Why the NCSC and telecoms firms are at loggerheads over quantum key distribution
In the face of mixed messages between the public and private sector, should businesses be wary of jumping on the bandwagon?
The shift to remote working, the increase in ransomware attacks (and ransom costs), and the looming threat of cyber warfare have all unquestionably contributed to elevating the urgency of cyber security. By offering newfound levels of “unhackable” encryption, quantum key distribution (QKD) is turning heads in the cyber security and telecommunications industries alike.
QKD advocates claim this technology is an ultra-secure communication method that serves as the antidote to the rise of powerful quantum machines. It allows the parties involved in sharing confidential information to generate a shared random key, known only to them, in order to encrypt and decrypt messages distributed between them. Its purported necessity is driven by the fear that quantum computers may one day be powerful enough to bypass most cyber security defences by being able to rapidly identify the prime factors of numbers used in RSA encryption. Indeed, theoretically, anybody with access to a powerful enough quantum computer would be able to crack much of today’s encryption, which safeguards messages as well as sensitive medical information and military secrets.
It’s been a formative year for QKD research; from breaking records in long-distance quantum-secured information transfer, to the world’s first trial of QKD over hollow-core fibre cable, the technology is maturing at pace. Earlier this month, meanwhile, we learned London will receive the world’s first commercially available quantum-secured metro network connecting the Docklands with the City and M4 Corridor.
BT is among a number of companies that have, for years, advocated for the potential of QKD, with the firm behind the majority of recent developments. The National Cyber Security Centre (NCSC), however, hasn’t subscribed to this view, believing the technology is still a considerable distance from maturity.
QKD: Hackable or not?
What to consider when choosing a next-generation firewall
How to choose a NGFW solutionFree download
In a whitepaper published in March 2020, the NCSC stated it doesn’t endorse the use of QKD, and cautioned against relying on the technology to protect networks. Although the technology has evolved considerably since the start of the pandemic, the NCSC’s position hasn’t. “While the NCSC welcomes continuing research into QKD,” a spokesperson tells IT Pro, “it does not endorse its use in government or military systems and cautions against its sole reliance on networks used by critical infrastructure.
“Developments in quantum computing present challenges to cyber security in the long term that must be managed, and the UK is preparing new technologies to mitigate the threat and protect our digital lives. The NCSC considers quantum-safe cryptography to be the most effective mitigation to adopt, and advice to help organisations prepare for the transition has been published on our website.”
Although QKD promises a secure way of communication that’s “unhackable” by quantum computers, it’s still susceptible to man-in-the-middle (MITM) attacks, in which an exchange between two computer systems is breached by a third party. This is because QKD doesn’t have adequate authentication protocols in place, meaning that a threat actor could pose as person B to person A, and as person A to person B, leading them to believe that they are communicating with each other. Apart from that, the technology is also limited by specific hardware requirements, as well as the assumption the code used won’t contain any exploitable bugs which could sabotage the efforts of ultra-secure communication.
Today's problem for tomorrow’s security
Duncan Jones, head of cyber security of the quantum computing company Cambridge Quantum, tells IT Pro he wholeheartedly agrees with the NCSC’s position, adding that QKD won’t be suitable for production use for “a while” – potentially five years. In this respect, QKD is similar to 6G; at the moment, the technology is far from maturity, let alone there being any smartphones capable of supporting it. That shouldn’t, however, stop networking firms from exploring 6G, in the same way companies like BT shouldn’t refrain from continuing to research QKD.
“[QKD] is going to have a big impact on communications and telecommunications. And so, they are completely right to be investing in this now,” Jones says. The “average enterprise”, on the other hand, might want to sit it out for another few years. So what makes telecom companies exceptional? The answer lies in fibre optic cables, says Jones, and the telecommunication industry’s “responsibility for moving things around securely”.
“So, definitely, they should be exploring it, and a lot of this builds towards this idea in the future of a quantum internet, so the ability to share quantum data between distributed quantum computers – and that's something else that I know BT and others are thinking about and building towards,” he says.
Although innovation might seem to be moving at an overwhelmingly fast pace, to some it’s not fast enough. According to BT’s director of Government Relations, Simon Godfrey, the government doesn’t see QKD as a matter of urgency. “Quantum for me is something that I've woken up to only recently, but it is critically important to embrace it and understand it,” he tells IT Pro. “My fear is that our political classes are looking for it to be tomorrow's problem rather than today's problem, and it really is today's problem.”
Full steam ahead
Despite the private and public sector being at loggerheads over the readiness of QKD, Jones believes the technology’s “in a good place” thanks to the multiple grants, funds, and innovation projects that encourage research in the technology. One such initiative is a £10 million partnership between the UK and Singapore to build and fly a satellite QKD test bed. After three years of work, the satellite is set to become operational by the end of 2021.
Research and development of QKD can be described in one way: full steam ahead. Although this might seem at odds with the NCSC’s position, it’s thanks to its guidance that researchers can pinpoint the areas of development that need to be addressed. QKD might not come into play for most businesses at least for the next five years. With the encryption-breaking prospect of quantum computing coming leaps and bounds, however, UK enterprises might want to keep the technology on their radar as they aspire to future-proof their cyber security defences.
Four strategies for building a hybrid workplace that works
All indications are that the future of work is hybrid, if it's not here alreadyFree webinar
The digital marketer’s guide to contextual insights and trends
How to use contextual intelligence to uncover new insights and inform strategiesFree Download
Ransomware and Microsoft 365 for business
What you need to know about reducing ransomware riskFree Download
Building a modern strategy for analytics and machine learning success
Turning into business valueFree Download