In an era where data security is paramount, the recent revelations about firmware backdoors implanted by Chinese government-backed hackers serve as a stark reminder of the evolving threat landscape. BlackTech is infiltrating routers to gain undetectable backdoor access to the networks of companies in the US and Japan.
This incident underscores the vulnerabilities in our digital infrastructure, specifically the risk that data takes when being transmitted across unknown and often adversarial networks. Data transmission itself is inherently vulnerable due to Harvest Now, Decrypt Later (HNDL), a threat that is relevant and imminent.
To secure data today from the risks of tomorrow, organizations need to take proactive measures in securing data against quantum risks.
Harvest Now, Decrypt Later attacks: A real threat
In the HNDL strategy, malicious actors are collecting and storing encrypted data with the intention of decrypting it later, either by capitalizing on advancements in today’s computers and new cryptographic attacks or by utilizing future quantum computers capable of breaking our current encryption standards.
Given the sensitive nature of the data—from personally identifiable information to state secrets that must remain confidential for years or even decades—the potential for breaking encryption through current or future advancements creates a looming threat that should not be taken lightly.
What type of data is at risk? All of it.
There is data with tremendous and obvious long-term value, such as DNA or other genetic data, weapons data, and intellectual property. The first to break cryptography will “benefit” from an unprecedented transfer of intellectual capital and associated wealth related to the data. Drug formulations, chip designs, and novel code architectures will immediately enhance the “wealth” of the first entity able to decrypt them. However, all data has value. When combined, even the most minor pieces of data provide intelligence and actionable insights.
In parallel with the growth of AI and ML technologies, along with fast, robust, scalable processing capabilities, we are witnessing an almost uncanny ability for advertisers to target us, seemingly reading our minds, knowing how we live and what we want. This is with only “legally” available data and the data exhaust we create. Consider all these tiny bits of data providing “signals intelligence” when combined – they could reveal intimate details about us individually, about our families, where we live, our health, and all aspects of our lives.
When and where does data harvesting occur?
Data harvesting typically occurs at points of high data concentration during data transmission. For instance, large data centers, internet exchange points, or major server hubs are all likely targets due to the vast amount of data flowing through them. The hack by BlackTech group represents a flavor of this type of attack, aiming to capture data at the highly trafficked network device.
Many players, from government entities to low-budget hackers, are already tapping into these data streams. For instance, Russia reportedly has submarines equipped to tap undersea cables, while hackers have found cheap ways to intercept satellite communications. In recent years, the percentage of intercepted encrypted web traffic has likely grown tremendously as tapping lines has become easier for cybercriminals, causing data storage costs to plummet.
Geopolitical situations also heighten the risk. Chinese telecom giant Huawei, for instance, has expanded its 5G network hardware across Asia and Africa. This expansion could facilitate data interception by the Chinese government. While organizations may maintain control over their IT security within their premises, the risk of data interception while communicating globally over unknown and potentially hostile networks is largely beyond their control.
The real emphasis of HNDL threats is on high-value, long-term data assets like trade secrets or intellectual property, which are passively harvested from large-scale data access points rather than personal WiFi hotspots. In essence, if a device is likely to possess important actionable information of near-term value, it’s more likely to be attacked immediately rather than be subjected to a longer-term HNDL strategy. Given the sensitive nature of the data at stake — from personal information to state secrets — the HNDL risk poses a severe threat.
Securing against quantum attacks and mitigating harvest now, decrypt later
Understanding quantum security is essential in mitigating the risk of HNDL attacks. Once asymmetric encryption, which is currently not quantum-safe, is broken, session keys and symmetric keys will be exposed. Therefore, mitigation involves either using quantum-secure encryption or eliminating the transmission of encryption keys altogether.
It’s essential to clear up a common misconception: While Advanced Encryption Standard (AES) is often touted as quantum-safe, the security of AES often hinges on the RSA mechanism — a type of asymmetric encryption — used to distribute its keys, which is not quantum-safe. If an AES key is delivered via RSA, the security of the AES encryption is only as strong as that of the RSA delivery mechanism.
In a harvest now, decrypt later attack scenario, any harvested data that was encrypted using RSA can be decrypted later, exposing all AES keys in the process. This is at the heart of the quantum risk.
As we navigate the complexities of this transition to a quantum-secure eco-system, it’s crucial to explore and implement potential solutions proactively:
1. Cryptographic inventory: Begin by conducting a comprehensive cryptographic inventory. IT leaders should understand where their keys are stored, how they’re managed, and where they originate and end, as well as identify any usage of quantum-at-risk algorithms.
2. Secure key transmissions: From there, IT leaders should evaluate opportunities to either eliminate key transmissions or make key transmissions quantum-secure leveraging quantum-secure solutions that complement NIST Post-Quantum Cryptography (PQC) standards.
3. Preparation for NIST PQC: Begin planning to migrate to NIST PQC standards, which provide a robust framework for quantum-resistant cryptographic methods.
The HDNL threat and quantum risk are already upon us. By taking steps today to adhere to PQC standards and ensure a resilient, future-ready cryptographic defense, organizations of all sizes can create a secure digital future.