On Friday May 12th, 2017, computer screens across British NHS hospitals freeze, and patient records are unavailable to their doctors. As a result, ambulances need to be rerouted, and thousands of planned surgeries and appointments are canceled. The cause: a vulnerability in Windows XP has been exploited to gain access to the IT infrastructure and encrypt its data. The hackers demand money to reinstate the systems. Finally, a cybersecurity expert succeeds in deactivating the virus before any ransom is paid. In terms of disruption, however, the damage is done. The ‘WannaCry’ ransomware attack hit organizations across the globe, including FedEx, Renault and Telefónica.[3,4] All of them had digitized their functionality and sensitive data, and connected their systems to the internet, relying on firewalls and encryption software to keep unauthorized people from accessing them.
Currently, the most-used encryption algorithms use a public key. A popular algorithm is RSA, which uses the product of two large prime numbers as the basis for encoding secret information. Anyone can use this public key to encrypt data, but only someone who knows the two prime numbers can decrypt it. Trust in this method is based on the ungodly amount of computing power it takes to factor numbers like these. However, this is about to change, due to the arrival of quantum computing.
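The dependence of RSA on the difficulty of factoring can be seen at toy scale. The following is an added example, not part of the original article: it builds a textbook RSA key from the primes 233 and 241, whose product is 56153 (the number in the title of the 4-qubit factorization paper in the reference list), and shows that anyone who can factor the public modulus can rebuild the private key. The function names and the sample message are assumptions made for illustration.

```python
# Added illustration: textbook RSA with a deliberately tiny modulus.
# Real deployments use primes of 1024 bits or more plus padding such as OAEP.
from math import isqrt

E = 65537  # widely used public exponent


def make_keypair(p, q, e=E):
    """Return ((n, e), d): the public key and the private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)      # computable only if p and q are known
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), d


def encrypt(message, public):
    n, e = public
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(ciphertext, d, n):
    return pow(ciphertext, d, n)


def factor_by_trial_division(n):
    """Brute-force factoring: the work grows with sqrt(n), which is
    trivial for a 16-bit modulus and infeasible for a 2048-bit one."""
    if n % 2 == 0:
        return 2, n // 2
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("modulus is prime, not an RSA modulus")


def recover_private_exponent(public):
    """Rebuild d from the public key alone by factoring n."""
    n, e = public
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keypair(233, 241)   # constructed toy primes
    secret = 4242                              # constructed sample message
    ciphertext = encrypt(secret, public)
    rebuilt = recover_private_exponent(public)
    print("modulus:", public[0])
    print("recovered key matches:", rebuilt == private)
    print("decrypted with rebuilt key:", decrypt(ciphertext, rebuilt, public[0]))
```

At this size the modulus falls to a loop of about a hundred divisions; the security of a real key rests entirely on that loop, and every known classical improvement on it, being impractical at 2048 bits.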
Whereas classical computers code information in a series of bits with values of either 0 or 1, a quantum computer uses bits (or ‘qubits’) which can be both 0 and 1 at the same time, or any other value on the spectrum between completely 0 and completely 1. This means that the number of states a qubit can occupy is limitless. When multiple qubits are linked together, they can form an entangled network with faster-than-light interaction which allows for trying multiple solutions to a problem at the same time. The network only puts out the solution that works, such as the prime numbers at the base of a public key.
If efforts to develop a quantum computer are successful, online communications that rely on encryption software with public keys will be vulnerable. Instead of using an obscure backdoor, as WannaCry did, cybercriminals can use quantum computing to bust right through a system’s front door.[7,8]
Managing cybersecurity risk should certainly be a priority for the NHS, which is currently working to become a ‘paperless’ organization by 2020. This involves storing patients’ personal health records centrally, and providing them to clinicians and patients online, which means that large amounts of confidential patient data need to be transferred externally to patients’ private devices. Another part of the project is allowing patients to book appointments online, opening up another potential entryway for hackers to disrupt hospital logistics.
The huge risk to the organization’s operations notwithstanding, an investigation by the UK National Audit Office (NAO) after the attack found a lack of preparation for cybersecurity breaches within the NHS. Although the Department of Health had developed a plan, it had not been properly communicated or tested within the organization. When things went wrong, few people knew what to do.
The good news for the NHS is that quantum computing is not here yet. Building a functional quantum computer is a huge technical challenge that has not yet been completed. However, massive resources are being pumped into developing it. A few years ago a research team succeeded in factoring the number 56,135 using a 4-qubit device, and the US government is working under the assumption that the technology will be fully functional within the next 10 years. Once it is here, we should assume that not only the well-intentioned will use it. As a result, organizations like the NHS will need to be ready for their defenses to be tested once more.
To fare better this time around, there are several actions the NHS could take in the short term to strengthen security. They should implement the recommendations of the NAO to improve their response to ‘classical’ cyber-attacks. In the medium term, they should prepare for the arrival of quantum computing by implementing symmetrical security algorithms, which do not share a public key and are seen by experts as harder for a quantum device to crack. An example is the AES algorithm, already in use across the US government. In addition, it makes sense to add protection which does not rely purely on cryptography, such as dual-factor authentication, which forces would-be intruders to crack two separate security systems at a time, increasing the logistical challenge.
Quantum computing will arrive. What remains to be seen is how long it will take us to get there, and what disruption will be caused for those organizations that are ill prepared when it does.
- BBC News (2017). NHS ‘could have prevented’ WannaCry ransomware attack. [online] Available at: http://www.bbc.com/news/technology-41753022 [Accessed 15 Nov. 2017].
- Washington Post (2017). NSA officials worried about the day its potent hacking tool would get loose. Then it did. [online] Available at: https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html?utm_term=.a5ae2b3e6866 [Accessed 15 Nov. 2017].
- The Guardian (2017). NHS seeks to recover from global cyber-attack as security concerns resurface. [online] Available at: https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack [Accessed 15 Nov. 2017].
- Sharman, J. (2017). Nissan’s Sunderland factory latest victim of massive cyber attack. [online] The Independent. Available at: http://www.independent.co.uk/news/uk/home-news/nissan-sunderland-cyber-attack-ransomware-nhs-malware-wannacry-car-factory-a7733936.html [Accessed 15 Nov. 2017].
- Rivest, R., Shamir, A. and Adleman, L. (1983). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 26(1), pp.96-99.
- Chu, J. (2017). The beginning of the end for encryption schemes?. [online] MIT News. Available at: http://news.mit.edu/2016/quantum-computer-end-encryption-schemes-0303 [Accessed 15 Nov. 2017].
- How did the WannaCry ransomworm spread?. (2017). [Blog] Malwarebytes. Available at: https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/ [Accessed 15 Nov. 2017].
- Rousseau, A. (2017). WCry/WanaCry Ransomware Technical Analysis. [Blog] Endgame. Available at: https://www.endgame.com/blog/technical-blog/wcrywanacry-ransomware-technical-analysis [Accessed 15 Nov. 2017].
- Next steps on the NHS Five Year Forward View. (2017). [online] NHS, March 2017. Available at: https://www.england.nhs.uk/wp-content/uploads/2017/03/NEXT-STEPS-ON-THE-NHS-FIVE-YEAR-FORWARD-VIEW.pdf [Accessed 15 Nov. 2017].
- Investigation: WannaCry cyber attack and the NHS. (2017). [online] Department of Health. Available at: https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf [Accessed 15 Nov. 2017].
- Dattani, N. (2014). Quantum factorization of 56153 with only 4 qubits. arXiv.org. [online] Available at: https://arxiv.org/abs/1411.6758 [Accessed 15 Nov. 2017].
- US Department of Commerce (2016). Report on Post-Quantum Cryptography. NIST Interagency Report 8105. [online] National Institute of Standards and Technology. Available at: https://csrc.nist.gov/csrc/media/publications/nistir/8105/final/documents/nistir_8105_draft.pdf [Accessed 15 Nov. 2017].
- Wood, L. (2011). The Clock Is Ticking for Encryption. [online] Computerworld. Available at: https://www.computerworld.com/article/2550008/security0/the-clock-is-ticking-for-encryption.html [Accessed 15 Nov. 2017].
- Keizer, G. (2013). Security experts applaud Apple’s new two-factor authentication. [online] ComputerworldUK. Available at: https://www.computerworlduk.com/it-vendors/security-experts-applaud-apples-new-two-factor-authentication-3436827/ [Accessed 15 Nov. 2017].