What China’s Targeting of US Telecoms Means for Post-Quantum Security
Zhanna L. Malekos Smith explores what new security warnings may mean for the potential of advances in quantum computing.
Ceding the initiative to an adversary is a difficult position to recover from — even in cyberspace. Chinese state-sponsored cyber actors are seizing the initiative by exploiting publicly known vulnerabilities in unpatched network devices, such as home office routers, to compromise major U.S. telecommunications companies and network service providers, the FBI and other agencies warn in the latest joint cybersecurity advisory.
These cyber actors are infiltrating victims’ accounts by “using publicly available exploit code against virtual private network (VPN) services, or public facing applications — without using their own distinctive or identifying malware — so long as the actors acted before victim organizations updated their systems,” the advisory explained.
While defending against common vulnerabilities is essential, the Biden administration must maintain the initiative against post-quantum cryptography threats. Post-quantum refers to the stage when quantum computers advance to “a sufficient size and level of sophistication” that they break the cryptography that secures our digital communications and financial transactions on the internet. These systems are cryptanalytically relevant quantum computers, meaning they could pose significant national, economic and cybersecurity risks to the United States by weakening the public-key cryptography we rely on to communicate.
It is not a question of if, but when cryptanalytically relevant quantum computers will be developed, according to the White House’s fact sheet on quantum technologies, which estimates this milestone is attainable “at some point in the not-too-distant future.”
Last May, the Biden administration enacted two directives to expand the 2018 National Quantum Initiative Act: an executive order establishing a committee to advise the White House about the National Quantum Initiative program; and the National Security Memorandum on Promoting United States Leadership in Quantum Computing. The memorandum warns that quantum information science presents significant security risks to cryptographic systems that safeguard critical infrastructure and secure military and civilian communications.
The White House cautioned that this class of computers could “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most internet-based financial transactions.” Just as there is an eagerness to reap the scientific and commercial benefits of quantum information sciences and technology — a broad discipline of science and engineering — there is an equal sense of apprehension about the accompanying risks that “quantum supremacy” could bring to national and economic security. Quantum supremacy refers to a technological milestone when the computational speed and power of quantum computers could outperform that of classical computers.
Although the practical applications of quantum computing aren’t here yet, the technology holds tremendous potential for advancing the United States’ economy and supporting research in bioengineering, artificial intelligence and machine learning, and even financial market analysis.
Some companies are forming international quantum research partnerships to accelerate growth in the global market. In 2021, IBM helped Germany become the first European country to develop a quantum computer and plans to build quantum systems in Canada and South Korea by 2023. While commercial opportunities for collaboration abound, there is also an intensifying political competition amongst states to gain a competitive edge.
China, Russia and the United States are competing to become the leader in advanced computing before 2030. Other countries also are prioritizing quantum information sciences — France aspires to be one of the world’s leaders in quantum and supports the European Union’s Digital Compass project to produce its first domestic quantum computer by 2025. The United Kingdom is steadily investing in the National Quantum Computing Centre, following Prime Minister Boris Johnson’s call to “go big on quantum computing.” Japan’s government announced it will establish four quantum research centers and produce its first domestic quantum computer by March 2023.
The White House memorandum forewarns of “future attacks” against U.S. information technology infrastructure and emphasizes the need to begin updating systems to better protect against a post-quantum risk environment. Acknowledging these risks, it champions setting requirements for federal agencies to transition vulnerable cryptographic systems to using quantum-resistant cryptographic standards.
Preparation is a quintessential element of success. Transitioning infrastructure toward federally approved standards is not a small undertaking; iterative reviews will require discipline and patience. Thankfully, the National Institute of Standards and Technology is working with stakeholders in its call for proposals to produce quantum-resistant cryptographic standards by 2024.
By concentrating national resources on this complex challenge now, the United States will be better positioned to operate and thrive in a post-quantum environment.
Zhanna L. Malekos Smith is a senior associate with the Strategic Technologies Program and the Aerospace Security Project at the Center for Strategic and International Studies (CSIS) in Washington, an assistant professor in the Department of Systems Engineering at the U.S. Military Academy at West Point, and an affiliate faculty member with the Modern War Institute. The views expressed here are hers alone and not those of CSIS, the Department of Defense, or the U.S. government.
This first appeared on The Hill.