Cybersecurity faces a rising threat from "harvest now, decrypt now" ransomware attacks, where hackers steal data and demand payment. Traditional encryption is increasingly vulnerable, but combining asynchronous and synchronous encryption, like AES, with quantum key distribution (QKD) can significantly enhance protection. This layered approach makes it far more difficult for hackers to decrypt stolen data, offering stronger security for organizations.
In cybersecurity, we talk about “harvest now, de-crypt later” attacks as a serious threat when quantum computers become more commercially available. The theory is that while data today may be encrypted, high-performance quantum computers will be able to decrypt the information at some point in the future.
But some recent incidents are highlighting the even more profound threat of “harvest now, decrypt now” ransomware attacks.
In these breaches, bad actors steal data and then threaten the victim organization that they will release the information unless they receive payment.
In May, hackers carried out a cyberattack on luxury auction house Christie’s website, jeopardizing its major spring auction. When Christie’s refused to pay the ransom, the hackers started releasing bits of information about their wealthy clientele.
And in early June, hackers managed to kneecap three major London hospitals with another ransomware attack. Hospital leaders were forced to cancel procedures, delaying operations, blood tests and transfusions and potentially putting patient lives at risk.
A similar attack earlier this year on Change Healthcare in the United States apparently netted the cybercriminals a $22 million ransom.
The malevolence of these kinds of attacks goes beyond greed or even wanting to harm an organization’s reputation. In the Christie’s case, the perpetrators—presumed connected with a known Russian hacker group—posted on the dark web anticipated fines the auction house might incur for violating European data privacy laws.
The fundamental security challenge comes down to encryption.
Overwhelmingly, encryption today is a traditional, decades-old asynchronous, mathematical-based algorithm. This is public-key cryptography, and it uses pairs of related “keys” for encryption and decryption. For a long time, it’s worked very, very well. But as the bad guys get more sophisticated, this style of cryptography is becoming easier and easier to break using conventional tools.
Even before we have the power of quantum computers at hand, hackers can expose organizations to the threat of data theft—loss of reputation, loss of customers and revenues, and even potential fines and punishment due to inept data protection.
One thing security professionals can do today to mitigate the danger is to add synchronous encryption to their security portfolio. In asynchronous or asymmetric encryption, there are two keys—a public key and a private key. The public key is used for encryption, and the private key is used for decryption. This approach generally provides good security for key distribution because only the private key must be kept secret.
However, a synchronous encryption such as AES (advanced encryption standard) can support key sizes of up to 256 bits, the fundamental building blocks of data storage and processing in computers. To crack that 256-bit encryption, a hacker would have to compute more combinations than there are grains of sand on all the beaches on Earth—many times over.
Together, this double-headed encryption could not only thwart most attacks but also safeguard any stolen data.
Add in a quantum security technology such as a quantum key distribution (QKD) between key points in your data path and you’ve created a virtually unassailable fortress. QKD is a form of synchronous encryption, with just one key. However, QKD uses photons of light to share that key between the sender and receiver.
And photons don’t lie—any intrusion or hacking into the fiber-optic cable transmitting the photons stops them in their tracks, preventing the key from being transmitted and thus protecting the data in transit. While you wouldn’t provide QKD end points for consumers accessing a website, for example, security professionals could strategically set up QKD-protected transfers into and out of a database.
Deploying the combination of asynchronous and synchronous encryption with QKD protection can reduce the risk of an attack in the first place and improve your chances of surviving a data theft without harm.
Just like basic home security, homes without a security system are more likely to be broken into and burglarized than homes with one. Given the importance and value of your data, the basic encryption most organizations use just isn’t good enough anymore.