The Quantum Revolution, Plus The Trump Admin. Banishes Cyber Czar

[Photo: Shutterstock.com]

“Task Force 7 Radio” host George Rettas captured a number of recent cyber security headlines and developments in his episode entitled “Will Encryption Soon Be Useless?”

Topics throughout the hour included quantum computing and its effect on cryptography, the Trump administration cyber czar and a national deterrence policy.

The Quantum Revolution

To kick off the show, Rettas cited a piece from ZDNet’s Tom Foremski, which describes the emergence of quantum computing to handle complex algorithms and processes, and the resulting impact on today’s encryption tools. It’s likely that the proliferation of quantum computing could make data less secure – exposing trade secrets, business data and private information. Arvind Krishna, Director of IBM Research, was cited in the article suggesting that this shift could transpire in approximately five years. The quantum computers, then, could break the encryption of the strongest security tools. Krishna also said that if you’re looking to protect data for 10-plus years, you may need to move to alternate forms of encryption.

Rettas also cited a WIRED.com piece from Abigail Beall, which deciphers the “next generation of computers.” Quantum computers can solve difficult problems (e.g., modeling chemical processes). These computers take advantage of the ability of subatomic particles to exist in more than one state at any one time. The result: faster operations using less energy. In classical computing, a “bit” is a single piece of information that can exist in two states (1 or 0), a part of the binary digital world we operate in now. Quantum computing uses quantum bits (qubits), which can store more information than the 1s and 0s because they exist in any “super position” of the values.

According to the same piece, Alexey Fedorov, a physicist at the Moscow Institute of Physics and Technology, described quantum computing as an imaginary sphere. Whereas a classical bit can be in two states along the poles of the sphere, qubits can be on any point. The result: entirely more storage and less energy output. Quantum computers can help solve complex mathematical problems, including charting large prime numbers, which is used in cryptography. That said, Rettas pointed out, they can crack many systems that help to keep information secure.

See Related: Palo Alto Networks CSO Talks Risk Metrics, Algorithms & Automation

Researchers are attempting to develop technology that is resistant to quantum hacking. It’s possible that a quantum-based cryptographic system would be more secure than conventional analogs, Rettas relayed.

The “TF7 Radio” host said it’s “unnerving to think quantum technology will make data less secure.” He cited IBM in an encryption method called “lattice” which may be resistant to quantum computing attacks. Since some projections foresee widespread use of quantum computers within five years, efficient encryption techniques may be required.

Sean Hallgren, a Professor of Computer Science at Penn State University, is studying quantum computation and cryptography. The goal: to determine whether quantum computers can solve lattice problems.

If his research is successful, Rettas noted, it could be a major breakthrough in discovering what quantum computers can solve – and have a direct impact on cryptography.

National Security Council – Cyber Security

In the following segment, Rettas traced recent cyber security news. He said the National Security Council (NSC) is delaying the publication of a national cyber security strategy over the inclusion of offensive measures in the document.

Chris Bing of CyberScoop.com wrote that there have been internal disputes over retaliatory hacking measures. Rettas also outlined a federal statute which suggested external computers cannot be attacked (no self-defense provisions). That means NSC-level cyber security strategies are uncertain – in what the parameters are of an offensive attack.

NSC staffers are reportedly seeking edits to emphasize repercussions if adversaries attack the U.S. government or U.S.-based companies, Rettas relayed. Dissemination of the information was reportedly postponed due to defining what the “red line” is to trigger a response.

In an executive order from May 2017, the Trump administration mandated the creation of a cyber deterrence framework. According to some officials, the plan leans heavily on tech companies to combat threats. Several industry groups planned coordinated press releases about these measures. Some held off on releasing them due to the delay.

[Photo: Christopher Halloran/Shutterstock.com]

The Czar

In similar news, NBC News’ Daniel Arkin reported last week that the Trump administration has made the decision to eliminate the cyber security czar in the administration. Rettas said this has left people “shaking their heads” and wondering “who will become the (cyber) advocate in the administration.” John Bolton, Trump’s National Security Advisor, reportedly sought to have the job cut.

In response, J. Michael Daniel, of the Cyber Threat Alliance, formerly Cyber Security Coordinator for the Obama administration, said it’s not the right signal to send to allies and adversaries, Rettas noted.

Rettas emphasized that the position is important – in ensuring the NSC is on board with cyber initiatives and communicating issues. It is, however, Bolton’s prerogative to restructure the NSC.

See Related: Cyber Expert Breaks Down The EU's Sweeping Answer To InfoSec: GDPR

Rettas said: “I agree, that’s a little level-setting here. Let’s calm down with the hysteria before we level too much criticism.”

The N.Y. Times wrote that the elimination of the position was due to security being a core function of the culture already (even for lower-level staffers).

Rettas emphasized that the administration still likely has a handle on the importance of cyber security, despite the move.

Two-Factor Authentication

As the “TF7 Radio” host mentioned, KnowBe4 Chief Hacking Officer, Kevin Mitnick, recently displayed a video illustrating how to compromise two-factor authentication. As reported by TechCrunch, the new exploit allows hackers to spoof two-factor authentication requests by sending users to fake login pages and then stealing their credentials.

These social engineering tactics (whose aim is to weaponize websites) show that organizations cannot rely on two-factor authentication alone, to combat cyber-threats. Instead, organizations need to raise awareness about phishing and its potential harms (as well as other pressing cyber threats).

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes of "Task Force 7 Radio," click here.

See Related: Insider Threats Are The 'Next Big Wave Of Attacks': Securonix CEO & CTO