How Quantum Computing Threatens SaaS

Posted by Jeff Phillips | September 12, 2023

The year is 2027. Quantum computers (QCs) have finally become a reality and are far more powerful than anyone could have imagined. AI-enabled QCs can solve problems that would take classical computers billions of years to solve, and they pose a severe threat to the security of our data. In the previous three years, companies like IBM, Google, and a couple of mischievous nation-state actors have made monumental improvements in qubit count (the measure of processing power for QCs) and vast advances in error correction. The advent of quantum computing makes any password vulnerable to cracking in seconds--no existing encryption system is safe.

This is the “Quantum Apocalypse” - the day QCs break traditional public key cryptography -, and it is a genuine possibility.

Startups and investors that use cloud services and collaboration tools should immediately take steps to mitigate the risk posed by quantum computers. This includes using post-quantum cryptography to resist future quantum computer attacks and migrate to self-hosted solutions.  In addition to strong passwords, enterprises should consider implementing multi-factor authentication, software patch management, and network monitoring to protect their systems and data.

I am Jeff Phillips, a corporate development professional at Code Siren, LLC. We are a deep tech startup founded by game developers, white hat hackers, and cryptologists. In this article, I will discuss the threat quantum computers pose to cloud security, the "steal now, decrypt later" (SNDL) tactic, and the steps you can take to protect your data on collaboration apps.

Table of Contents

Part I: The Quantum Apocalypse is Near

1. Quantum Computers Will Crush All Existing Encryption Systems

QCs work fundamentally differently from traditional computers.  They use quantum bits, or qubits, in a superposition of two states, 0 and 1.  This allows QC to perform specific calculations much faster than classical computers.  QCs are not limited by the speed of electrons or light. They are limited by the laws of quantum mechanics. In 2019, Google's Sycamore QC performed a calculation that would have taken IBM's Summit supercomputer 10,000 years, demonstrating the power of existing quantum computing.

Source: https://nickyoder.com

As QC process more advanced algorithms, there is a growing concern about the potential threats posed by universal or cryptanalytically relevant quantum computers (CRQCs). A CRQC is a quantum computer powerful enough to break the existing encryption algorithms currently used to secure digital communications and data by executing Shor’s algorithm.

Shor's algorithm, first proposed by Peter Shor in 1994, can factor in large numbers exponentially faster than classical computers.  This means that even if a classical computer would take millions of years to factor a large number, a quantum computer could factor it in minutes.

Another algorithm, devised in 1996 by Lov Kumar Grover, can be used to search for patterns in data and break other types of encryption algorithms at quadratic speed.  A quadratic speedup means that the time it takes to run Grover's algorithm is proportional to the square root of the time it takes to run the best classical search algorithm. For example, if it takes 100 steps to run the best classical search algorithm on a database of 100 items, then it would take only 10 steps to run Grover's algorithm on the same database.

This matters because current encryption standards are based on the difficulty of factoring large numbers (i.e., RSA, Diffie Hellman, elliptic curve, etc.). With the Quantum Apocalypse, every financial institution, government, cloud-based service, and the internet (at large) is exposed. At first, nation-state actors will use QCs to cyber attack each other. This will lead to a "quantum arms race." Shortly after, cyber-criminals will acquire QCs too, and the attack vectors will shift to corporate and personal data.

Source: Council on Foreign Relations, Cyber Operations Tracker

2. State-Sponsored Cyber-Criminals are on the Lookout

Advanced persistent threats (APTs) are sophisticated, often state-sponsored actors or well-funded criminal organizations that typically carry out skillful cyber attacks.  APT objectives range from espionage, data/IP theft, extortion, and network/system disruption or destruction. APTs are characterized by their cyberwarfare capabilities, long-term planning, complex techniques, and targeted attacks.

"APTs and nation-state actors are likely to be the first to obtain access to CRQCs [for nefarious purposes], and they will use these computers to attack critical infrastructure, financial systems, and other sensitive systems,”
- T
he National Institute of Standards and Technology (NIST)

Many APT actors have already been involved in large-scale credential phishing (aka credential harvesting), zero-hour/zero-day, man-in-the-middle (MitM), and social engineering attacks. Some of the most notable include:

  • APT29 (Cozy Bear): APT29 is a Russian state-sponsored APT known for its sophisticated hacking techniques and linked to the DNC hack in 2016. APT29 has been known to target Microsoft Teams and Slack.
  • APT10 (Stone Panda): APT10 is a Chinese state-sponsored APT known for its attacks on technology (specifically, startups). The group has been linked to the theft of IP and trade secrets. APT10 has also targeted collaboration apps, such as Slack and Microsoft Teams.
  • APT31 (Comment Crew): APT31 is a CCP state-sponsored APT known for its attacks on the defense industry. The group has been linked to the theft of military secrets targeting collaboration apps like Slack and Microsoft Teams.
  • APT41 (Winnti Group): APT41 is a Chinese state-sponsored APT known for its attacks on the gaming industry. APT41 has stolen game source code and player data. APT41 has also targeted collaboration apps like Zoom, Slack, and Microsoft Teams.
  • APT50 (MuddyWater): APT50 is a state-sponsored APT that is believed to be operating from Iran. APT50 has attacked Slack, Zoom, and Microsoft Teams to steal IP.
  • BlackMatter is a ransomware-as-a-service (RaaS) operation active since 2020. The group has targeted healthcare, education, and government institutions. They’re known to attack Microsoft Teams to gain access to sensitive information.
  • REvil is another RaaS operation that has been active since 2019. The group has targeted various healthcare, financial, and technology enterprises. REvil has been known to attack collaboration apps, such as Microsoft Teams, to gain access to IP.

Source: SlashNext

APTs are becoming increasingly sophisticated in their use of cyber attacks and zero-hour (never before seen) threats. Several high-profile attacks have been attributed to APTs, including the SolarWinds and Microsoft Exchange hacks in recent years. These attacks have shown that APTs are willing to invest significant resources in developing and using sophisticated techniques, usually through credential theft.

Source: PhoenixNAP

Now, the trillion-dollar question: What happens when APTs get their hands on quantum computers?

Source: MIT Technology Review

3. QC Unleashes the Threat of APTs over Collaboration Apps 

Collaboration apps are software tools that allow people to work together and share information: Microsoft Teams, Google Workspaces, Zoom, Asana, Slack... Collaboration apps are attractive to APTs because they offer several attack vectors:

  • Organizations often use collaboration apps like MS Teams and Slack to store sensitive data, such as intellectual property, financial information, and customer data.
  • Collaboration apps often have many users, making it easier for attackers to blend in and avoid detection.
  • Lastly, collaboration apps are often used to communicate in real-time, which allows attackers to exploit vulnerabilities quickly.

Source: Cloudflare, Inc.

The current APT approaches are well known and consist of the following:

  • Phishing emails trick the victim into clicking a malicious link or opening an infected attachment.
  • Social engineering: This involves tricking the victim into giving up their credentials, such as by pretending to be a legitimate employee of the victim's organization or a prospective employer. Most social engineering attacks involve LinkedIn profiles.
  • Malware: This software is designed to steal data, such as credentials. APTs often use bespoke malware specifically created for their targets.

Given these factors, one can only imagine the damage that could be done when nation-state sponsors grant APTs access to quantum computers.

Although a functional CRQC is primarily believed to be (at a minimum) several years away (i.e., 2027), there is evidence that quantum operations of "Steal Now, Decrypt Later" (SNDL) are already underway. The U.S. National Security Agency (NSA) has warned that nation-states and criminal organizations are collecting data to decrypt later with CRQCs. Criminal organizations and governments are already actively recording traffic in bulk. In 2022, over $30 billion was spent on quantum technology development.

The timeline for developing CRQCs is uncertain, but some experts believe they could be available as soon as 2025.

SNDL seriously threatens the 97% of enterprises that use cloud-based services to host their intellectual property, financial data, or other sensitive information. Founders, startups, and investors using cloud services to communicate their workflow are at risk.

Source: Booz Allen Hamilton Inc., Code Siren, LLC

Part II: How to Prepare for the Quantum Apocalypse

Post-quantum cryptography (PQC) is a type of cryptography designed to resist attacks by quantum computers. PQC is still nascent, but according to CISA, NIST, and the NSA, it is important for technology startup founders and investors to consider migrating immediately.

Using PQC, we can help protect our data from classical and quantum computer attacks and ensure that our communications, work, and intellectual property remain secure. Incorporating PQC into your communications and storage is essential.  Migrating to a PQC collaboration platform like Polynom is a low-cost solution.  Polynom offers a free-to-use Community Edition for small enterprises to securely text, file share, and conduct high-quality VoIP via quantum-proof encryption.  

1. Lattices and Learning With Errors (LWE)

Lattice-based cryptography is a relatively new field that is PQC and relies on the difficulty of solving vector-related problems in multidimensional lattices. A multidimensional lattice is an infinite set of points in a space of n dimensions such that the distance between any two points is a multiple of a fixed length. These problems are extremely challenging to solve even for quantum computers, which means that lattice-based cryptography is considered to be quantum-proof.

Source: Nature

LWE is a promising lattice-based cryptographic scheme that is believed to be too tricky for quantum computers to solve. This makes LWE today’s best candidate for building secure cryptographic schemes resistant to quantum attacks.  LWE has been used to construct several secure cryptographic schemes, including encryption schemes, signature schemes, and key exchange protocols.  These schemes are all currently secure against quantum computers and offer a promising way to protect communications in the future.

How is lattice-based cryptography/LWE different from traditional cryptography? Here's the explanation - feel free to skip if it's too technical for your liking:

  • Cryptographic lattices are multidimensional mathematical objects that are difficult to visualize.  They comprise a set of all equally spaced points and have many dimensions.
  • Vectors are points in space that have both magnitude and direction.  They can be used to represent points on a lattice and can be represented as polynomials.
  • The value of possible lattice vectors is exponentially significant.
  • Polynomials created by lattices are too challenging to guess by a quantum computer.
  • With LWE, there are infinite possible vectors to search through.
  • To solve LWE, an attacker must recover the secret vector from the public vector (good luck!)

Source: Code Siren, LLC

2. CRYSTALS-Kyber and CRYSTALS-Dilithium

The CRYSTALS lattice cryptography schemes (Kyber and Dilithium) use the LWE problem to generate cryptographic keys.  The keys are generated by encrypting the secret vectors using a public key.  The public key is used to encrypt messages, and the secret key is used to decrypt messages.

In July 2023, NIST announced that it had selected CRYSTALS-Kyber and CRYSTALS-Dilithium as the first two post-quantum cryptographic algorithms to be standardized. The algorithms were selected from 82 submissions after a rigorous evaluation process.  In August 2023, NIST designated FIPS standards for the selections.

FIPS is the Federal Information Processing Standards. They are publicly announced standards that NIST has developed for use in computer systems of non-military US government agencies and contractors. FIPS standards establish requirements for ensuring computer security and interoperability.

CRYSTALS-Kyber is a key-encapsulation mechanism (KEM) designed for use in applications such as secure messaging and virtual private networks (VPNs).  CRYSTALS-Dilithium is a digital signature algorithm (DSA) designed for electronic signatures and authentication applications.

NIST's decision to standardize these algorithms is a significant step in developing a quantum-resistant future.

3.  Self-Hosting

Self-hosting means hosting the software on your own servers (on-premise) rather than using a third-party cloud-based provider.  This gives you complete control over your data, including who has access to it and how it's stored.  It also means you're not relying on a third party to keep your data safe.

There are many benefits to self-hosting your own collaboration apps:

  • It gives you more control over your data. You can choose the level of security (and encryption) you need, and you can ensure that your data complies with any regulations you're subject to.
  • Self-hosting can be more cost-effective than using a third-party cloud-based provider. In some cases 1/30th the cost. You’re not forced to pay for monthly or yearly subscriptions, and your data won’t be held hostage when you leave.
  • Flexibility! You can choose the software you want to use and customize it to meet your specific needs.

Of course, there are also some challenges to self-hosting your collaboration apps.  You need to have the technical expertise to set up and maintain the servers, and you need to be prepared to deal with any security incidents that may occur.  The Intel NUC and ASUS PN 64 are some low-cost entry points that are easy to set up, relatively quiet, and great devices for getting started with self-hosting.

Sources: ASUS

Conclusion

It is important to note that quantum computers are still in differing stages of development.  Superconducting quantum computers are the most advanced type of QC, and they have been used to achieve a number of important milestones, such as the factoring of real numbers using Shor's algorithm. Neutral atom, ion trap, topological, and photonic QCs are less advanced but more stable and easier to control.  

Quantum error correction is rapidly developing, and quantum computers will likely become more resistant to errors in the near future. It is equally likely that QCs will have the potential to break the encryption of cloud-based collaboration and storage tools within the next few years. Regardless of whether quantum computers become more powerful, APTs will likely continue to threaten the free enterprise system and intellectual property everywhere.

Here are several ways that founders and investors can protect themselves from APTs that use both classical computers and QCs to hack collaboration apps, including:

  • Using applications like Polynom that utilize quantum-resistant encryption (i.e., CRYSTALS-Kyber, CRYSTALS-Dilithium, and AES-256) for all work-flow, file storage, and communication.
  • Only use decentralized, federated applications for collaboration. Apps with strong encryption, user whitelists, and strict user controls reduce your attack vectors.
  • Minimize your digital footprint. Reduce your attack surface (i.e., less social media exposure).
  • APTs frequently use LinkedIn accounts to target their victims. If you're serious about cybersecurity, you should consider deleting your account.
  • Using two-factor authentication (2FA) or multi-factor authentication (MFA). 2FA and MFA add layers of security to accounts and can help protect them from being compromised.
  • Self-hosting is a great way to take back control of your data and intellectual property (i.e., data sovereignty).
  • Enterprises should better monitor their networks for suspicious activity, such as unusual login attempts or data exfiltration.

About the Author

Jeff Phillips works in Corporate Development at Code Siren, LLC.  Founded in 2018, Code Siren is a deep tech startup building sophisticated cryptographic tools that are designed to be easy to use and accessible for everyone.  

Jeff can be reached at [email protected]

More Resources

Here are some resources where you can learn more about post-quantum cryptography and self-hosting:

You might also enjoy

How to raise funds with OpenVC

How to raise funds with OpenVC

New on OpenVC? In 5 min, you will know exactly how to use OpenVC to raise funds for your startup. If you have questions, the answer is probably here.

Posted by Stéphane Nasser | December 5, 2024

"You're not VC fundable!" What it really means.

"Your project sounds cool, but I'm not sure it's VC fundable". If you're raising funds, you may have heard those words. It is important to understand what VC fundability is, why it's important, and how you can become VC fundable.

Posted by Stéphane Nasser | September 5, 2023
11 Measures to Create Optimal Board Dynamics

11 Measures to Create Optimal Board Dynamics

A functional board may not lead to a successful outcome but a dysfunctional one will likely lead to a company’s downfall. Here are 11 measures to create optimal board dynamics for your startup.

Posted by Netalie Nadivi | August 28, 2023