink their entire cyber security strategy after a 17 year old hacker broke into their network. Jaya was brought in to fix the situation. It was fortunate the incident was only a wake up call.
“We basically got hacked by a teenage kid. He managed to hack us through one vulnerability that he found – a single vulnerability. By exposing that single vulnerability, he managed to get access to hundreds of systems at KPN. The reason this was so bad was that he was just kid. He wasn’t intent on doing any real damage. He didn’t try to take away all the files or modify any data – it was just a game for him to get into the different systems.”
“Our CEO expressed it very basically at the time – it’s too far to actually thank the hacker for hacking us but in essence it opened up our eyes. In reality that’s actually what happened. I got hired on the basis of that hack and they did a lot afterwards to try to get their positions stable. So we set up a programme to illuminate our vulnerabilities. I was able to set up a team of over 80 people devoted to both defending and attacking our network.”
KPN Security Strategy
KPN now has teams for each phase of the security lifecycle – prevent, detect, respond, and verify.
Jaya explains that after the 2012 breach KPN developed a security cycle model that enables them to take action as soon as there is a risk of danger. “Because our team hadn’t existed, I based the new formation on this model instead of having a traditional corporate approach to it.”
“Prevent, Detect, Respond and Verify”
“So we prevent security from happening with a strategy and policy team; we detect proactively and reactively with an ethical hacking team and a security operation centre. Whatever we detect we go to rapid response with a computer emergency team. All those things – prevent, detect, respond – we verify throughout the entire organisation with senior security officers that are in place to make sure they can follow up and learn from whatever happens in the field and put it back through to prevent.”
How Can Organisations Improve Their Security Strategy?
Jaya reveals that KPN are unique in that they update their security continuously through a 12 month cycle. Furthermore, she believes that their example can be beneficial to others: “Leaders should download our free app. We have an iPad app called KPN CISO”
KPN CISO enables leaders to draft their own security policy, make a statement about the severity of vulnerabilities in software, and the potential damage of a security incident.
“This is basically our entire policy. There’s a renewal of the content of the policy every three months. So on a quarterly basis we look at the newest attacks out there to make sure that we can keep innovating securely: as a telecom operator we have a lot of legacy. We are a big company, there are millions of devices on this network, there are terrabit of data going through the network everyday. As a result of that we have a very flexible architecture and flexible policy that can cope with all of the new attacks that we’re seeing.”
The Quantum Threat
Universal quantum computers could be upon us by the end of the 2020s. Some claim that a quantum computer with only 256 qubits could destroy the basis for all modern day encryption methods. “Part of our mission at KPN is to not just look at the security threats that are impacting our customers and network today but those things that are coming up. It’s all about a long term intrinsic need for privacy and security preservation for not just the next 5 years but the next 45 years”, Jaya claims.
“Today we’ve engineered our current cryptography on some very difficult maths problems. The two fundamental maths problems that we’ve based it on are called integer factorisation and discreet logarithms. Both of those problems, or one way functions, will be reversed and wreak havoc on asymmetric cryptography when quantum computers arrive.”
Jaya explains that a lot of cryptography is based on the multiplication of very large prime numbers. “Those very large prime numbers result in a large product. Our current computers are built to multiply those numbers together to get the resulting product. If you can factorise or reverse that one way function then you would be able to find the original plain text – before the crypto occurred.”
“Today, with our current computers, we have a very hard time figuring out and reversing that! However, this is not a problem for quantum computers whose fundamental architecture and scale is so different. With a universal quantum computer you would effectively break the things that are relying on discreet logarithms and integer factorisation.”
“It would be the difference of a classical supercomputer taking billions of years to tackle a problem, compared with a quantum computer taking seconds and minutes.”
“The Future Is Closer Than You Think”
Although we may have some time before the arrival of universal quantum computers, it is axiomatic that business leaders act now. Jaya points to her three phase plan to prepare your business today: ‘Bigger keys, QKD, and Post Quantum’.
Increase your current key length: Stretch the timeline by extending the key length – make it harder for intruders to break in! “The first thing you can do is even if you’re using AES or another algorithm is increase the key length of the algorithm that you’re using. You’re basically just stretching the amount of time you can use the algorithms to prevent a live attack. Extend the key length that you’re currently using!”
Quantum Key Distribution: “The second thing that you could do is look at Quantum Key Distribution (QKD) – You need make sure you’re looking at QKD for your absolutely vital links! QKD is the idea that the actual physical aspects of a quantum communications link would allow you to test for the presence of an intruder on that link; thereby allowing you to verify the validity of that link subject to interception of any kind. KPN announced a partnership with Swiss cyber security firm and QKD provider ID Quantique in the Spring of 2016 to implement a quantum key distribution (QKD) trial. [for more information on QKD check out our interview with ID Quantique here] “Last May we did a pilot of a link between the Hague and Rotterdam Data centre. This was a single a QKD link on our telecom fibres.”
Post Quantum Algorithm: Jaya admits that currently QKD does not work well across the scale of the entire internet – therefore other alternatives need to be approached. “As a result we will also need to look at post quantum cryptography. You need to figure out your strategy to find the best post-quantum cryptographic for application on devices, software, as well as networks. We are currently closely following the work of NIST as well as conducting our own trials for Post Quantum Cryptographic algorithms , which I believe is the future proof solution for internet scale applicability.”
Welcome to Quantumbusiness.org. The first news portal dedicated to exploring the quantum computing revolution and its forthcoming impact on global industry. For more information on content creation and the opportunity to share your story with the world, please contact our lead editor Hal Briggs [firstname.lastname@example.org].
Article written by Hal Briggs from Quantum Business