Threat models are really good at identifying and mitigating cybersecurity threats. But they’re not much good at addressing threats nobody knows about. And that brings us to the security threats expected to arrive on Q-Day. We know about some of the threats that are coming, but not all of them, and we may be running out of time.
Q-Day is Coming
What is Q-Day? According to Help Net Security, Q-Day, or Quantum Day, “represents the day that quantum computers will reliably use the super positioning power of multi-state qubits to break encryption algorithms that are widely used around the world to enable e-commerce, data security and secure communications.”
Q-Day will force every application developer to reimagine encryption and security. The good news? Q-Day is not here yet. The bad news? It may be only five to ten years away, and some think sooner. And since it represents a seismic shift in the threat landscape, the time to start preparing for Q-Day is today.
Quantum computers will have an almost unfathomable impact on application security. According to an article in Forbes, “it would take a classical computer 300 trillion years to crack an RSA-2048 bit encryption key. A quantum computer can do the same job in just ten seconds with 4099 stable qubits.” How do you threat model that?
Preparing for Q-Day
The U.S. Government is aware of and preparing for the arrival of Q-Day. “The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has chosen the first group of encryption tools that are designed to withstand the assault of a future quantum computer.”
Not everyone is preparing for Q-Day, however. Why is that? According to Dr. Lily Chen and Maëva Ghonda, speaking at the RSA 2022 Conference, “There is a general lack of quantum risk awareness among board members. [Q]uantum risk management is not a standard topic discussed at board meetings.”
The reality is we are all just beginning the journey to mitigating quantum security threats, but you have to start somewhere. According to TechTarget, “Quantum computing isn’t here yet, but now is the time for companies to start considering how it may affect their business—both negatively and positively—in the next decade.”
Step one for most organizations is just acknowledging the inevitable threats headed their way. After that, detailed preparations should include things like an enterprise-wide quantum risk assessment, incorporating quantum random number generators in applications and enabling quantum-safe key distribution. More concrete steps should become clear as we get closer to Q-Day.
Will Threat Modeling be Ready?
Will threat modeling be ready for quantum-based security threats? As ready as it can be. Fortunately, threat modeling is not a tool or technology that can be made obsolete on Q-Day. Threat modeling is a process, and all that is required for successful threat modeling is a commitment to do it and a commitment to stay up-to-the-minute on threats and their mitigations.
So, whether it’s phishing for credentials in 2023 or brute-forcing credentials with quantum computers in 2033, there will always be threats, and those threats will need to be mitigated. The best way to ensure that is to stay committed to the threat modeling process.
If you’re not sure which threat modeling platform to commit to today, we suggest you look into ThreatModeler. It’s not quantum ready yet, but it no doubt will be on Q-Day.