Opinion | Cybersecurity

Protecting American data is the real crisis in national security

The views expressed by contributors are their own and not the view of The Hill

Many people use the term "crisis" to describe almost any difficult situation, and so it is overused and does nothing to inform us. A genuine crisis, one that requires immediate action and the expenditure of scarce resources, is distinguished from all other unpleasant circumstances because things are bad, getting worse, and if they're not fixed right now, everything's going down the drain.

By these criteria, we are definitely in the midst of a data security crisis.

The confluence of national security, financial services, and quantum technology may sound like the beginning of a very tired joke, but recent criminal attacks on government and commercial entities in the United States and other countries constitute a rapidly rising tide of malicious assaults on the very data on which countries now rely.

Nevertheless, it seems that officials have yet to grasp either the widespread damage these incursions can inflict or what needs to be done now to deflect and eliminate future threats. 

The heart of everything we do today is composed of data, much of it data in transit as it moves among companies, or countries, or within communities. We struggle to protect data at rest, too, but data in transit is a much bigger problem because it creates tentacles that spread and become entangled in a multifarious and vulnerable web. 

The financial services industry, however, may provide some guidance. Take, for example, the strides leaders like JPMorgan and Goldman Sachs are taking with quantum technology.

While the promise of quantum computing may be years away, these banks and others are investing in early-stage quantum technologies to solve complex and resource-intensive financial computations. But simultaneously they're also researching, developing and testing quantum-based solutions for security risks.

Technologists predict that one day, and probably sooner than we think, we will reach Q-Day, when quantum computers will break all current methods of cyber-encryption. From that day forward, traditional mathematical algorithms - the present-day security - will be broken by quantum computers that can compute huge volumes of data at speeds far, far exceeding what's possible today.

What the financial services industry has gotten right is this: it has recognized that this is a real crisis and is taking steps to address it. 

It is in the financial services industry that we see the first applications of quantum technologies being added to security infrastructures. While they are not deploying the full capability of quantum computers, they are advancing the practice of crypto agility and quantum-safe out-of-band key delivery architecture capable of supporting all security key sources; that is Quantum Key Distribution (QKD), Quantum Random Number Generation (QRNG) and Post-Quantum Cryptography (PQC). And these bite-size quantum tools can be easily integrated with an existing infrastructure and scalable in an enterprise setting.

I was talking recently to a CTO at a Fortune 10 company, and we spoke at length about the inability or refusal of businesses to talk to one another about securing data, and of the same problem within our own government. It is important to remember that no organization - United Technologies or Boeing, JP Morgan or Wells Fargo, or the Department of Energy and the Department of Homeland Security - exists in a vacuum. We are all connected by data. If we continue to take the same ineffectual approach to data security, we will continue to convince ourselves that we've done everything to solve the problem - when we have not.

Regrettably, this is a tactic that ensures that we will be ambushed - because our corporate and international adversaries can gain the advantage with ease and seize our data.

As in most endeavors, successful tactics often involve a fundamentally novel way of doing something. First however:

  • You must acknowledge there is a problem. Some security pros mistakenly believe they are on top of the threat, or that the risk of Q-Day is so far away that it doesn't have an impact on their organization. It is vital that leaders understand the scale, complexity, and danger of this problem.
  • Don't be naïve. Whatever you're doing now, don't convince yourself or anyone else that you're fixing it. Even if you think it's fixed today, it's not fixed for tomorrow. And your organization remains open to attacks and threats that also put your trading partners, clients, and suppliers in jeopardy.
  • Get out of your IT security box. Quantum-safe security technologies are available today, and they will protect your data for the future. Be alert to new approaches beyond traditional IT security.

Years ago, there was a demarcation between national security and everything else. Eisenhower bemoaned the close association between military and industry when he warned of the military industrial complex. His warning was that the nation was on the long road to perdition.

But what has happened since then is vastly more dangerous. On a personal level, we've all come to rely very heavily on technology over which we have absolutely no control. The bigger problem, though, is that neither government nor business has control over it either. 

Medal of Honor recipient Jack H. Jacobs is a retired Colonel in the United States Army and former investment banker. He currently serves as an on-air military analyst for NBC News and is an advisor to Quantum Xchange

Outbrain