SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Why enterprises and governments should prepare for Q-Day
Fri, 24th Nov 2023

In today's hyper-connected world, as enterprises and governments accelerate digital transformation to boost the efficiency, sustainability, and safety of their operations, they must also ensure they are leveraging the best available safeguards to protect against digital-era cyberattacks.

Digitalization promises industries vast improvements and efficiencies that are simply too good to pass up, including substantial benefits for mission-critical industries. As these digital evolutions take place, new opportunities for cyberattacks will emerge – this is often referred to as an expanded attack surface. For example, as power utilities incorporate new and varied sustainable power sources into their grid and rely more on digital tools for automation, monitoring and management, they, too, increase their attack surface.

Data breaches are often accompanied by heavy fines, ransom payments and even more difficult-to-measure costs, such as loss of consumer trust and impact on brand reputation. When we couple this with the fact that Cybercriminals often target human-critical systems to disrupt our everyday lives – such as the mission-critical networks that support power grids and utilities, public safety, healthcare, financial systems, education, transportation, and other societal services, many organizations expect it is not a question of 'if', but 'when' they will be targeted.

In 2022, in the US, the FBI, NSA, Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) warned that major US utilities were targeted in state-sponsored hacking attempts. Critical infrastructure sectors such as utilities and transportation are also closely linked to a country's economy, which compounds the impact of these attacks.

Logistics companies, too, are feeling the pressure as they implement more digital initiatives. Earlier this year, international post in the UK was disrupted for days when Royal Mail was targeted by ransomware. Governments and public safety agencies are also at risk and often a prime target for bad actors. Just recently, Japan's agency for defence against cyberattacks was found to be infiltrated, an attack that lasted nine months before the incident was discovered. And just this month, the personal details of UK Police officers in Greater Manchester were hacked in a ransomware attack.

Attacking at Quantum Speed

Today's encryption methods are designed to protect conventional computers, but what happens when attackers have access to more powerful capabilities? 

Governments and research organizations are investing in quantum computing to address sustainability, defence, climate change and other societal challenges. 

Enterprises are now using it, too. Mercedes Benz is shaping the future of electric vehicles; US banks are running advanced financial computations, and it was used to accelerate the study of COVID treatments. The mining and oil and gas industries can leverage the output of quantum computing studies to more accurately research where to drill successfully, and power utilities can gain a greater understanding of weather patterns and the impact of climate change and storms on their grid performance. Medical researchers are looking to quantum computing to accelerate treatments and drug development for conditions ranging from cancer to Alzheimer's. 

The potential to use quantum computing for good appears to be limitless, and progress demands that we leverage its capabilities. However, when bad actors use it to do harm, quantum-speed problem-solving could rapidly become quantum-speed cyberattacks. This will require a cryptographically relevant quantum computer (CRQC), which carries with it the capability and potential to impact economies, disrupt critical research or, worse, endanger lives. Cybercriminals could hijack millions of connected IoT devices to create distributed denial of service (DDoS) botnets that flood IP and optical networks with terabits of data and hundreds of millions of packets per second. 

Many experts predict this day could arrive by 2030 – or sooner. Another commonly held belief is that bad actors are not waiting for the arrival of a CRQC; they're preparing by harvesting data now and storing it to decrypt it on Q-Day in a mass attack.  

Preparing enterprises and governments for Q-Day with a secure, defence-in-depth, quantum-safe networking approach

So, if cyber criminals are preparing, then shouldn't critical industries too? We must prepare critical networks for the threat now. It takes time and careful expert work to upgrade and modernize these networks. In August 2023, the US CISR, NSA, and NIST organizations prepared a brief on Quantum-readiness providing guidance to critical industries and technology vendors. 

This will require network modernization, taking a multi-layer approach from optical core to edge and everywhere in between. This makes it possible to expand the scope of quantum-safe protection beyond the optical core to the IP edge and application layer and to encrypt in-flight network data effectively according to the transmission and network infrastructure.

The future is in embedding advanced cybersecurity protection and quantum-safe encryption into zero-trust-driven IP's and optical technologies.

IP/MPLS routing and optical switching networks that meet the highest level of security required for mission-critical public safety communications, power utility grids, transport infrastructure, logistics networks and more will be essential. 

This is part of the work we've been doing at Nokia, and our commitment to this demonstrates how we are already contributing to protecting our enterprise and government customers against 'harvest now, decrypt later' attacks and preparing them for the advent of Q-day.