NATO, as an alliance of 29 nations, relies on knowledge about information technology advances from the individual nations themselves, their various industries and academic or research institutions. As the next generation of computing interests and concerns has shifted to quantum computing benefits and associated cybersecurity challenges, NATO’s Communications and Information Agency (NCI Agency) seeks to help incorporate solutions into ongoing and future capabilities.
NCI Agency’s role is to be in the forefront of scientific study, preparation and planning to ensure the IT benefits of quantum computing are recognised and employed in a practical manner to modernise and secure NATO’s networks and services.
So where are we now? In terms of IT infrastructure modernisation from 2018–22, the alliance is implementing network, data centre, core information services, cybersecurity, and service management and control capability packages valued at over €2.5 billion. These investments are made to realise specific business, operational and technical benefits. Overall, the creation of a ‘private business network’ or PBN helps consolidate and rationalise security domains. A by-product of this capability is to enable a fundamental change in how NATO holds secure consultations and conducts military operations. The aim is to strengthen the alliance through connecting its forces.
Since NCI Agency’s inception in 2012, major investments in cybersecurity incident response capabilities (hardware, software and personnel skills) were made and the alliance remains focused on sustaining a strong defensive posture. Looking internal to NATO, we seek to improve cyberhygiene by quickly implementing software patches, and continuously assessing and repairing vulnerabilities. We are raising the bar in this area, to ensure our processes and procedures are matured to reduce risks at the edges of the enterprise. In the near and mid-term, we are leveraging multinational capability development teaming to incorporate improvements in cyberdefence situational awareness, artificial intelligence, big data analytics and other technological advances. It is through multinational projects and capability development programmes that NATO can take advantage of the speed of quantum computing, effectively getting more computing power in the same space. Our quest is to discover how this new thrust of computing strength can give NATO new tiers of power to analyse IT systems at a more granular level for security vulnerabilities and protect us through more complex layers of quantum cryptography.
Complex solutions
Indeed, quantum computing is a gamechanging technology, because of the major speed increases it offers to solve complex mathematical problems. Cryptography still relies on the factoring of large prime numbers to stop hackers who are attempting to use brute-force methods. Conversely, quantum computing of these factors is simplified and thus threatens the defences we rely on to protect important information systems. It becomes a punch and counter-punch situation that involves risk management and having the ability to detect, respond and recover from attacks. Nonetheless, judging from some of the recent cybercrimes, human persuasion is the greatest risk we face, not necessarily technology.
Cryptography operating at quantum speed to prevent detection of cryptographic keys is ineffective when humans are persuaded to divulge secrets. Quantum effects offer strong protection, but in the wrong hands also threaten key sharing mechanisms. The quantum computer requires climate controlled (absolute zero temperature) and isolated environments or its mechanical state is impacted by interference from radio waves and noise. Fortunately, the encryption algorithms believed to be virtually unbreakable today are not threatened by hacktivists and cybercriminals, because this technology is not yet widely affordable. The old and reliable advance encryption standard (AES) and public key algorithms believed to be safe today could be vulnerable to brute force attacks using quantum computing. Quantum computing could potentially provide that tipping point to be able to brute-force the AES and public key algorithms currently considered safe.
As a threat, quantum computers can simultaneously process exponentially larger numbers of calculations than possible today and will threaten the status quo for security infrastructure and symmetric cryptography.
Conversely, there are exciting times ahead for medical and other scientific research. Some standards organisations estimate that mature quantum computers will be able to break into our public key infrastructure in the next decade, but others seem to think it could be sooner. We face a race for time; upgrading infrastructure takes years and is an expensive investment. In the meantime a lot of sensitive data must be protected from harvesting attacks (captured and stored for later decryption when quantum computers are available). Therefore, any organisation handling military operational, personal or financial information with a long shelf life should be getting ready now.
Positive notes
On the positive side, quantum technology also delivers capabilities that can be used to enhance data security from today’s attacks using quantum cybersecurity. The technology’s use of the quantum physics randomness principle – a lack of patterns or predictability – has been harnessed into commercial quantum random generators that produce fully random numbers at high rates and in a cost-effective manner. These devices are starting to be integrated into security infrastructure for cloud and other implementations. The use of longer, higherquality keys by security agencies is a good strategy to protect data from the quantum computer threat, allowing companies to stay ahead of those who would try to use this technology for nefarious reasons.
An inherent protective measure in quantum mechanics is that measuring a quantum system disturbs the system, so an attacker trying to intercept the key exchange will inevitably leave detectable traces. This is a developing technology, but companies are beginning to roll out commercial implementations, and an evolution could be under way to move beyond point-to-point capability and even enhancements in mobile devices. Although it is not household technology today, the threat is real, so our network architectures and designs must be able to assimilate these capabilities.
NCI Agency’s digitisation vision aspires to provide mission assurance throughout the NATO IT enterprise and information domains. Software-defined technology will be integrated throughout our deployed architecture (points of presence or POPs), from network and boundary protection to virtualised computer and storage capability. There are also four lines of effort we’ll follow to raise the bar in our cyberdefensive posture.
Security policies are traditionally implemented in an overly restrictive manner that inhibits use of the intended capabilities. If policies were issued in a more prescriptive fashion, organisations could achieve a better balance between the use of innovative capabilities and cybersecurity risks. Also, leveraging NATO solutions can help reduce risk and time from design to fielding of capability. The network operation functions must stay closely aligned with the cybersecurity defensive functions for overall operational effectiveness. Finally, network and datacentre vulnerability assessment inspections will modify the charter to include actively assisting in fixing highrisk problems.
The way forward
NCI Agency’s director infrastructure services assesses the following:
- The search for algorithms secure from classical and quantum computing attacks.
- Quantum-resistant algorithm challenges can’t easily replace current solutions, due to requiring significant protocol changes (thus remaining vulnerable to new quantum algorithms as they emerge).
- Software-defined networking should be studied, because it allows for a fast path of innovation and opens up new opportunities for quantum key distribution (QKD).
- While acknowledging that wide spread use of quantum computers is still years away, we must begin now to prepare our information security systems to be able to resist quantum computing and reduce harvesting threats.
- It is important to stay engaged with private and public sector investors, and thought leaders in industry and research universities.
- Big data analytics, machine learning and artificial intelligence can help in addressing cybersecurity threats. Quantum computers will be helpful in substantially reducing the time it takes for such detection.
- Public Key Infrastructure – a set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke digital certificates – is planned as the main cryptographic-based authentication mechanism for NATO’s requirements.
In the race to protect our data from the power of quantum computers, it is likely that hybrid solutions will emerge. Keys will be stronger, using ‘full entropy’ or true randomness. Crucial links will be protected using a global, QKD network that is invulnerable to quantum computers.
For shorter, less exposed links, improved algorithms may provide some enhanced protection that can be regularly updated against growing threats. While the quantum computer threat is certainly a major challenge, other elements are coming in place to address it. NCI Agency’s task is to seek balance between being vulnerable and reaping the benefits of that technology.