Category: appropriate technology

  • Quantum Computing & Cybersecurity

    What is quantum computing?

    Quantum computing is often described as the third era of computing hardware, after analog and digital computers, and it applies the laws of quantum mechanics to computation. Where a digital bit holds exactly one of two states, a quantum bit (qubit) is a two-level quantum system that can be placed in a superposition of 0 and 1; measuring it returns one of the two outcomes with a probability set by the qubit's state. Quantum computers also rely on entanglement, in which the states of several qubits become correlated so that they cannot be described independently. Quantum algorithms steer these probability amplitudes so that, after a sequence of operations, a measurement is very likely to return the answer to a problem that would otherwise require examining an enormous number of candidate solutions (Smith, 2021).

    Does quantum computing present a cybersecurity threat? If yes, why? If no, why not?

    A fully developed quantum computer would pose a serious threat to the cryptography our current infrastructure depends on. The quantum mechanical behavior of qubits lets certain algorithms exploit interference across a very large number of candidate solutions at once, which for some classes of problem yields answers far faster than any classical computer could. The most discussed consequence is Shor's algorithm, which finds the prime factors of a large number (and solves the related discrete-logarithm problem) in polynomial time. The security of RSA rests on the difficulty of factoring the public modulus into its two primes, and the security of Diffie-Hellman and elliptic-curve schemes rests on the discrete logarithm, so an attacker who can factor or take that logarithm recovers the private key and breaks the public-key encryption and signature systems the world wide web relies on (Denning, 2019). Once a quantum computer with enough stable, error-corrected qubits exists, today's public-key algorithms become obsolete, and the problem begins earlier than that, since encrypted traffic recorded now can be decrypted once such a machine is available. In principle every cipher can be broken by exhaustive search given enough time, but keys that would take classical computers longer than the age of the universe could, for the affected algorithms, be recovered by a quantum computer in a small fraction of that time. Researchers are therefore developing new cryptographic algorithms that resist quantum attacks (post-quantum cryptography), as well as new forms of key exchange based on quantum hardware (quantum key distribution).
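    The paragraph above says that factoring the modulus breaks public-key encryption. The following added example, which is not from the page or from any of its cited sources, shows why in working code: it runs Shor's classical reduction from factoring to order finding, then rebuilds the RSA private key from the factors. The quantum part of Shor's algorithm (period finding) is replaced by a classical brute-force loop, labeled as such, so the code only runs on toy moduli; the function names, the toy primes 61 and 53, and the fixed random seed are assumptions of the example. It needs Python 3.8 or later for the modular inverse form of pow().

```python
"""Why fast factoring recovers an RSA private key (added example, not from the page).

Shor's algorithm factors a modulus N by finding the multiplicative order r of a
random base a modulo N; the quantum Fourier transform does that order finding in
polynomial time. Here the quantum step is replaced by a classical brute-force
search, so the code only runs on toy moduli, but the surrounding reduction
(the gcd trick and the private-key recovery) is exactly what an attacker with a
real quantum computer would do.
"""
from math import gcd
import random


def multiplicative_order(a, n):
    """Classical stand-in for the quantum period-finding step.

    Returns the smallest r > 0 with a**r == 1 (mod n). Requires gcd(a, n) == 1.
    This loop is exponential in the bit length of n, which is exactly the
    work Shor's quantum subroutine removes.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n, seed=1):
    """Shor's classical reduction from factoring to order finding.

    Assumes n is an odd composite with two distinct odd prime factors, as an
    RSA modulus is; a prime or prime-power n would never terminate.
    """
    rng = random.Random(seed)           # fixed seed so the example is reproducible
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g > 1:                       # lucky: a already shares a factor with n
            return g, n // g
        r = multiplicative_order(a, n)  # the quantum part of Shor's algorithm
        if r % 2:                       # odd order: pick another base
            continue
        y = pow(a, r // 2, n)           # a square root of 1 mod n ...
        if y == n - 1:                  # ... skip the trivial root -1
            continue
        p = gcd(y - 1, n)               # (y-1)(y+1) == 0 mod n, so the gcd splits n
        return p, n // p


def rsa_keygen(p, q, e=65537):
    """Textbook RSA key generation; returns ((n, e), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)


def recover_private_key(n, e):
    """What the attacker does with the factors: rebuild phi(n) and invert e."""
    p, q = shor_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, d = rsa_keygen(61, 53)      # toy primes; real RSA uses 1024-bit primes
    n, e = public
    ciphertext = pow(42, e, n)
    d_recovered = recover_private_key(n, e)
    print(f"n={n} factors={shor_factor(n)} recovered d={d_recovered} (true d={d})")
    print("decrypted:", pow(ciphertext, d_recovered, n))
```

    The brute-force order search is the only part that does not scale: for a 2048-bit modulus the order r is itself roughly 2048 bits long, so no classical loop can find it, while the gcd and modular-inverse steps are cheap at any size. That asymmetry is the whole point of the page's argument: a quantum period-finding routine removes the one expensive step, and nothing about the key length otherwise protects the private key.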

    What role would quantum computing have on cryptography?

    Quantum computing affects cryptography through algorithms that exploit superposition to process many candidate solutions within a single computation rather than one at a time (Evans, 2019). The size of the advantage depends on the problem. For an unstructured search, which is what a brute-force attack on a symmetric key amounts to, Grover's algorithm gives a quadratic speed-up: a search that classically needs on the order of N trials needs on the order of the square root of N quantum queries. For factoring and discrete logarithms, the problems underlying today's public-key cryptography, Shor's algorithm gives an exponential speed-up. These effects on offensive cyber security create a pre-emptive need for quantum-resistant algorithms, so that deployments are migrated before quantum attacks become practical in the coming quantum era of computing.

    One defensive measure that provides some peace of mind for symmetric ciphers is simply to use longer keys (Denning, 2019). Denning writes in American Scientist that a 128-bit key offers the same protection against a classical attack as a 256-bit key offers against a quantum attack that uses Grover's algorithm, because Grover's search effectively halves the key length. The caveat is that this remedy applies only to symmetric ciphers and hash functions; lengthening RSA or elliptic-curve keys does not protect them against Shor's algorithm, whose running time grows only polynomially with key size, so those algorithms have to be replaced rather than enlarged.
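    To make the Grover bound from the two paragraphs above concrete, the following added example (not from the page or from Denning's article) simulates Grover's search over a toy 8-bit key space with a plain statevector, so it runs only for small keys and not on quantum hardware; the function names and the sample key are assumptions of the example. It shows that the number of oracle queries grows as 2^(n/2), so each extra key bit costs the quantum attacker a factor of about 1.4 rather than 2, which is why doubling the key length restores the classical security margin.

```python
"""Grover's search on a toy key space (added example, not from the page).

A classical brute-force attack on an n-bit key tries on average 2^(n-1) keys.
Grover's algorithm finds the key with about (pi/4) * 2^(n/2) oracle queries,
a quadratic speed-up, which is why a 256-bit key under Grover is comparable
to a 128-bit key classically. This is a plain statevector simulation of the
circuit, so it only runs for small n.
"""
import math


def grover_iterations(space_size):
    """Optimal number of Grover iterations for one marked item among space_size."""
    return math.floor(math.pi / 4 * math.sqrt(space_size))


def grover_search(key_bits, secret_key):
    """Return (best_guess, success_probability, iterations) for a key_bits-bit key.

    The oracle answers 'does this candidate equal secret_key'. A real attacker
    with a known plaintext/ciphertext pair would implement it by running the
    cipher; here it is a direct comparison, which is an assumption of the example.
    """
    n = 1 << key_bits
    amp = [1 / math.sqrt(n)] * n          # uniform superposition over all keys
    iters = grover_iterations(n)
    for _ in range(iters):
        # Oracle: flip the sign of the amplitude of the correct key.
        amp[secret_key] = -amp[secret_key]
        # Diffusion (inversion about the mean): a_i -> 2*mean - a_i
        mean = sum(amp) / n
        amp = [2 * mean - a for a in amp]
    # Measurement: the outcome probability is the squared amplitude.
    probs = [a * a for a in amp]
    best = max(range(n), key=probs.__getitem__)
    return best, probs[best], iters


def classical_expected_tries(key_bits):
    """Average number of trial decryptions for classical brute force."""
    return (1 << key_bits) / 2


if __name__ == "__main__":
    guess, p, k = grover_search(8, 0b10110011)
    print(f"Grover: key {guess:#010b} with probability {p:.4f} after {k} queries")
    print(f"Classical: {classical_expected_tries(8):.0f} queries on average")
```

    For an 8-bit key the simulation needs 12 oracle queries against 128 on average classically; scaling the formula in grover_iterations to 128 and 256 bits gives about 2^64 and 2^128 queries, which is the arithmetic behind Denning's statement. The simulation also illustrates why the speed-up is not "all keys at once": the marked amplitude is amplified a little per iteration, and stopping early or late lowers the success probability.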

    What country is winning the quantum computing arms race?

    According to Smith (2021), the United States and China are headlining a race to fully develop quantum computing and to be the first nation able to bypass information security as we know it. Each superpower is backed by several companies pushing the leading edge of the technology with a variety of quantum computing approaches and hardware. China has already claimed milestones such as the first cloud-native quantum computing platform, a demonstration that solved a benchmark task in a tiny fraction of the time the world's fastest supercomputer would need, and the combination of quantum computing with artificial intelligence. The key to winning the race is likely to be the degree of collaboration and funding between government organizations and private companies. Whichever nation wins, the expectation is that developing nations will be able to access quantum computing through cloud services, spreading the benefit globally.

    What national security implications would quantum computing present to the US if China beats them?

    If China beats the United States to a cryptographically relevant quantum computer, US intellectual property, and possibly some classified government data, protected by today's public-key cryptography could be compromised quickly and leveraged to the disadvantage of the United States' government, businesses, and citizens (Schappert, 2023). The winner of the race would also have the earliest access to further applications of quantum computing, such as developments in medicine, physics, artificial intelligence, and machine learning.

    References

    Denning, D. (2019). Is Quantum Computing a Cybersecurity Threat? American Scientist. https://www.americanscientist.org/article/is-quantum-computing-a-cybersecurity-threat

    Evans, A. (2019). Managing Cyber Risk. Taylor & Francis. https://online.vitalsource.com/books/9780429614262

    Schappert, S. (2023). Quantum computing race explained: fast and furious. Cybernews. https://cybernews.com/editorial/quantum-computing-race-explained/

    Smith, C. (2021). Competing Visions Underpin China’s Quantum Computer Race Alibaba builds their own qubits, Baidu remains quantum hardware-agnostic. IEEE Spectrum. https://spectrum.ieee.org/alibaba-baidu-quantum-computer-race

  • Which Technology Poses the Greatest Cybersecurity Risk?

    The internet of things (IoT), blockchain technology, artificial intelligence, and quantum computing all present risks to the future of internet security; however, I believe that the internet of things poses the largest security risk by unnecessarily connecting countless additional devices to a global network.

    The convenience of knowing how much coffee was left in the pot inspired computer scientists at the University of Cambridge to build the first webcam, which monitored the coffee level in the breakroom with low-frame-rate grayscale video (Kesby, 2012). Thirty years after that coffee pot monitor went onto the web in 1993, we have a wide variety of internet-enabled devices that serve countless purposes but which collectively grow the attack surface of the networks they join.

    Not only does each model of IoT device ship with its own firmware and therefore its own set of vulnerabilities that attackers could exploit, but compromised IoT devices can also be conscripted into a botnet to perform distributed denial-of-service (DDoS) attacks (Abbass et al., 2019).

    Security for internet of things devices is still in its infancy, and standards will likely be developed that lower the overall risk of integrating IoT devices into a network. For the present, however, most IoT devices do not even allow users to change the default login credentials, which amounts to a near-complete absence of security in an internet-connected device (Evans, 2019).

    References

    Abbass, W., Bakraouy, Z., Baina, A., & Bellafkih, M. (2019). Assessing the Internet of Things Security Risks. Journal of Communications, 14(10). http://www.jocm.us/uploadfile/2019/0909/20190909054049213.pdf

    Evans, A. (2019). Managing Cyber Risk. Taylor & Francis. https://online.vitalsource.com/books/9780429614262

    Kesby, R. (2012). How the world’s first webcam made a coffee pot famous.  BBC World Service. https://www.bbc.com/news/technology-20439301

  • What is Vendor Risk Management?

    Vendor risk management describes the combined processes of third-party vendor management and cybersecurity risk monitoring (Tunggal, 2023).

    Third-party vendors include cloud solution providers, information technology companies, and other providers of outsourced services. A healthy relationship between a company and a vendor requires high-level assessments of the vendor's security controls as part of relationship management. A vendor risk management plan is typically anchored by a contract, such as a service level agreement, that details the arrangement between the company and the vendor and how the two will maintain compliance and ensure vendor performance over time. Risk scoring methods and algorithms generate quantifiable data that help an organization manage risk consistently across its many third-party vendors.

    A company that outsources anything, or that obtains any product or service from outside, should understand and document the risks involved with each third-party vendor and have an organization-wide plan to minimize the specific risks of each relationship. It is not uncommon today for an organization's operations to rely on the products and services of more than 1,000 third-party vendors. The security risks of third-party relationships must be managed throughout their entire lifecycle, from onboarding to offboarding, so that the organization's attack surface and overall risk are minimized.

    Third-party and Fourth-party Vendors

    While a third-party vendor is any outside provider of a product or service to the organization, a fourth-party vendor is a supplier of a third-party vendor, which can indirectly affect the organization through that supplier relationship (Chipeta, 2023). Fourth-party risk is the risk inherited through the supply chain. To an information security team, third-party and fourth-party vendors contribute to the same overall attack surface and pose comparable levels of threat, so both must be covered by the vendor risk management plan. The existence of fourth-party vendors makes it important for each organization to run its own vendor risk management program and to learn as much as possible about its vendors and their supply chain, so that when a security incident occurs it receives relevant information in time to respond or make changes. If a fourth-party vendor suffers a data breach, the third-party vendor's security cannot be assumed to shield the organization from harm. Regardless of where the breach occurred, the organization remains responsible for its complete attack surface, including all third-party and fourth-party vendors. Fourth-party vendors can be hard to obtain information about, and their presence may even be unknown to the organization, which is why vendor contracts and questionnaires should require disclosure of the subcontractors a vendor relies on.

    Vendor Security-focused Assessments

    Most reported cybersecurity breaches originate with one of the many third-party vendors that provide products or services to the organization (Evans, 2019). Because only about 40% of current applications are hosted on premises, most involve a third-party service vendor such as a cloud provider. An organization's data should be accessible only to approved vendors, and only for as long as they need access to complete their tasks. Communication and transparency should be maintained between an organization and its third-party vendors throughout the life of their agreements; the documentation and information around these relationships are one focus of vendor security-focused assessments. Other common areas of focus are applicable government regulations, geographic data restrictions, privacy policies, encryption, offboarding security procedures, and disaster recovery planning.

    Industry Standard Questionnaires

    Several industry-standard questionnaires exist that companies can use alongside a vendor risk program to improve their security posture, and third-party risk platforms such as Panorays bundle them with other controls (Goldman, 2023). Panorays recommends four key steps for a comprehensive third-party risk management process: vendor attack surface assessment, vendor risk assessment, industry-standard questionnaires, and continuous monitoring.

    Another vendor in this space is UpGuard, whose software offerings include security questionnaires, continuous attack surface monitoring, and protection from third-party data leaks (Tunggal, 2023).

    Opinion: How to Ensure Vendors Meet Security Requirements

    In my opinion, the best way to ensure that vendors meet an organization's security requirements is for the organization to adhere to an industry-standard framework and set of standards itself and to work with third-party vendors that do the same. Companies then do not have to scramble to meet security requirements, because frameworks built through the hard work of standards organizations provide the organizational structure and procedures that ensure compliance when followed properly. Secondly, and to a lesser extent, accountability through transparent and logged communication, including industry-standard questionnaires, helps quantify the risk of each third-party vendor. Certifications can attest to security compatibility in the organization-vendor relationship.

    References

    Chipeta, C. (2023). What is Fourth-Party Risk? UpGuard. https://www.upguard.com/blog/what-is-fourth-party-risk

    Evans, A. (2019). Managing Cyber Risk. Taylor & Francis. https://online.vitalsource.com/books/9780429614262

    Goldman, D. (2023). How Vendor Risk Management Reduces Third-Party Risk. Panorays. https://panorays.com/blog/what-is-vendor-risk-management/

    Tunggal, A. T. (2023). What is Vendor Risk Management (VRM)? 2023 Edition. UpGuard. https://www.upguard.com/blog/vendor-risk-management