At first glance, a quantum computer has very little in common with one of the hundreds of millions of diminutive Internet of Things (IoT) devices taking the Internet by storm — the two sit at opposite ends of the computing spectrum. But, in the perpetual arms race between service providers and those that seek to disrupt and breach service provider networks, the two technologies are equally responsible for disrupting a long-standing and fragile stalemate.
The quantum threat
The quantum threat comes from unparalleled brute force and the exponential advantage quantum computers have in solving particular classes of computational problems. The quirky behavior of quantum bits (qubits) limits quantum computers to a narrow set of use cases, but unraveling the algorithms used in public key cryptography just happens to be something they’re exceptionally good at. Exactly when a quantum processor, or a network of quantum processors, will amass enough qubits to break these algorithms in a short amount of time is subject to much debate. But what is clear is that it’s a question of ‘when,’ not ‘if.’ The industry is so terrified of this eventuality that it has given it a name: Q-Day.
To avoid a Q-Day apocalypse, the National Institute of Standards and Technology (NIST) is overseeing the development of a new set of public key cryptographic algorithms that will take quantum computers an impractical length of time to crack. While this initiative, known as post-quantum cryptography (PQC), is making good progress, standardization and mass deployment are expected to take years. Who gets to the finish line first, sufficiently powerful encryption-breaking quantum computers or universal PQC deployment, is the subject of yet another unnerving debate.
Irrespective of this, the time to act is already here. Of increasing concern are so-called store-now-decrypt-later (SNDL) attacks: if malicious actors with adequate resources can intercept and store sensitive data flowing in today’s networks, then that data can be decrypted once Q-Day arrives.
Making networks quantum safe today
Luckily, there are already ways to make networks quantum safe today. According to multiple authorities, including the NSA, NIST, ETSI and ANSI, symmetric encryption algorithms like AES coupled with large, highly random 256-bit keys are quantum safe.
These symmetric encryption algorithms can be used to introduce quantum-safe encryption of traffic flows between routers or optical switches, safeguarding all data well in advance of Q-Day. The symmetric keys can be distributed using quantum-safe encryption over traditional IP and optical links, or via quantum key distribution (QKD) mechanisms.
The rise of the botnet DDoS attack
Where quantum computers use massive compute to supercharge political or corporate espionage, legions of hijacked IoT devices can be combined in one botnet to unleash massive attacks on networks and the critical industries that depend on them. It isn’t that botnets are a new problem; it’s that they are now the problem responsible for the majority of Distributed Denial-of-Service (DDoS) volume.
Why? IoT proliferation is one reason: billions of devices are now expected to roam the internet. Weak security is another. Many IoT devices currently run porous versions of Linux or out-of-date firmware, making them easy targets for hijacking. Add to this the trend towards high-speed symmetric consumer internet plans, and security leaders have just placed an order of magnitude more DDoS bandwidth in the hands of attackers. All this glut has forced a collapse of botnet DDoS service prices to a mere fraction of what they were just a few years ago. Botnets have become the tool of choice for everyone from extortion gangs to political activists, and even nation-state actors in geopolitical conflicts.
How do security leaders thwart a botnet DDoS attack?
How do security leaders distinguish between hundreds of thousands of attacking IoT devices and valid traffic? How do they stop or limit just them, without impacting valid users and their service experience? This calls for special intelligence on IoT devices and their network supply chains. It requires the ability to quickly set up and tear down hundreds of thousands of IP filters — all without impacting network performance.
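To make the filtering problem above concrete, here is an added example (not from the original article or any vendor's product) that aggregates flagged source addresses into as few drop filters as possible without covering a known-valid user, then computes only the entries to install or tear down. The function names, the 0.75 density threshold, the /24 widening limit and the sample addresses are all assumptions made for illustration.

```python
import ipaddress

def build_filters(bot_ips, valid_ips, widest=24, density=0.75):
    """Aggregate flagged sources into CIDR drop filters.

    A filter is widened to its parent prefix only while the parent holds no
    known-valid address and at least `density` of it is flagged (assumed policy).
    """
    bots = {ipaddress.ip_address(b) for b in bot_ips}
    valid = {ipaddress.ip_address(v) for v in valid_ips}
    filters = set()
    for bot in bots:
        net = ipaddress.ip_network(str(bot))          # start at a host route
        while net.prefixlen > widest:
            parent = net.supernet()
            flagged = sum(1 for b in bots if b in parent)
            if any(v in parent for v in valid):
                break                                  # would hit a valid user
            if flagged / parent.num_addresses < density:
                break                                  # too many unknown hosts
            net = parent
        filters.add(net)
    # Merge sibling and nested prefixes so the router holds fewer entries.
    return sorted(ipaddress.collapse_addresses(filters))

def filter_delta(installed, desired):
    """Return (to_add, to_remove) so only changed entries are pushed."""
    installed, desired = set(installed), set(desired)
    return sorted(desired - installed), sorted(installed - desired)

# Constructed sample data using documentation address ranges (IPv4 only).
BOTS = ["198.51.100.%d" % n for n in range(8, 15)] + ["203.0.113.77"]
VALID = ["198.51.100.15"]

if __name__ == "__main__":
    current = build_filters(BOTS, VALID)
    print("install:", [str(n) for n in current])
    # Next interval: the lone device stops attacking, so its filter is torn down.
    nxt = build_filters(BOTS[:-1], VALID)
    add, remove = filter_delta(current, nxt)
    print("add:", [str(n) for n in add], "remove:", [str(n) for n in remove])
```

The per-bot scan is quadratic and is kept simple for readability; at the scale the article describes, a prefix trie would replace it.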
Despite the darkening threat landscape, protection against this full-court press on network security — from powerful quantum computers to the smallest IoT devices — is out there. Service providers just need to ask the right questions to ensure the requisite capabilities are an integral part of their new or upgraded network builds.