Thoughts from Inside Quantum Technology 2020

Samsung and SK Telecom recently announced the debut of the Galaxy A Quantum 5G smartphone, taking much of the world by surprise. This smartphone comes with a quantum random number generator (QRNG), which produces secure keys and truly random numbers using particles that outside parties cannot intercept or eavesdrop on. This debut represents the first potential mass commercialization of quantum technology for mobile phones, indicating that quantum encryption may be closer to broad adoption than previously thought.

Earlier this month, I attended the 2020 Inside Quantum Technology virtual conference. I had the opportunity to learn of recent quantum computing breakthroughs, explore established and emerging quantum players, and gather insights from the international quantum computing community. The following takeaways stood out as worthy of insurer attention for 2020-2021.

Quantum computing still faces some hardware challenges, but recent breakthroughs signify an acceleration of quantum development.

Supercooling has been the long-standing method to stabilize qubits (e.g., atoms, ions, or photons which act as units of information) within quantum machines. Supercooling extends qubit coherence time; the longer the coherence time, the longer a qubit can maintain its vital quantum properties. However, supercooling is an expensive and energy-intensive process.

In April, IEEE Spectrum shared a significant breakthrough: Two independent research groups built quantum devices that can operate using “hot” silicon qubits, which can withstand temperatures up to 15 times greater than other qubits. This discovery, and the news of Xanadu’s exploration of room-temperature quantum computation through the development of a photonic quantum computer, is an indication that broad deployment of quantum machines draws closer.

Quantum computing attacks may already be occurring.

The advent of a quantum machine capable of cracking RSA encryption (and similar public-key encryption methods) is years away. However, the threat of retroactive decryption exists today. Retroactive decryption (aka “harvest and decrypt”) involves bad actors stealing encrypted data and communications by tapping fiber-optic networks. They store this data with the intent to decrypt it once universal quantum computers (or cloud access to them) become widely available. Large US banks are investing early and heavily in quantum key distribution to protect sensitive data from “hack now, decrypt later” attacks.

Insurers can take steps towards quantum readiness that don’t require purchasing a quantum solution.

Achieving crypto-agility, i.e., the ability to adopt new encryption methods swiftly without significant alterations to existing infrastructure, is the best defense against the quantum threat. The process of achieving crypto-agility is lengthy; cryptographic transformations and security system upgrades can take years, even decades. However, insurers must first examine their existing data and IT security infrastructures and improve their enterprise security before becoming crypto-agile.

Insurers must adhere to existing and new data regulations (e.g., NYDFS, CCPA, GDPR). They can comply with these regulations by implementing strict data governance policies through data categorization (e.g., PII, PCI, HIPAA) and data classification (three to four levels of classification, at minimum) based on specific privacy standards. Organizations should obfuscate or encrypt highly confidential data; they can use two-factor authentication as an additional security measure.

Additionally, insurers should use role-based security to limit access to data, allowing access to stored personal information only to those with certain privileges and demonstrated business needs. Insurers can leverage virtual private databases to create security policies that restrict database access at a granular level. Insurers can also limit data warehouse write access to improve database security.

Once insurers have achieved compliance with state and federal data regulations, they can focus on developing organizational and technological crypto-agility. No single method of data encryption is impenetrable; insurers must prepare themselves to transition between cryptographic techniques and procedures often and quickly. This process involves continuous inventories of all cryptographic techniques and identifying potential areas of vulnerability to prepare for future quantum attacks. Insurers should be able to validate new cryptographic algorithms and procedures repeatedly and replace any legacy encryption standards.
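The inventory step described above can start as a small script that ranks each recorded use of cryptography by its exposure to "harvest and decrypt." The following is an added example, not part of the original article; the system names, retention periods, and the 128-bit post-Grover threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# Symmetric ciphers: Grover's search roughly halves the effective key strength.
SYMMETRIC = {"AES", "CHACHA20"}
# Lower rank = migrate sooner.
RANK = {"harvest-now-decrypt-later": 0, "replace-before-quantum": 1,
        "increase-key-size": 2, "review": 3}

@dataclass
class Entry:
    system: str           # hypothetical system name
    algorithm: str
    key_bits: int
    use: str              # "key-exchange", "encryption" or "signature"
    retention_years: int  # how long the protected data must stay confidential

def exposure(e: Entry) -> str:
    alg = e.algorithm.upper()
    if alg in SHOR_BROKEN:
        # Ciphertext recorded today can be decrypted once the key is recoverable;
        # signatures only need replacing before such a machine exists.
        if e.use in ("key-exchange", "encryption"):
            return "harvest-now-decrypt-later"
        return "replace-before-quantum"
    if alg in SYMMETRIC:
        return "ok" if e.key_bits // 2 >= 128 else "increase-key-size"
    return "review"  # not in the table: needs a human decision

def migration_queue(inventory):
    """Return (system, exposure) pairs needing work, most urgent first."""
    flagged = [(e, exposure(e)) for e in inventory]
    flagged = [(e, x) for e, x in flagged if x != "ok"]
    flagged.sort(key=lambda p: (RANK[p[1]], -p[0].retention_years))
    return [(e.system, x) for e, x in flagged]

# Constructed inventory for illustration only.
INVENTORY = [
    Entry("claims-archive", "AES", 128, "encryption", 10),
    Entry("agent-portal-tls", "ECDH", 256, "key-exchange", 1),
    Entry("policy-admin-api", "RSA", 2048, "key-exchange", 30),
    Entry("document-signing", "ECDSA", 256, "signature", 7),
    Entry("data-warehouse", "AES", 256, "encryption", 30),
]

if __name__ == "__main__":
    for system, status in migration_queue(INVENTORY):
        print(f"{status:28} {system}")
```

Within each exposure class, systems whose data must stay confidential longest are listed first, since that data is the most valuable to store now and decrypt later.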

Crypto-agile insurers can begin to consider quantum cryptography when protecting their enterprise data. There are several quantum key distribution (QKD) solutions on the market for insurers looking to leverage quantum encryption methods (i.e., techniques that harness quantum mechanics to protect data). Providers ID Quantique and Quantum Xchange are offering enterprise QKD systems that can securely transmit the random keys used to encrypt data.

Multiple post-quantum cryptography (PQC) algorithms exist today that may resist quantum attacks. These PQC algorithms include lattice-based, hash-based, and code-based cryptography. Insurers should keep in mind that adopting a new encryption method, classical or quantum, is not enough. Crypto-agility requires insurers to reevaluate all cryptographic techniques continuously and adopt new standards as needed.

Early adoption of crypto-agility and quantum readiness may help forward-thinking insurers gain an exponential edge over their competitors.

Early adopters that added quantum readiness to their five-year IT roadmaps may prevent future security debacles that could lead to the loss of data integrity, policyholder trust, and revenue. Careful preparation for the inevitable quantum threat today will go a long way toward future-proofing insurer enterprise security.

For more on this topic, check out Quantum Computing and Insurance: Overview and Potential Players.
