This concern of “harvest now, decrypt later” has been around for many years and has been discussed by many experienced people from several perspectives – it is a real threat of course.
Scrape the data, even if it’s encrypted, and work away offline on cracking the encryption as a narrow specific project – you may not need to create general purpose quantum computers to decrypt the data, but they will greatly help…..
What we wanted to talk about today, though, is some of the implications that flow from this threat vector – one of which is that, in all probability, we won’t know when the data does get decrypted – or at least for a long period of time – our own experiences with Enigma and how and why this was kept secret – even from Allies may be a direct analogue.
When data is decrypted in this scenario, there is simply no cause-and-effect scenario that allows us to directly understand that decryption has in fact occurred – the exfiltration signature was simply the data scraping, which we now allow to go on as routine commercial practice.
‘Harvest now, decrypt later’
In this ‘harvest now and decrypt later’ scenario we have to now focus on a very difficult problem – if the decrypted data is exposed and available for use (exploitation), how do we determine if what is going on with the data is ‘normal or abnormal’?
As one example, is that technological breakthrough one that has ‘occurred independently’, or is the breakthrough in fact one based on someone else’s decrypted IP or data? If it’s personally identifiable information (PII) that is being used, is it from the individual, under their own autonomy, or is the decrypted data being used as part of a misinformation campaign on a social platform? How can we tell? Are we chasing a horse after it has left the barn? Which always takes more resources and time than keeping the paddock properly locked in the first place.
If we are concerned about individual and systemic digital trust as enablers of a connected modern economy, keeping watch over how our data is managed today should be done on a proactive basis to maintain confidence in our future. There may not be an economic apocalypse from the harvest and decrypt scenario, just a slow and steady erosion of trust, IP, and economic value. And an even more vibrant dark economy.
What this ‘harvest now, decrypt later’ scenario really tells us is that we cannot wait for the market to time and deliver effective responses to deploying post-quantum encryption that protects important digital assets – particularly where your enterprise relies on digital trust for its lifeblood. Again, we think this is an area where pre-competitive behaviours may be appropriate, and an area for immediate focus by regulators and government thinkers.
We are on notice that we need to protect access to important data now – waiting until the commercial markets provide counter-measures may simply be too late, in fact, for a variety of sensitive information, it is already too late.
The “Quantum Ready” Insurance
It’s quite possible with all the recent and accelerating quantum breakthroughs that we are now arriving at the stage of what is known as ‘event risk’, and that as a prudent defensive expenditure for the future, given the amount of work, expertise, and time involved to become quantum safe, it is time to begin preparations and planning for strengthening the digital trust we all rely on. Think of it as “quantum ready” insurance.
We will have to do all this anyways – so why not before it’s an even bigger and more expensive challenge.