IT security is a fast-moving and exciting field to be in. Fascinating industry news greets me almost every morning.
Recently I read that the University of Science and Technology of China in Hefei is leading a project to build the world’s longest quantum communication network, stretching 2,000 km between Beijing and Shanghai, by 2016. The builders hope to give users completely secure communication through quantum encryption.
That’s certainly a big ambition.
A quantum communication network is, in theory, unbreakable. Any attempt to intercept the encryption key would alter the physical state of the quantum data, or qubits, and alert the communicating parties. Currently, several other labs in various countries around the world are looking to tap into this technology.
Is quantum encryption the holy grail of IT security, if such a pinnacle exists? I can certainly relate to the developers’ dogged pursuit of unhackable security technology, but that doesn’t stop me from asking if one single technology – no matter how perfect – can be the be-all and end-all solution to one of the most complex problems facing mankind today.
I can see two hurdles standing between quantum encryption and widespread adoption – the cost-benefit proposition, and more importantly, the existence of weak links in other parts of the security system even if quantum encryption itself is impenetrable.
Are the benefits worth the cost?
There are no clear indications of quantum encryption’s costs yet, but they are likely to be high, especially in the initial stages when the technology is immature and the pool of users is small. Businesses are all about increasing profit and reducing expenditure – low-cost encryption technologies that are secure enough for most enterprise applications already exist today. So how will organisations justify the big jump in costs for moving to quantum encryption?
Your enterprise is as secure as its weakest link
The tougher challenge lies in the fact that security is an interconnected system, not an isolated jigsaw piece. If quantum encryption is really hard to crack, cybercriminals will look for a weaker link in the security system to target. They could, for instance, use social engineering to learn how to access confidential data, or they could, as most hackers do today, plant malicious software on end-users’ computers to steal their data when it is at rest.
Since quantum encryption only promises to protect data in motion – which is just one link of the entire security chain – labelling it as an “unbreakable security” technology is overreaching. Many technologies lie beyond quantum encryption, and many domains lie beyond technology.
Boosting overall security requires us to continuously strengthen the weakest link of the chain, as and when it appears. To be successful, there must be concerted, industry-wide action to concurrently upgrade individual components of the security chain.
That means that while security solution providers work hard to share threat information and develop their technologies, enterprises and consumers must take time to learn more about cybersecurity and guard against attacks; CERT teams must improve their response capabilities; and institutions worldwide must step up their efforts to groom cybersecurity talent.
The list goes on, and the stakeholders involved are many. These stakeholders need to do their earnest best in their respective fields, and cooperate with one another. That – not quantum encryption alone – is the real key to making the world a more secure and liveable place.