As quantum computing gains momentum, it has become imperative for cybersecurity teams to mitigate quantum attacks – or Y2Q.

Quantum computing research has gained momentum around the world, promising to deliver huge leaps forward in processing power.

But it also has the potential to render today’s public key cryptography useless.

Y2Q, a term recently coined by cyber experts, warns about a scenario where quantum computers become weaponized by threat actors, rendering many widely used security methods useless against next-generation attacks.

If we’re not careful, the end of internet security may be near.

Governments around the world have laid the foundation for quantum cybersecurity – including preparations for Y2Q by the US and a new engineering quantum program in Singapore – and regulations may soon follow.

Quantum computing will be leveraged by threat actors, and cybersecurity teams need to act now to prevent their existing security measures from becoming obsolete in the event of Y2Q.

CybersecAsia discusses the current and impending dangers with Jim Alfred, Vice President, BlackBerry Technology Solutions Certicom.

Why are we seeing a greater urgency to strengthen safeguards to the IT supply chain and critical infrastructure, globally and in Asia Pacific?

Jim Alfred (JA): In the recent past, the software supply chain has become an extremely desirable target for threat actors – especially as the impact of a supply chain attack can be far greater than targeting an individual victim. A glaring example is the SolarWinds attack in 2020.

Throughout 2021, the world witnessed a series of cyber-attacks against water treatment plants and pipelines. By October 2021, the Monetary Authority of Singapore (MAS) was citing the need for a concerted effort to drive cyber security standards adoption across IT supply chains.

Now, as cyber-attacks continue to escalate locally and around the world, threat actors are not only becoming emboldened in their cyber onslaught, but there is a paradigm shift away from the usual financial services targets to “big game” organizations.

In Singapore, the Cyber Security Agency of Singapore received 1,238 reports of cybersecurity incidents from businesses and other organizations in 2021, while it only received 972 such reports in the preceding year. One only needs to think of the large-scale impact of the supply chain attacks on SolarWinds or Kaseya.

These events are stark reminders that no organization or government agency is immune to cyberattacks, especially in today’s increasingly sophisticated digital landscape. The supply chain will continue to be globally interconnected, and any point of the chain can be a “weak link”.

This weak link can be in enterprise software, or in embedded devices which industry has come to rely upon to automate everyday tasks such as managing city traffic signals or power and water systems.

With many industries already grappling with the challenging realities of geopolitical tensions and inflation impacting the cost of doing business, protecting the IT supply chain and critical infrastructure can negate unnecessary costs, inefficient delivery schedules and even potential harm to human lives.

What is Y2Q, its plausible threats, and the implications for organizations across various industries?

JA: Y2Q is akin to Y2K. Y2K referred to the massive amount of software recoding that was required to extend the two-digit field used to encode years “YY” in the last century. For some reason it didn’t dawn on many developers that their code and data structures would be around for a long time – and it wasn’t until the mid-1990s that the software community woke up to the realization that most programs simply weren’t ready for the new millennium.

While Y2Q is not a fixed date on the calendar, it is the cybersecurity industry’s hopefully not-too-cryptic message that traditional public key cryptosystems might not be either. Cyber experts warn that Y2Q will be the uncertain date, perhaps in the next 10 to 15 years, when it will be practical (for say a nation state) to crack traditional public key cryptosystems.

Nation states are preparing for future cyber wars (some term it, the new cold war) and critical infrastructure is a prime target. Traditional cryptography used to protect devices deployed today may be the weakest link.

The implications of Y2Q are many, but chiefly among them is the increased vulnerability it brings to Smart Cities like Singapore. With interconnectivity as the backbone, IoT entities like streetlights, phones, cameras embedded with sensors and software are abundant – therefore expanding the attack surface and vulnerabilities that hackers could exploit.

Besides Smart Cities, critical infrastructures such as industrial controls, aerospace, and military electronics, telecommunications, transportation infrastructure, and connected cars are also vulnerable to the threats of Y2Q.

What measures should governments, end-user organizations, and developers/manufacturers of connected technology take now to mitigate Y2Q risks?

JA: It took industry over 5 years and over $100B to fix the Y2K issue. Replacing cryptography is much more difficult than adding a couple of digits to a date field, and experience tells us it could take much more time and cost much more money. One way to reduce both risk and cost is to begin using crypto-agile design today.

As encryption algorithms are often broken or deemed to be too weak, cryptographic agility refers to the ability to change to a new algorithm without the need to rewrite applications or deploy new hardware systems.

Y2Q is a particularly insidious problem because an attacker may begin breaking cryptosystems long before the world knows about it. They can plant “authentic” malware that may remain dormant for a long time.

From a government point of view, a regulatory framework like standardizing post-quantum cryptography can be imposed to ensure critical parts of the economy are quantum ready. To accelerate industrial growth, governments can also engage with the growing ecosystem of technology partners.

Organizations can also stay vigilant by re-evaluating cybersecurity strategies to better support their IT teams.

How does the partnership between BlackBerry and NXP Semiconductors help organizations in Asia Pacific prepare for and prevent post-quantum cyber-attacks?

JA: With the constant existence of increasingly sophisticated threat actors, the consequences of cyber-attacks have escalated far beyond just financial losses – they can cause electrical blackouts, network disruptions, and even breaches of national security secrets.

The good news is vendors are already working on solutions that offer an increasing level of quantum security, and the partnership between BlackBerry and NXP is a prime example.

Both BlackBerry and NXP are global suppliers and leaders in their respective fields. The industry partnership will set an example of how it is never too early for business to start working towards crypto-agile design.

The new integration allows software to be digitally signed using the National Institute of Standards and Technology’s (NIST’s) recently endorsed CRYSTALS Dilithium digital signature scheme that will be quantum resistant, safeguarding those relying on – and delivering – long lifecycle assets such as systems in critical infrastructure, industrial controls, aerospace and military electronics, telecommunications, transportation infrastructure, and connected cars.

This collaboration is expected to guard against an increasingly risky future when quantum computers are expected to, at some point, break or decrypt public key encryption (PKI) used by most organizations to secure sensitive data. It is therefore critical that every organization assesses their quantum-cybersecurity posture with regard to how data is encrypted and protected.