Europe’s quantum communication plans: Defending against state-sponsored cyber attacks
State-sponsored cyberattacks are on the rise and are a significant part of the future of warfare. Why would a nation send humans to a frontline when it can take out the critical infrastructure of an adversary nation from behind a computer (or millions of computers working in a coordinated attack)?
We have seen the devastation that cyberattacks can have on infrastructure, such as the hack that took down the Colonial Pipeline (the largest fuel pipeline in the US) in 2021, the cyberattack on French hospitals at Dax and Villefranche-sur-Saône earlier this year, or the WannaCry malware that caused chaos for the UK’s national health service in 2017.
Attacks like these show us how important it is that the future of defense must include cyber defense. And a critical part of that defense is establishing a secure communication infrastructure, using the principles of quantum computing.
Europe’s foray into quantum communication is extremely promising. It establishes an ultra-secure form of encryption, protecting communications systems against eavesdropping or even from being controlled by a hacker. The combination of ground-based and space-based elements overcomes the physical limitations of having a purely ground-based communication system.
Many entities – both in the public and private sectors – have invested heavily in quantum technology, and the race is on to produce the first set of products ready for industrial use. The EU is no exception, building on a tradition of excellence in quantum research that could take the first step towards the creation of a quantum internet, which will allow government institutions and companies to securely exchange highly sensitive information.
This research is critical for security. As computing power has increased, so has hackers’ ability to decrypt encrypted data (e.g., passwords). However, we should still exercise caution. While quantum communication could be the answer for defense, we should also assume that criminals will already be researching ways to break it.
France is at the forefront of this development, launching its national Quantum plans in January 2021. France-based Airbus has been selected by the European Commission to lead the EuroQCI (Quantum Communication Infrastructure) consortium to design the EU-wide quantum communication network. France has led the way in research into qubits (the quantum bits that are the units of quantum computing, holding two possible states at the same time) at the CEA in Saclay, and the ENS and Collège de France in Paris.
The first job of the consortium will be to enable ultra-secure quantum key distribution (QKD), which uses quantum principles to create random keys so intrinsically secure that attackers are unable to eavesdrop on or control communications channels. We won’t see the first proofs of concept for industrial usage in private firms any time soon. However, the first prototype systems will be available in 2021, with the first systems ready for scientific use by 2027.
Securing existing encryption methods
Until then, organizations must focus on securing existing encryption methods. We advise organizations to take the following steps:
1. Review how you classify and protect your data. As business needs change, existing data classifications may not be fit for purpose.
2. Don’t rely on standard data protection audits, but instead conduct your own robust assessments to understand the state of your data protection.
3. Improve the security of the organization’s application landscape, by practicing the principles of development, security, and operations (DevSecOps) in both maintenance of existing applications and the development of new ones. Involve security experts from the very beginning of development of major releases and new software. If they’re involved at the start, they will spot more opportunities to protect relevant and critical data and information.
4. Bear in mind that whatever you have in the cloud is only as secure as the systems of the provider you use. Define and identify the organizational and technical security measures you need and ensure your cloud repositories meet them.
5. Encrypt sensitive data along the whole processing line, using the highest level of encryption available (and review this regularly). Both encryption at rest and in transit should be considered.
6. Manage your encryption keys effectively. Protect them, use different keys for data that is replicated in different regions, and change and update the keys regularly.
7. Constantly review your compliance with the rules that apply to your business, and with the public cybersecurity entities that provide recommendations applicable to your geography and vertical.
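As an added illustration of step 6 (not part of the original article), the following check audits a key inventory for the two rules stated there: no key shared across regions, and no key past its rotation date. The inventory records, region names, key IDs and the 90-day rotation interval are all constructed assumptions; the article does not specify an interval.

```python
from datetime import date

MAX_KEY_AGE_DAYS = 90  # assumed rotation interval; the article gives none

# Constructed inventory: which key protects each regional replica of a dataset.
INVENTORY = [
    {"dataset": "customers", "region": "eu-west", "key_id": "k-eu-01", "created": date(2021, 5, 1)},
    {"dataset": "customers", "region": "us-east", "key_id": "k-eu-01", "created": date(2021, 5, 1)},
    {"dataset": "invoices", "region": "eu-west", "key_id": "k-eu-02", "created": date(2020, 11, 15)},
    {"dataset": "invoices", "region": "ap-south", "key_id": "k-ap-07", "created": date(2021, 4, 20)},
]

def audit_keys(inventory, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Return findings for keys reused across regions or overdue for rotation."""
    regions_by_key = {}
    created_by_key = {}
    for rec in inventory:
        regions_by_key.setdefault(rec["key_id"], set()).add(rec["region"])
        # If records disagree on a key's creation date, trust the oldest one.
        prev = created_by_key.get(rec["key_id"], rec["created"])
        created_by_key[rec["key_id"]] = min(prev, rec["created"])

    findings = []
    for key_id in sorted(regions_by_key):
        regions = regions_by_key[key_id]
        if len(regions) > 1:
            # One key protecting replicas in several regions: compromise in
            # one region exposes the data in all of them.
            findings.append(("shared-across-regions", key_id, tuple(sorted(regions))))
        age_days = (today - created_by_key[key_id]).days
        if age_days > max_age_days:
            findings.append(("rotation-overdue", key_id, age_days))
    return findings

if __name__ == "__main__":
    for finding in audit_keys(INVENTORY, today=date(2021, 6, 1)):
        print(finding)
```
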
The EU’s move to develop a quantum communication network heralds a new era in the region’s fight against state-sponsored cyber warfare and could fundamentally change the security landscape. Until then, though, we must all do what we can to keep our infrastructure and data secure with the technology currently available.