Andersen Cheng, Post-Quantum: “businesses will need to overhaul their entire information security to ensure systems are quantum-safe”

The Internet can be a space for spreading ideas, communicating with people around the world, and celebrating a borderless reality. But it can also be a gloomy environment full of file-encrypting ransomware, malware, and phishing attacks.
Both companies and individuals rely on security technologies such as end-to-end encryption to protect their data from attackers. However, if large-scale quantum computers arrive, the public-key algorithms that underpin that encryption today, such as RSA and elliptic-curve schemes, will be of little help.
According to the CEO of Post-Quantum, Andersen Cheng, it’s essential to build an ecosystem that would protect sensitive information from the start-point of creation to the end-point of transmission.
Post-Quantum has been successfully providing security solutions for more than a decade. How did this project come about?
I’ve been involved in cybersecurity for just over three decades now. I’m a computer auditor by training. So, the journey really started all that time ago when I first understood that computing systems needed end-to-end security.
I was also Head of Credit Risk at JP Morgan in Europe and a founder member of LabMorgan, a FinTech incubator, before becoming COO of the Carlyle Group’s European Venture Fund some years later.
After that, I was on the management team at TRL, which was the only provider of top-secret grade hardware crypto to the UK government and NATO allies – TRL was subsequently sold to L3, the US Defence Group.
After working with one of my co-directors at TRL, Professor Martin Tomlinson, we were looking for the next big problem to solve together. Martin said to me one day, “if you really want to save the world, then protect it from quantum computers, because that really will be the end of the world as everything is dependent on public-key cryptography (PKC).”
This was the catalyst that got me thinking about the impact of quantum code-breaking and the clear need to future-proof the entire ecosystem – from how we sign in to IT applications to how we protect the communications infrastructure that transmits data.
Over the last 12 years, the vision of the company has been to build an ecosystem and ensure that data can be protected from the moment it is created, when it is stored at rest and as it is transmitted across networks, even when a code-breaking quantum machine proliferates.
You describe your solutions as quantum-safe. Can you tell us more about what it means?
It means protection against a future quantum attack, but to understand the significance of this, you need to first appreciate what’s at risk.
Quantum machines are extremely good at performing vast amounts of computations in parallel, whilst today’s computers can only solve problems one at a time.
As such, they can derive knowledge from small datasets, which will allow them to break current public-key encryption. So, while quantum computers promise revolutionary benefits for many industries, they also pose an existential threat to existing public-key encryption, such as RSA, which enables digital commerce, secure communications, and remote access to financial services that we all rely on today.
People frequently talk about commercial quantum computers when referencing this Y2Q moment, and that’s a long way off – potentially 10-15 years away. But from a cybersecurity perspective, we’re not talking about slick commercial machines.
A huge, poorly functioning prototype in the basement is all that’s needed to break today’s encryption. It does not need to go through any benchmark review or certification, and this prospect is much closer, and it could happen within the next three to five years.
When this day comes, everyone’s data will be at risk of theft and exploitation, potentially with unimaginably dire consequences – think of the widespread fraudulent use of identities, emptying Bitcoin wallets, shutting off the power grids, etc.
However, our quantum-safe solutions use a new generation of quantum-resistant cryptographic tools. They are often called post-quantum cryptography (PQC) and will replace or supplement today’s cryptographic standards and counteract quantum computers.
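The "supplement" route mentioned above is usually deployed as a hybrid key exchange: a classical key agreement and a post-quantum KEM run side by side, and both shared secrets feed a single key derivation, so the session key stays secret unless both schemes are broken. The combiner below is an added example written for this page with only the Python standard library; it is not Post-Quantum's code. The two KEM shared secrets and ciphertexts are constructed byte strings standing in for real X25519 and PQ-KEM outputs, and the label string is an assumption.

```python
import hashlib
import hmac


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) instantiated with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_self_test():
    """Check the HKDF code against RFC 5869 test case 1 before trusting it."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    okm = hkdf_expand(hkdf_extract(salt, ikm), info, 42)
    return okm.hex() == (
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )


def _lv(data):
    """Length-prefix a field so concatenated inputs cannot be re-split ambiguously."""
    return len(data).to_bytes(2, "big") + data


def combine_shared_secrets(ss_classical, ct_classical, ss_pq, ct_pq,
                           label=b"hybrid-kem-example"):  # label is an assumption
    """Derive one 32-byte session key from both KEM outputs.

    Both shared secrets go into the extract step, so the key is unknown to
    anyone missing either of them. The ciphertexts and label are bound in via
    the info string, so the key also commits to what was actually sent.
    """
    ikm = _lv(ss_classical) + _lv(ss_pq)
    info = _lv(label) + _lv(ct_classical) + _lv(ct_pq)
    prk = hkdf_extract(b"\x00" * hashlib.sha256().digest_size, ikm)
    return hkdf_expand(prk, info, 32)


def example_session_keys():
    """Constructed stand-ins for KEM outputs (not real X25519 or PQ-KEM values).

    Returns (parties agree, attacker with only the classical secret fails).
    """
    ss_c, ct_c = bytes(range(32)), b"ct-classical-example"
    ss_pq, ct_pq = bytes(range(32, 64)), b"ct-pq-example"
    initiator = combine_shared_secrets(ss_c, ct_c, ss_pq, ct_pq)
    responder = combine_shared_secrets(ss_c, ct_c, ss_pq, ct_pq)
    # A future quantum adversary recovers ss_c from ct_c but must guess ss_pq.
    attacker = combine_shared_secrets(ss_c, ct_c, bytes(32), ct_pq)
    return initiator == responder, initiator != attacker


if __name__ == "__main__":
    print("HKDF self-test:", hkdf_self_test())
    print("parties agree / attacker blocked:", example_session_keys())
```

The length prefixes matter: without them, a combiner that concatenates variable-length ciphertexts would let two different (ct_classical, ct_pq) pairs produce the same info string. In a real deployment the stand-in secrets come from the two KEMs' decapsulation calls, and the derived key feeds the record layer the way a TLS handshake secret would.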
What are the main threats associated with quantum computers?
As I’ve mentioned, the main threat is quantum computing’s ability to break the existing public-key algorithms that underpin today’s security measures, as well as the harvest-now-decrypt-later attacks that are already starting to be seen today.
Fortunately, the National Institute of Standards and Technology (NIST) is in the process of developing and selecting new algorithms that can withstand the quantum threat.
Our encryption algorithm NTS-KEM (now known as Classic McEliece, after merging with the submission from renowned cryptographer, Professor Daniel Bernstein, and his team), is now the only code-based finalist in the NIST process. The algorithms that form NIST’s final standard will effectively protect all future data flowing over the internet.
Whilst many are waiting for NIST’s standard to emerge before taking action on quantum encryption, things are not quite so straightforward. That’s because cryptography has been such a fundamental technique in the information security landscape, and we’ve embedded it into almost everything we do. The implication of this is that most businesses will need to overhaul their entire information security and cryptographic infrastructure to ensure systems are quantum-safe and in line with NIST’s new standards.
However, replacing today’s RSA and Elliptic Curve algorithms will not happen overnight and could take 10+ years to complete, which is why the post-quantum migration needs to be initiated now.
Microsoft’s Brian LaMacchia, one of the most respected cryptographers in the world, has summarised this succinctly when he states that quantum migration will be a much bigger challenge than past Windows updates.
Do you think the pandemic somehow affects the way people approach cybersecurity?
The obvious impact of the pandemic has been the acceleration of previously stagnant or incremental digital transformation projects, which by extension, has placed a microscope on cybersecurity. In other words, the pandemic has accelerated technological adoption but has simultaneously exposed cybersecurity vulnerabilities and unpreparedness.
The lack of cyber-readiness was clear from the start, following an increase in incidents during the first few months of the pandemic. Years of limited investment in cybersecurity was probably a primary cause here; the rapidly stood-up remote working practices and attempts to quickly enable employees to access sensitive networks and information from anywhere also left many organizations vulnerable.
That being said, there have been some encouraging signs that organizations are shifting to more secure foundations since the pandemic started. For example, over 150 million people are now using Microsoft passwordless systems each month, while 84.7% of people opted for Windows Hello to sign in to Windows 10 PCs instead of a password, up from 69.4% in 2019.
We now are seeing some of the world’s biggest and most renowned tech companies adopting, deploying, and investing in passwordless technologies that enable better identity management.
What are the risks associated with poor identity management and authentication, and how can these problems be tackled?
I think for anyone that doesn’t understand identity management, the easiest thing you could say to stress its significance is that identity is the key to the castle, and the castle is filled with personal data, information, and other valuables.
Just imagine from a cyber criminal's perspective: they will attack your pipes to start with; if you secure your pipes, they’ll attack your joints; if you secure your joints, they’ll poison the water. Identity is your gatekeeper to control what flows through the pipes. In other words, you could secure all of your other pipes and joints, but if someone can obtain your user name and password, then it doesn't matter what else you do – because they can gain a so-called legitimate way in.
Password-only systems are the bedrock of poor identity management, particularly given that password reuse is still rife and people still too often opt for easy-to-crack passwords. Using a traditional multi-factor authentication (MFA) method helps, and it can be further enhanced by introducing multi-factor biometric (MFB) authentication which will eliminate most common attacks, like credential stuffing and phishing, that are caused by password-only systems.
Credentials can’t be lost, stolen, or shared when they are your face, voice, haptic and behavioral patterns – the legitimate user must be present to log in.
What are some of the most common tactics cybercriminals use nowadays? What types of organizations do they usually target?
Cyberattacks come in all shapes and sizes. Besides the already mentioned harvest-now-decrypt-later threat, three more general tactics are sitting at the top of the tree and making an impact on a wide variety of public and private sector organizations. These include the following:
- Ransomware
- Phishing attacks
- Credential stuffing
Ransomware has been around for a while, but it remains the most dominant threat as criminals continue to increase pressure on companies that need to protect their reputations. Attacks are becoming increasingly targeted, and last year saw some huge attacks, including when the REvil gang pulled off one of the biggest ransomware heists in July.
Similarly, phishing attacks are nothing new, but particularly since the pandemic, we have seen a sharp uptick in Covid-19 specific phishing. For example, scammers send fake emails pretending to be from the US Centers for Disease Control and Prevention (CDC).
Finally, credential stuffing – or testing millions of email and password combinations on different sites hoping that one may eventually work – remains as prominent as ever. In 2020, the video-conferencing company Zoom fell victim to this attack, with 500,000 usernames and passwords distributed on the dark web.
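Credential stuffing, as described in the answer above, has a recognisable shape in authentication logs: one source tries many different usernames in a short window and almost every attempt fails, with the occasional success being the account that was reused from a leaked list. The following is an added detection example written for this page, not from the interview or Post-Quantum, over constructed log lines in an assumed `timestamp src=IP user=NAME result=OK|FAIL` format; the thresholds, window and IP addresses are assumptions. It also separates stuffing from single-account brute force and lists the accounts whose logins succeeded inside a stuffing burst, which are the ones to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data) in the assumed line format.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-04-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2020-04-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2020-04-01T10:00:03Z src=203.0.113.5 user=dave result=OK
2020-04-01T10:00:04Z src=203.0.113.5 user=erin result=FAIL
2020-04-01T10:00:05Z src=203.0.113.5 user=frank result=FAIL
2020-04-01T10:00:30Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:00:31Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:00:32Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:00:33Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:00:34Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:00:35Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:05:00Z src=192.0.2.9 user=grace result=FAIL
2020-04-01T10:05:09Z src=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Turn log lines into (timestamp, source, user, succeeded) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect(events, window=timedelta(minutes=5), min_attempts=5,
           min_users=5, max_success_ratio=0.5):
    """Classify each source IP by sliding a time window over its attempts.

    credential_stuffing: many distinct usernames, mostly failures.
    brute_force: one username hammered repeatedly, mostly failures.
    Thresholds are assumptions; tune them to the site's normal login mix.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _, _, _) in enumerate(evs):
            chunk = [e for e in evs[i:] if e[0] - start <= window]
            if len(chunk) < min_attempts:
                continue
            successes = sum(1 for e in chunk if e[3])
            if successes / len(chunk) > max_success_ratio:
                continue  # a busy NAT with mostly good logins is not an attack
            users = {e[2] for e in chunk}
            if len(users) >= min_users:
                verdicts[src] = "credential_stuffing"
                break
            if len(users) == 1:
                verdicts[src] = "brute_force"
                break
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a source flagged as stuffing."""
    return sorted({user for (_, src, user, ok) in events
                   if ok and verdicts.get(src) == "credential_stuffing"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    flagged = detect(evs)
    print(flagged)
    print("reset first:", compromised_accounts(evs, flagged))
```

Real campaigns rotate through proxy pools, so a per-IP rule like this catches only the lazy ones; the same window logic is normally applied per ASN, per user-agent or device fingerprint, and to the global failure rate across all sources. The successful logins inside a flagged burst are the ones MFA, as the interviewee notes, would have stopped.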
In your opinion, why do people still push cybersecurity to the background despite the recent rise in cybercrime?
Although I think cybersecurity has received more prominent attention lately, the main challenge continues to be senior sponsorship. Cybersecurity is still not taken as seriously as it should be in boardrooms and digital literacy still lags far behind financial or legal literacy higher up in the corporate food chain.
Although more and more digital transformation projects are being signed off and invested in, going the extra mile to stay secure is all too often being seen as a cost-center, which is puzzling given the revenue-generating potential of secure digital commerce.
It’s not all doom and gloom, though. A number of the largest institutions, mainly banks, have got permanent boardroom representation for cybersecurity, and some of them have already sanctioned multi-billion dollar quantum migration budgets.
Lately, there has been a lot of discussion regarding Web3. What are your thoughts on this new version of the Internet?
Up until recently, I was a strong skeptic of all things blockchain-related since the ledger can only prove immutability, but not security. Clearly, there are still fundamental issues with this world that pose question marks, but I've become much more optimistic over the recent months.
In terms of cryptocurrencies, the community has a clear ambition to lay a foundation for a more open and inclusive global financial system. In a similar vein, having founded a company that offers some of the world’s most secure cryptography, I have a steadfast belief in giving people the power to control how their data is being used and enhancing their privacy. That being said, I still have deep concerns about security in Web3, particularly the quantum threat.
In 2021 alone, there were several well-known bugs, hacks, or so-called fat-finger mistakes that an owner of an exchange, a coin, or an NFT has suffered from. Some of them have resorted to goodwill pleading from the founders or exchanges for refunds. Some of them have even used old-world techniques, such as threatening to freeze the receiving account’s other assets. Imagine, if these were perpetrated by quantum attacks – they would be conducted systematically and efficiently without any recourse.
Our firm is also providing a technology called Quorum, which would be relevant to the sector. This ensures that before a blockchain transaction can take place, multiple stakeholders must first approve it. Whilst it sounds similar to the Multi-signature protocol (Multisig) that the crypto community uses, it addresses several vulnerabilities. For example, no complete keys are ever transmitted or exposed when approving a transaction.
What does the future hold for Post-Quantum?
The world is now at an inflection point when it comes to post-quantum security. Within the next few years, a quantum computer will crack encryption and, in a single moment, the entire world’s data will be left vulnerable to theft and exploitation, threatening the foundations of everything from established enterprise infrastructures to Web3's crypto-based innovations.
The timing element here is still of much debate, but the threat that we are referring to is not a commercial quantum computer. I’m talking about the sheer power to do simple integer factorization under lab conditions, which will come sooner than many expect.
However, even if the first quantum computer isn’t seen until 2030, we are still in a race against time to stay secure. It’s estimated it would take at least ten years to modify the existing cryptographic infrastructure, which entails transforming all existing systems that use PKC or most electronic devices that connect to the internet.
Although NIST is expected to finalize their decision early this year, given the time scale of the transition in front of us and the limited time we have to do it in, organizations and communities like banks and Web3 must start the migration and transition now.