Cyber Safety in the Era of Quantum Computing and AI
As Sophocles, the ancient Greek tragedian, stated over 2400 years ago, “Nothing vast enters the life of mortals without a curse”. Oscar Wilde wrote “When the Gods wish to punish us, they answer our prayers”.
The true benefits of quantum computing, artificial intelligence (AI), and post-quantum cryptography (PQC) may ironically be a zero-sum gain for cybersecurity, unfairly empowering the tools and methods for cyber-attacks and cyber-defense equally, unless one establishes a strategic advantage over the other.
How did we tiptoe here from the big data and omnipresent services cloud to the dark web and post-quantum ethos?
The Big Data (Noise)
The Internet big bang created an information superhighway for data sharing and global commerce. It changed the way we live today in under 30 years, giving birth to a new human regimen. Life today revolves around a distributed network of connected things. The scary prospect is that one could inadvertently harvest untrustworthy data that triggers data-based cyber-attacks, flawed assessments, and erroneous mitigation actions. The law, judge and jury are online to weaponize data for mass disruption with deadly consequences. Data has become merely an instrument of purpose. The information age is closing in on an era where big data could become a flash point sparked by big noise without trustworthiness (true signal) in data and a tightly coupled network without perimeters.
The Omnipresent Services Cloud
We may live on the ground, but we survive in the cloud. Trusted identity on the ground must be transported to a broker in the cloud to access hosted data, applications, and services. This has created a plethora of authentication protocols, handshake ceremonies, and digital artifacts (from passwords to quantum-safe keys, authorization tokens, access tokens, and certificates) in our digital life. Online Software-as-a-Service (SaaS) platforms require both privacy and anonymity protections in the global marketplace. Customization of views (pages) on web platforms, based on authenticated or anonymous entity (user or device) attribution and affiliation, has become critical for public safety, intellectual property protection, data sharing, and responsible derivative use of published content.
The Dark Web
Digital connectivity helped in the emergence and appeal of the social media networks and online services available today. The Internet is fueled by data – originating from minds and machines. Search engines and AI-powered languages have replaced the long and tedious research cycles to discover information from books, publications, and yellow pages. The grave challenges that societies face today, and must battle in the decades to come, will emerge not from nuclear weapons, weaponized drones, or traditional warfare but from cyber warfare launched at scale. Data is the fuel and currency, without borders, for mind games in cyberspace. Data travels faster than human minds can process, and the information is consumed faster than the human intellect can filter out disinformation. Data is no longer harvested only from humans. Headless devices autonomously stream data to the cloud at high velocity, and social robots have arrived. This is where social and enterprise networks come perilously close to the dark web in cyberspace.
The Post-Quantum Era
The intricate entanglement of humans with digital networks (from the first to last mile of the information grid) and data (in transit and at rest) forms the fabric of modern-day civilization and livelihoods for the billions inhabiting this planet. This frictionless surface exposes an enormous single point of failure. The sophistication and advancement of ransomware and drones (weaponized as trojans) pose a clear and present danger to the digital world that already endures a plethora of cyber-attacks every second. In the coming decade, cyber wars will escalate to artificial intelligence-powered predator drones and land-line autonomous rogue devices. If the power of artificial intelligence and quantum computing is true to claims, then the aggregate power of smart re-programmable devices with remote command and control will surpass the capability of human intelligence to combat machine intelligence in cyber warfare. It is not the capability of the device in the warfare, but the capability of the warfare in the device. Every successful ransomware attack on information technology (IT) infrastructure today is only a breath away from locking and bricking operational technology (OT) devices in the not-so-distant future that could tear down mission-critical infrastructures. Cyber wars are forever wars – an infinite game of will and resources, and the adversaries are well equipped with an arsenal of sophisticated tools and methods, and the technology to discover soft targets with network and supply chain surveillance.
Strategic cybersecurity initiatives over the past 30 years have focused on the gullibility and vulnerability of user interactive systems. Cyberspace is now dominated by headless autonomous devices and integrated systems at the edge with immense computational power for image and voice processing, segmentation, object recognition, natural language processing, sentiment analysis, artificial intelligence-based learning, and training models. These advancements in modern silicon chipsets and miniaturized device functions enable immensely powerful dual-use technologies at scale for nefarious purposes and gains by cyber criminals and nation-state actors.
The Verifiable Trust Era
Is there light at the end of this paralysis-by-cyber tunnel?
Verifiable trust is the quintessential measure of protection in the post-quantum era. Digital devices must be designed for trustworthiness with identity validation prior to onboarding into digitally connected local and wide area networks, supply chain provenance for inspected and verified updates, and runtime monitoring for risk indicators. Protection must begin in the first mile before the device is powered on and before the device is granted access to the distributed (routed) network fabric beyond the first level of a multi-level network security hierarchy model. A device that is not trusted in the first mile is not trustworthy on the last mile, and therefore foundational trust must be pre-established on the first mile. The challenge lies in retrofitting trust into the day-zero implicit trust network (i.e., the status quo of assumed trust, and the here-and-now cyber hygiene). Today’s OT networks comprise connected legacy, brownfield, and greenfield devices in tightly coupled live production environments. Devices in OT environments require scheduled downtime for maintenance and upgrades approved by field operators. Further, the original equipment manufacturers (OEMs) must ensure interoperability and high availability to prevent service outages. Therefore, an adaptive technology is required to seamlessly and ubiquitously transition from the “assumed trust” to a “verifiable trust” model for the billions of heterogeneous connected devices and systems in the emerged public/private Internet of Things (IoT). This applies broadly across all industry segments on the path to digital transformation from energy, to manufacturing, retail, healthcare, national defense, transportation, aviation, space, finance, and logistics.
The current state of the IT paradigm for protection of user-interactive systems is deep-rooted in the notion of threat management. The future state of a converged IT-OT paradigm must ensure runtime operational integrity in user-interactive and headless devices ingrained in the model of risk management. Data should only be entrusted to authenticated and verified trustworthy devices as a must-have risk management countermeasure.