Quantum computing is set to impact space networks, and the past year saw a number of updates in quantum regulations. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) in August finalized a principal set of encryption algorithms designed to withstand cyberattacks from a quantum computer. The algorithms announced are specified in the first completed standards from NIST’s post-quantum cryptography (PQC) standardization project, and are ready for immediate use.

Roger Grimes, a data-driven defense evangelist at KnowBe4, a provider of security awareness training and simulated phishing platforms, spoke with Space Security Sentinel, calling these standards a “significant” step forward. Grimes pointed to the fact that the U.S. government has been saying organizations need to prepare for the coming post-quantum crypto migration since 2016, but he believes most organizations really couldn’t start anything until the ‘official’ post-quantum cryptography standards were defined and released.

“Now that this has happened, every organization needs to get a move on. Every organization needs to start with creating an official project, assigning resources, and taking a data protection inventory designed to determine what does and doesn’t need upgrading and replacing. This one step — the data protection inventory — will likely take most organizations over a year to perform,” he adds.

With work on standards now making tangible progress, what does this mean for companies in the satellite/aerospace sector? Grimes believes trying to meet NIST/FIPS compliance in most companies will impact every bit of software, hardware, and firmware. “Get started defining and resourcing an official project team, and get started on the data protection inventory, if you haven’t already,” he says.

Grimes believes the impact on satellite companies could be significant given the unique dynamics of how the technology is used and acquired. “It is difficult to update/replace cryptography in the aerospace industry, especially for things built ten or more years ago. All space/satellite items should start being built with crypto-agility in mind, which is the ability to more easily upgrade/replace existing cryptography with newer cryptography far more easily than it is mostly done today,” he says.

Even though things are changing in satellite, and satellites are being launched and acquired in shorter time frames, implementation timelines are still long compared to most communications technologies. Grimes believes in most cases companies here “are severely behind most other sectors.”

Grimes explains: “They use a lot of cryptography, but most of it is embedded in hard-to-upgrade firmware, lacks appropriate CPU and memory-handling requirements for the newer cryptography algorithms, and is way, way harder to replace/upgrade than it needs to be. Anyone thinking the satellite or aerospace industry is cutting-edge in cryptography isn’t spending a lot of time looking outside that industry.”

Quantum Era

The quantum era is no longer far off — it is here. With the U.S. government talking of a target of organizations using post-quantum cryptography by 2030, we are set for a number of developments in the second part of the decade. However, despite new standards and progress by NIST, Grimes believes things still need to move faster.

“I’m in the minority of quantum computing/cryptography followers who think that is a date way, way too far off. I think the ‘quantum crypto break’ has already happened and we just don’t know about it, or will absolutely happen years ahead of 2030,” he says. “Of course, I’ve been saying that since 2019, but I can’t look at all the progress we’ve made publicly and think that the US government hasn’t beat what we know publicly by at least a few years. And I wouldn’t count China out, although they seem to be concentrating more on quantum-protected networks versus attacking traditional quantum-susceptible crypto.”

Looking to the future, Grimes believes that sufficiently capable quantum computers will be able to quickly decrypt the traditional quantum-susceptible cryptography used by much of the world, including RSA, Diffie-Hellman, Elliptic Curve Cryptography, ElGamal, and symmetric key sizes smaller than 192 bits. He talks about how most of the world runs on these ciphers, including most WiFi, HTTPS, smart cards, banks, credit cards, and cryptocurrencies.

“If we don’t get our cipher infrastructure moved to quantum-resistant ciphers before sufficiently-capable quantum computers are generally available, anyone using quantum-susceptible cryptography will be at great risk of having their encrypted data and authentication compromised,” he says.

Nation-State Attacks

CyberSat was a first-of-its-kind event that brought members of the satellite and cybersecurity communities together. Much has changed since the event launched in 2017. Nation-state attacks on satellite infrastructure are now a very real and likely scenario. Grimes admits that nation-state attacks have certainly become far more normalized over the last decade. He points to the fact that only a few years ago, nation-state attacks were rare and only used against traditional nation-state targets such as politicians, media, military, and subcontractors.

“Today, the average nation-state target is a regular organization that, years ago, would not have to have worried about it. That is not true any longer,” he says. “You can assume that every sufficiently-capable nation-state has many ways to take down or harm existing satellite technologies. I think it’s foolish to wait to hear of an attack or attempted attack to be announced publicly. No, you have to assume that your adversaries have far more advanced capabilities than are currently known and adjust and defend accordingly. But, yes, I think as cyberwarfare has moved from the realm of something we just worried about to what is just normal in today’s kinetic and non-kinetic conflicts, satellite technologies will increasingly be targeted. It would be foolish to think otherwise.”

In terms of overall trends in cybersecurity, Grimes says AI will become more prevalent: “While we certainly see AI-enabled attack technologies taking a bigger role over time, it’s the traditional types of attacks (e.g., social engineering, unpatched software, misconfiguration, etc.) that will stay the main things to worry about over time. AI will enhance those attacks, but not focusing on the traditional things and ways of attack would be foolish as well. The more things change, the more they stay the same,” he says.