
The infusion of AI into IoT infrastructures shows it’s vital to take cybersecurity seriously.

Although, like many of us in this industry, I am fascinated by technology and curious to explore its possibilities, I am no hacker, well-intentioned or otherwise. Yet I do own a couple of gadgets, available through reputable channels of course, that can sniff for open Internet ports and probe access-control systems, like hotel room keys. It’s got me thinking about the power of tools available to serious-minded hackers who devote their careers and considerable brain power to finding and attacking vulnerable targets online.

In the real, above-board world, we are placing increasing trust in the software applications that enable our lives, infrastructures, jobs and economies. And with the infusion of AI into all these applications, we know less and less about the mechanisms controlling them, or the values directing those mechanisms.

Keeping bad actors out is extremely important, especially as an increasing variety of cyber-physical systems – IoT applications – assist our daily lives at home, on the roads and in factories. As consumers, we enjoy legal protection against many types of cybercrime. We may not know when a connected device like an IP camera has been taken over and used in a botnet. These threats are abstract and virtual.

In the IoT world, however, attacks can have direct and real consequences. We can suffer tangible losses or bodily harm when, for example, easily available devices and sourceware unlock the doors to our houses while we are out, or lock permanently to imprison us inside, take over our car while driving, disable safety systems at work, or sabotage the transport infrastructure we use every day. At the very least, such exploits can erode our confidence in technology and the way we live our lives. This, in itself, is a goal for some hackers like political activists and nation-state actors.

We may believe there is safety in numbers, that the law of averages should mean we are unlikely to be targeted. But hackers with sniffers can move around the Internet extremely quickly and attacks are happening continuously. When I scan my firewall at home using my beginner-level equipment, it’s surprising how much evidence of probing I can find. According to security studies, the first sniffs and opportunistic attacks on newly connected IoT devices come within five to 10 minutes of the device going online. In high-risk IP ranges – those belonging to organizations that are popular targets for hackers – it can start within seconds. The sniffers look for open ports, like port 23, often used for Telnet connections, or port 47808, typically chosen for smart-building protocols, and begin trying attacks such as logging in with default passwords. This is why changing that default to a unique password is the minimum any user should do when setting up a new device.
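The firewall evidence described above can be tallied with a short script. This is an added example, not the author's own tooling: it assumes the firewall writes Linux netfilter-style `key=value` log lines, and the sample lines, their addresses (documentation ranges) and the `FW-DROP` prefix are constructed for illustration.

```python
import re
from collections import defaultdict

# Ports named in the column: 23 (Telnet) and 47808 (smart-building protocols).
WATCHED_PORTS = {23: "telnet", 47808: "smart-building"}

# Assumption: netfilter LOG-style fields; only these three are needed here.
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

# Constructed, abbreviated sample lines (not taken from a real firewall).
SAMPLE_LOG = """\
Jan 12 03:14:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40112 DPT=23 SYN
Jan 12 03:14:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40113 DPT=23 SYN
Jan 12 03:15:31 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=53 PROTO=UDP SPT=51822 DPT=47808
Jan 12 03:16:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=51900 DPT=23 SYN
Jan 12 03:17:40 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33210 DPT=443 SYN
Jan 12 03:18:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 12 03:18:05 gw dhcpd: DHCPACK on 192.168.1.20
"""

def parse_line(line):
    """Return (src, proto, dport) for a logged packet, or None if no port is present."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "PROTO", "DPT"} <= fields.keys() or not fields["DPT"].isdigit():
        return None  # ICMP, non-firewall lines, or malformed entries
    return fields["SRC"], fields["PROTO"], int(fields["DPT"])

def summarize_probes(lines):
    """Count hits and distinct sources per watched port; list multi-port sources."""
    per_port = defaultdict(lambda: {"hits": 0, "sources": set()})
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in WATCHED_PORTS:
            continue
        src, _proto, dport = parsed
        per_port[dport]["hits"] += 1
        per_port[dport]["sources"].add(src)
        ports_by_src[src].add(dport)
    # A source touching several watched ports looks like a sweep, not a stray packet.
    sweepers = sorted(s for s, ports in ports_by_src.items() if len(ports) > 1)
    return dict(per_port), sweepers

if __name__ == "__main__":
    report, sweepers = summarize_probes(SAMPLE_LOG.splitlines())
    for port, stats in sorted(report.items()):
        print(port, WATCHED_PORTS[port], stats["hits"], sorted(stats["sources"]))
    print("sources probing more than one watched port:", sweepers)
```

Pointing `summarize_probes` at a real log only requires that dropped packets are logged with these fields; extend `WATCHED_PORTS` for whatever services the devices on the network expose.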

Passwords have many weaknesses, however. They are often easily guessed, and poorly designed devices that place no limit on the number of login attempts can be vulnerable to brute-force attacks with automated tools. Long and complex passwords, on the other hand, are difficult for legitimate users to remember and time-consuming to key in. Biometric user authentication is not always a practicable option.

Passwords are also easily discovered if stored or transmitted in plain text, so encryption is a critical part of the defender toolbox. It’s another battlefield where mathematicians pit themselves against each other on either side of the ethical divide to create and break ciphers. Quantum computing is poised to change everything here, and the first usable machines are beginning to emerge from research and testing to show us what they can do.

Quantum computers need large numbers of quantum bits – qubits – to achieve an advantage over classical computers, and this has proved to be a major challenge for researchers. Last December, however, Google announced its latest quantum chip, code-named Willow, which has 105 qubits. Willow demonstrated a benchmark computation in under five minutes that would take 10 septillion years using one of today’s fastest supercomputers. That’s a lot more than the age of the universe. Quantum error correction is another Willow strength, and key to its breakthrough performance, showing how far and how quickly the science is progressing. On the other hand, some claim that the benchmarks used to show off quantum computers’ prowess involve calculations conceived to favor their special properties.

But there is no doubt that quantum computers will soon become practicable and useful and that we will be able to accomplish work that would be impossible by classical computing. This point has become known as quantum supremacy. Frighteningly, from a security standpoint, quantum computers are coming that will easily break classical encryption and will thus quickly overwhelm any current cybersecurity. Although a significant step toward that point, Willow is not close yet. It’s reckoned that a 13 million qubit computer would be needed to break Bitcoin’s encryption in one day. When it happens, how will we redress the balance? Quantum encryption, of course. And so the battle of arms versus armor continues.

For now, many of us could, and should, be taking cybersecurity more seriously. Learning more about how hackers work, perhaps using our own scanners and sniffers to see the evidence of their activities, can be worthwhile and empowering. Perhaps shining a light on the dark web, where hackers share secret information about security vulnerabilities and can trade tools and malware apparently with impunity, could help us understand our opponents more clearly. On the other hand, that same light will likely expose many more unpleasant activities than we would want to imagine. We may learn enough to add an extra quadrant to the knowns-unknowns matrix, the analytical framework famously cited by former US defense secretary Donald Rumsfeld that ominously ends with the “unknown unknowns.” By learning more about the dark web, we will certainly discover things we wish we didn’t know.

Alun Morgan is technology ambassador at Ventec International Group (venteclaminates.com); alun.morgan@ventec-europe.com. His column runs monthly.
