By Nate Nelson
State sponsored cyber attacks hardly make for exciting news anymore. When Russia hacked SolarWinds, it sparked international headlines for weeks. A few months later China hacked Microsoft, and you’d be hard pressed to find anyone outside the industry who knows about it. Perhaps we’re verging on the point at which state sponsored attacks are too common, too repetitive to feel novel. But they remain as dangerous as ever–you can’t take your eye off the ball now. Here are just a few steps you can take to protect your enterprise against state sponsored attacks…
Training
Almost every single cyber attack that has ever occurred has been the result of some kind of human error. Maybe it began with a server left unprotected on the open internet or, more commonly, a software vulnerability left unpatched. Often, it’s a phishing email sent to a low-level employee. The weakest link in any cybersecurity setup is not the machinery itself, but the people who operate it. Thus, to protect your enterprise against any attack–state sponsored or otherwise–training employees must be priority number one. This applies equally to employees directly involved in security, and those otherwise not involved with it at all.
Zero Trust
It looked like an ordinary software update. It was a software update. How could anyone have known? The SolarWinds attackers took advantage of the trust that companies place in their partners: the assumption that if a third-party provider is trustworthy in and of itself, everything it does will also be trustworthy. SolarWinds was a large, established company serving many of the biggest organizations in the world, so of course they could be trusted with complete, unfettered access to your networks. Right? The rise in supply chain cyber attacks, in particular, has accelerated the push towards “zero trust” security. According to the philosophy of zero trust, an enterprise must sever every relationship, every mechanism in its network that relies on trust in an outside party. Only in isolation, with complete control over all inbound information flows, can an enterprise be considered secure enough.
Quantum Key Distribution
The Enigma machine was uncrackable until it wasn’t. Every advanced encryption algorithm ever created might have seemed untouchable, until some engineer discovered a loophole and unraveled the whole thing.
Enterprise cybersecurity relies on the security of information pathways. Even if an origin and endpoint are perfectly secure, any data in transit must also be resilient against spying and tampering. That’s why we have encryption. But encryption only works until it doesn’t.
Quantum key distribution, on the other hand, is provably unbreakable in a lab setting. It works like ordinary public key cryptography, except it goes one step further, leveraging the fundamental laws of physics to protect against tampering. Information takes the form of “qubits”: bits which exist in a superposition of two states–neither 0 nor 1, but some combination of both–until the point at which they’re read by a receiver. Because the act of observation necessarily collapses the dual state of the qubit, any two parties using QKD can know if their data in transit has been sniffed by an outside party.
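The detection property described above can be seen in a small classical simulation. This is an added example, not part of the original article: it models BB84 (the best-known QKD protocol; the article does not name one) and shows an intercept-resend eavesdropper pushing the error rate in the sifted key from 0 to about 25%. The function names and the 11% abort threshold are assumptions of this sketch.

```python
import random

def measure(bit, prepared_basis, measure_basis, rng):
    """Reading in the preparation basis returns the bit; reading in the
    other basis collapses the state to a uniformly random outcome."""
    return bit if prepared_basis == measure_basis else rng.randint(0, 1)

def bb84_qber(n_qubits, eavesdrop, seed=0):
    """Simulate one BB84 run; return (sifted_key_length, error_rate).

    Simplification: the error rate is computed over the whole sifted key,
    whereas real parties disclose and compare only a random sample of it.
    """
    rng = random.Random(seed)  # simulation only, not a source of key material
    sifted = errors = 0
    for _ in range(n_qubits):
        bit = rng.randint(0, 1)        # sender's raw key bit
        s_basis = rng.randint(0, 1)    # 0 = rectilinear, 1 = diagonal
        state_bit, state_basis = bit, s_basis
        if eavesdrop:
            # Intercept-resend: the tap must measure (in a guessed basis)
            # and resend, which re-prepares the qubit in that basis.
            e_basis = rng.randint(0, 1)
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis
        r_basis = rng.randint(0, 1)    # receiver's independent basis choice
        r_bit = measure(state_bit, state_basis, r_basis, rng)
        if s_basis == r_basis:         # sifting: keep matching-basis rounds
            sifted += 1
            errors += int(r_bit != bit)
    return sifted, errors / sifted

def channel_is_clean(qber, threshold=0.11):
    """Abort key agreement if the error rate exceeds the threshold
    (0.11 is an assumed cut-off, near the commonly cited BB84 bound)."""
    return qber < threshold

if __name__ == "__main__":
    for tapped in (False, True):
        n, qber = bb84_qber(20000, eavesdrop=tapped)
        print(f"tapped={tapped} sifted={n} qber={qber:.3f} "
              f"clean={channel_is_clean(qber)}")
```

The same sensitivity is why the NSA list below counts denial of service as a risk: anything that raises the error rate, tap or noise, forces the parties to discard the key.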
The problem with QKD, however, is that it isn’t ready for prime time. It only works in lab environments using special equipment, and only works over short distances. According to the NSA, the limitations are as follows:
Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network, and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches.
Quantum key distribution increases infrastructure costs and insider threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration.
Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than in most physical engineering scenarios making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems.
Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD.
For these reasons, quantum key distribution won’t help you against state-sponsored attacks. But similar technologies–those that leverage the same quantum principles, without relying on perfect conditions–possibly can.
At Quantropi, we believe that every organization needs to harden today’s defences against attacks. We’re the only cybersecurity company in the world providing the 3 prerequisites for cryptographic integrity: Trust, Uncertainty, and Entropy (TrUE). Powered by quantum mechanics expressed as linear algebra, our patented TrUE technologies establish Trust between any two parties via quantum-secure asymmetric MASQ™ encryption (coming soon); ensure Uncertainty to attackers, rendering data uninterpretable forever, with QEEP™ symmetric encryption; and provide Quantum Entropy as a Service (QEaaS) with SEQUR™ – ultra-random key generation and distribution to enable secure data communications. All Quantropi’s TrUE technologies are accessible via our flagship QiSpace™ platform.
In the end, state sponsored cyber attacks will always leverage the most cutting edge technology–possibly that which isn’t even available to the private sector. They will be first to leverage the power of quantum computers. To protect your enterprise against state sponsored attacks, you’ll have to have quantum in your arsenal, too.