I sometimes get asked about what I think about “quantum” for solving cybersecurity problems. The answer is I try to never think about it because even one brain cell processing it is too many given its irrelevance to the problem domain.
What security problem is “quantum” trying to solve? Would quantum solve Solarwinds? Heartbleed? Log4Shell? The 2016 DNC compromise? Any number of the social engineering-based attacks we see month after month? No, no, no, no, and no.
“Quantum” is specifically solving the problem of cryptographic primitives: that some of the fancy math problems we use to keep other humans from guessing how to unscramble our data eventually might be solvable by superscale quantum computers.
The argument you’ll often hear from quantum zealots is: “imagine if the primitives that were beneath your feet just vanished.” I don’t have to imagine, bro, that happens in software security every fucking day.
Beyond zealots, there are those in the tech sphere and on its periphery who worry about how horrible cryptography problems could get – but this is because they are ignorant of how bad implementation problems currently are. They do not realize that “breaking a common cryptographic algorithm” is so far down the list of realistic concerns in cybersecurity that it might as well be next to secret agents kidnapping your sysadmin (or whatever employee has the most access to internal systems).
The reality is that there are lots of cyber-attacks and most are pretty boring. Very, very few attacks seen in the real world are from “breaking” encryption. When it does happen, it’s because someone tried to roll their own crypto1 and messed up the implementation. But most attacks use tactics like social engineering or exploiting known vulnerabilities in web apps or malware-as-a-service; they are not using fancy math, or really any math, other than thinking about the optimal level of effort to achieve the desired payout.
Quantum computing doesn’t solve spoofed URLs like company-name vs. companyname.com which lure users into entering in their credentials. It doesn’t solve attackers copying language from legitimate emails for use in their phishing emails. It doesn’t solve employees’ credentials being stolen. It definitely doesn’t solve memory safety issues, logic flaws, or components interacting in unintended ways.
The security problem “quantum” is trying to solve seems to be financial security – for the proselytizers’ ongoing research prospects. Looking deeper, I suspect the puffery about quantum security stuff is a variation on the theme of longtermism: let’s ignore the real problems in our face today and work on solving imaginary problems for problems many years from now. It’s a cheap way to feel like your work matters.
It also makes you immune to criticism. You can rightfully ignore the “it’s not even real yet” critique, but you can also ignore everything else because you’ve worldbuilt a future where the problem you’re solving is the biggest problem, so anyone who says otherwise is either myopically focused on the present or has other predictions for the future (and of course they are wrong because they do not use cool words like “post-quantum” to describe their future).
With the issue not existing today, anyone criticizing you doesn’t have evidence to disprove it. Sure, you don’t have the evidence to prove it will actually be a huge, society-shattering problem, either, but you can always leap onto your moral high horse and trot off with your bags of research funding, because one day you’ll be vindicated. And if it wasn’t important, would it be getting funding?? Checkmate, pre-quantum losers.
When I poke around the corners of tech society today, I often find a fatalism fetish – an weirdly eager hunger for the end of the world as we know it to be nigh, whether due to AI or quantum computers breaking cryptography.
The other significant contributing factor, I suspect, is the eroding sense of belonging and meaning in our society2 – the desperate human need to feel important and influential in our surrounding environment. If we fear that a Nation State will use multi-billion-dollar quantum capabilities to read our email, we implicitly are deeming ourselves important enough to warrant that level of attack investment – that our email is that special because our lives are that special.
The Nation State could also threaten our lives or our loved ones (“your laptop or your life”); profile our interests to send us targeted social engineering content; glean our favorite websites and inject malicious scripts that download malware onto our machine, watering-hold style; or literally so many things that don’t involve quantum anything. “Quantum” solves none of those things, but it does not matter because, like a cult, unquestioning faith is the price of entry for future glory.
The “quantum” hype, especially among leadership and people with deep coffers, is especially frustrating because there are many security problems worth solving now – not just the ones we hear about all the time (phishing, malware, vulnerability exploitation, etc.), but also ones we don’t discuss enough: stalkerware and spyware; digital identity and access for vulnerable populations, like refugees or the unhoused; privacy increasingly becoming a luxury good.
These are very hard problems to solve that disproportionately affect underprivileged groups, but instead we’re fretting about the future-flung vanity problem that is “quantum.” The fanatics think they are starring as an innovator in an epic sci-fi by being “involved” with “quantum” but instead they are the ham-fisted buffoon that serves to make it painfully obvious to the audience that merit does not matter in this dystopian setting.
In short, thinking that “quantum” will “solve” security is quixotic. If that is you, you are Don Quantum and you are tilting at windmills. I’d say you have big Captain Ahab energy, except your white whale doesn’t even exist. Meanwhile, problems abound, including very hard problems, many of which do need fancy math and sciencing. Like, was formal methods not exotic and impractical enough for you??
For real, if you want a huge, horrifying existential threat to tackle, the undersea cables that underpin the internet are vulnerable to climate change. Migrating your efforts from technobabble to working on climate change (whether inputs or impacts) will mean you’re no longer a waste of carbon, at the very least.
I mentioned I get asked sometimes about “quantum” for cybersecurity and the answer in my head is usually, “Cybersecurity is an entirely unserious industry.” We think we’re being serious if we dress it up in the shallow artifacts of science, whether risk quantification or quantum3. Yet we still suck at empiricism and we’re only really curious if we don’t have to be accountable for results.
The quantum hype is perhaps a culmination of this – the right place at the right time to provide an outlet for our valid anxieties about the future while not having to do anything real to make that future better.
If you’re attending Black Hat USA, check out my talk Wednesday at 11:20 in Oceanside A. I’ll be doing a book signing at the Fastly booth at 14:30 Wednesday, where you can get a free copy. Otherwise, I’m signing books 16:00 Tuesday in the Black Hat Bookstore and 13:00 Wednesday at the O’Reilly Media booth.
The advice “don’t roll your own crypto” comes from the time before cryptocurrency; in this case, crypto = cryptographic algorithm. ↩︎
This was accurately forecasted by Jacques Ellul in 1954. It’s probably for the best he died before the rise of social media. ↩︎
I’m dreading the rise of “risk quantumication”; look for it as an “Innovation Trigger” on Gartner’s 2030 Hype Cycle. ↩︎
2023-07-25 07:00 -0400