There are all sorts of next-gen technologies hitting the headlines right now: generative AI, open source, cloud native—you name it.
But there’s one more looming on the horizon that offers every industry a plethora of challenges and opportunities: quantum computing. Quantum computing differs drastically from today’s modes of computing because quantum computers use the “spooky action” of quantum mechanics to multiply computing power by the thousands, even the millions, through superposition and entanglement.
The problem is, no one knows exactly when quantum computers will become commercially viable, but we do know two things.
- Quantum computers are likely coming sooner than we think.
- Quantum computers—specifically cryptanalytically relevant quantum computers (CRQCs)—have the potential to break traditional cryptographic systems like RSA and ECC.
That means, if you haven’t already, the time to start preparing for that eventuality is now.
Because your adversaries already are.
In fact, across many industries, threat actors are already carrying out “store now, decrypt later” attacks—otherwise called “steal now, decrypt later,” “harvest now, decrypt later,” or simply “retrospective decryption” attacks.
What are “store now, decrypt later” attacks?
“Store now, decrypt later” (SNDL) attacks occur when a threat actor steals encrypted data (usually data that’s in transit), stores it and plans to decrypt it later when quantum computers reach the point of being “cryptographically relevant.”
To look at this another way, let’s turn to a pop culture example: The Italian Job (2004). In this movie, the thieves don’t just steal the gold straightaway. They steal the entire safe. Then, when it’s convenient for them to do so, they crack the safe open to plunder the riches inside.
This is exactly what threat actors are doing when they carry out an SNDL attack. They’re swiping encrypted information, often the kind with a long shelf life, and stockpiling it until quantum computers can crack it open for them in the future.
And businesses are becoming increasingly concerned with these attacks. In fact, according to a survey from Deloitte, 50.2% of security professionals are concerned that their organizations are at risk of “harvest now, decrypt later” cybersecurity attacks.
Understanding the risks
Why are more than half of the 400 professionals Deloitte surveyed so concerned about “store now, decrypt later” attacks? It’s because the at-risk information is some of the most sensitive material found across their IT systems.
Think patents, customer PII, financial data, military and state secrets, telecom logs, drug compounds and formulas, energy plant blueprints/plans—the possibilities are endless.
What’s an organization to do against such an attack? First, you’ll want to follow industry-recommended best practices for information security, for data both at rest and in transit.
You’ll also want to start preparing to defend your data in a post-quantum world—today.
The role of quantum computing in “steal now, decrypt later” attacks
Today’s quantum computers can’t decrypt your data. Not yet. They’re not powerful enough to factor the large numbers, built from prime numbers, that are used as the basis of popular public key encryption. But when they are, they’ll be able to crack that math problem, and threat actors will be able to use them to access your most sensitive materials.
That’s the main reason why today’s threat actors are resorting to “store now, decrypt later” attacks.
Why should we be concerned about "store now, decrypt later" attacks?
Although the idea of a threat actor stealing your encrypted data to decrypt later is a scary one, not everything involved in these attacks will necessarily be valuable in the long term.
But this level of potential disclosure is still alarming, and no industry is immune to this kind of long-term data exposure, which increases your risk for more large-scale breaches and lasting damage to customer trust and brand reputations.
The impacts of long-term data exposure
- Sustained vulnerability: Some encrypted information, such as state secrets, military intel, or long-term business strategies, can retain its value for decades. If this data is intercepted now and quantum computers become practical in the next few decades, threat actors can decrypt it and profit from it.
- Potential for large-scale breaches: Without adequate security, businesses face greater potential for large-scale breaches once quantum computing is viable. Even with a drawn-out timeline, if threat actors access crucial intel, your company’s future could be at stake because of information stolen during an SNDL attack.
Here are 4 potential examples:
- A pharmaceutical company plans to release a new cancer drug in the next few years. If that info is harvested as ciphertext, once quantum computers can decrypt that IP, a competitor could copy the drug formula and the marketing plan—and release a generic equivalent that’s even more commercially successful than the original compound.
- An arm of the federal government securely stores defense contractor information and planning for future military strategies, but that information is taken during an SNDL attack. Later, the threat actors who stole the data sell it to enemy foreign states, who turn their own sights on the defense contractors - or intervene directly with those well-laid, previously classified, military movements.
- A banking institution's customer account information is taken during an SNDL attack. Even if it's encrypted using strong traditional cryptography, the data can be deciphered with a quantum computer, exposing the PII and account numbers for thousands of customers.
- An energy company’s blueprints for a decades-long global expansion are intercepted. Once those plans are decrypted, a nation-state group carries out a physical-cyberattack, causing actual damage, endangering lives, and delaying builds to forever tarnish the brand—and impact that nation’s critical infrastructure.
Trust and reputation
As you can see in those examples, just like with any security breach, your business can face legal, reputational, and financial damages—even if the data impacted was stolen decades ago and later resurfaces when quantum computers become mainstream. If it’s still relevant, it’s still vulnerable, which makes mitigation critical.
“Quantum computing could ‘jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most internet-based financial transactions.’” – National Security Memorandum
Mitigating the risks: a comprehensive approach
How can your organization combat SNDL threats? There are a few core components to building resilience that you can start with today, to help prepare for a post-quantum tomorrow—and that’ll help prevent you from falling victim to “store now, decrypt later” attacks.
NIST’s post-quantum cryptographic standard
Early drafts are out for NIST’s post-quantum standardization efforts, but they know that new algorithms will not simply be “drop-in replacements for quantum-vulnerable algorithms.” We can likely expect clear standards from NIST in 2024.
If you’d like to read about their current developments, including their latest draft PQC standards, head over here.
Implement hybrid encryption
Hybrid encryption uses traditional cryptographic standards as well as quantum-resistant cryptography (also known as post-quantum cryptography, or PQC) to ensure both angles are covered.
Let’s go back to that Italian Job allusion. Recall that huge heist in the third act, when the thieves don’t just steal the safe. They steal the armored truck containing the safe, which contains the gold. It’s an apt example for reviewing hybrid encryption.
The truck itself, even with all its armored toughness, represents vulnerable traditional encryption. Once the thieves bust the doors open, they might think they’re home free. But there’s a safe inside the truck—and it’s no ordinary safe.
It’s a top-of-the-line, commercial-grade safe, and even their professional safe-cracker initially balks at the challenge. This safe is virtually impossible to crack open, and in this scenario, it represents quantum-resistant encryption. That’s the beauty of hybrid encryption: even if one type of crypto gets cracked, the other is still there as a fallback to protect your data.
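The combining step behind hybrid encryption, as an added example that is not from the original article or any vendor's code: both shared secrets feed one key derivation, so the session key stays unknown unless both are recovered. The random byte strings stand in for the outputs of a classical key exchange and a post-quantum KEM, and the function names and the label string are assumptions.

```python
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256 and the default all-zero salt."""
    if length > 255 * 32:
        raise ValueError("requested output is too long for HKDF-SHA256")
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()  # extract step
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand step
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _length_prefixed(value: bytes) -> bytes:
    # A length prefix keeps (b"ab", b"c") and (b"a", b"bc") distinct inputs.
    return len(value).to_bytes(4, "big") + value


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes,
                       transcript: bytes) -> bytes:
    """Derive one session key from BOTH shared secrets (hypothetical helper)."""
    if not ss_classical or not ss_pq:
        raise ValueError("hybrid mode needs both shared secrets")
    ikm = _length_prefixed(ss_classical) + _length_prefixed(ss_pq)
    return hkdf_sha256(ikm, b"hybrid-example-v1|" + transcript)


def demo() -> dict:
    ss_classical = os.urandom(32)  # constructed stand-in: classical exchange
    ss_pq = os.urandom(32)         # constructed stand-in: post-quantum KEM
    transcript = b"constructed handshake transcript"
    key = hybrid_session_key(ss_classical, ss_pq, transcript)
    peer = hybrid_session_key(ss_classical, ss_pq, transcript)
    # Someone who later recovers only the classical secret still has to
    # guess the post-quantum one; a wrong guess yields an unrelated key.
    guess = hybrid_session_key(ss_classical, bytes(32), transcript)
    return {"peers_agree": hmac.compare_digest(key, peer),
            "classical_secret_alone_recovers_key": hmac.compare_digest(key, guess)}


if __name__ == "__main__":
    print(demo())
```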
Use strict key management
Using stringent key management practices is central to protecting your organization.
Rotate keys regularly, practice good key hygiene, and always have an awareness of where your encryption keys are used, how they’re used, who has access to them, and where they’re stored.
Continuously monitor for unauthorized access or suspicious activities
Continuously monitoring activity on your IT systems, especially your machine identities, can help you secure and protect your company’s encryption keys and digital certificates.
Visibility and automation can help minimize your risk of breaches of encrypted data—and they’re your company’s first steps toward strong security and crypto-agility, even the kind you need to adapt to a post-quantum world.
Embracing post-quantum cryptography (PQC)
Post-quantum cryptography is extremely difficult to crack because it’s based on a lattice pattern. To avoid getting too in the weeds, that simply means finding and breaking the keys used is nearly impossible, even for advanced quantum computers.
However, implementing PQC itself poses another dilemma. It takes a significant amount of time to update the encryption systems used within your organization. And yet, it’s never been more crucial.
This is especially true if you want to ensure your organization has the crypto-agility needed for a successful post-quantum migration.
Crypto-agility: the new normal
When it comes to ever-evolving technologies like quantum computing, it’s important that your business maintains a flexible, adaptive security strategy. And the best way to do that is to start preparing today. Take stock of your current quantum risks. What systems are using quantum-vulnerable cryptography?
Routine infrastructure audits are also helpful in the early detection of vulnerabilities. Ask yourself which assets and data you currently have that need protection—and know how you’re already protecting them. Knowing the answers to these two questions will make the timely process of swapping crypto standards that much easier.
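One way to start that stock-take (an added example, not from the original article): flag systems whose key establishment is quantum-vulnerable or unidentified, and rank them by how long their data must stay secret. The inventory rows, column names, algorithm markers and the `min_years` cut-off are constructed assumptions.

```python
import csv
import io

# Constructed sample inventory; a real one would come from a certificate or
# configuration scan of your own estate.
INVENTORY_CSV = """system,key_establishment,data_shelf_life_years
vpn-gateway,RSA-2048,25
partner-api,ECDHE-P256,10
web-frontend,X25519MLKEM768,1
build-cache,ECDHE-X25519,0
legacy-mq,custom-v1,15
"""

# Substring markers (assumed, not exhaustive). "DH" also matches ECDH/ECDHE.
CLASSICAL_MARKERS = ("RSA", "DH", "X25519", "P256", "P384")
PQ_MARKERS = ("MLKEM", "KYBER")


def classify(key_establishment: str) -> str:
    """Label a key-establishment name by its quantum exposure."""
    name = "".join(ch for ch in key_establishment.upper() if ch.isalnum())
    has_pq = any(marker in name for marker in PQ_MARKERS)
    has_classical = any(marker in name for marker in CLASSICAL_MARKERS)
    if has_pq and has_classical:
        return "hybrid"
    if has_pq:
        return "post-quantum"
    if has_classical:
        return "quantum-vulnerable"
    return "unknown"  # unrecognised schemes need a manual look


def sndl_exposure(inventory_csv: str, min_years: int = 1) -> list:
    """Return (system, status, years) for exposed systems, longest-lived data first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["key_establishment"])
        years = int(row["data_shelf_life_years"])
        # Recorded traffic only matters if the data is still sensitive later.
        if status in ("quantum-vulnerable", "unknown") and years >= min_years:
            findings.append((row["system"], status, years))
    return sorted(findings, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for system, status, years in sndl_exposure(INVENTORY_CSV):
        print(f"{system}: {status}, data sensitive for {years} years")
```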
Being ready to make swift remedial actions is also key. This requires a PQC readiness plan, because your post-quantum success is entirely dependent on your pre-quantum readiness.
Even if we don’t have an exact date for quantum supremacy, it’s no doubt rapidly approaching—and threat actors are already taking notice.
Take the first step towards enhanced cybersecurity in the PQC era
The Venafi Control Plane for Machine Identities can help you solidify your management of digital certificates and cryptographic keys, ensuring your data is safe from “store now, decrypt later” attacks.
And, through the robust deployment of comprehensive visibility and automation, the Venafi Control Plane helps you achieve the crypto-agility needed to build the quantum-resistant infrastructure of the future.