Preserving Intellectual Property (IP) and Research Data

Arqit

28-11-2023

Protecting Research and Innovation sectors from current and future cyber threats

The threat to research and IP data

At the October 2023 Five Eyes conference in Silicon Valley USA, heads of Western intelligence agencies provided a stark reminder of the determination of hostile states and scale of their efforts to steal cutting-edge research and innovation data from the West. Adversaries like China, Russia and Iran continue to orchestrate sophisticated cyber-attacks on institutions, corporations, and research facilities to acquire proprietary technology, trade secrets, and advanced research findings. This is leveraged to bolster their own technological and economic standings without bearing the substantial costs and time associated with organic research and development. With early access to advanced Western innovations, these nations can leapfrog stages of development, accelerating their technological advancements and strategic positioning on the global stage. The increasing frequency of these attacks underscores the growing importance of cyberspace in geopolitical rivalries and the profound implications of data security in the age of digital innovation.

“We know it because week by week, our teams detect massive amounts of covert activity by the likes of China in particular, but also Russia and Iran… activity not aimed just at Government or military secrets. Not even just aimed at our critical infrastructure, but increasingly promising startups, innovative companies spun out of our universities, academic research itself.”

Ken McCallum - Director General of MI5, as part of an appeal for research institutions and companies to take action, October 2023

We know universities and research labs are prime targets for intellectual property theft due to their cutting-edge research across a multitude of fields. Over the years, there have been instances where institutions of higher learning have been hacked and precious data has been exfiltrated back to China or Russia. The FBI Director, Christopher Wray, also described an ‘exponential growth’ in Chinese attacks on American firms.

Motivations are clear

Nations that lead the way on emerging technologies like AI, advanced materials, synthetic biology and quantum computing will command immense power and economic advantage. According to VMWare, “The appeal of their [university] data and resulting IP also goes far beyond academia. Research in all fields is vital for innovation and universities carry vast quantities of sensitive information to help advance government and commercial programmes in areas such as healthcare, engineering and technology and national defence”.

 

Not a New Problem 

In 2018, two dozen universities were targeted, including the Massachusetts Institute of Technology. The attack targeted maritime military secrets, especially those related to the development of undersea warfare technology.

Medical and vaccine research data emerged on the front line of these attacks during the Coronavirus pandemic. U.S. officials warned that Chinese hackers were attempting to steal research related to vaccines, treatments, and testing from institutions and pharmaceutical companies. In July 2020 the NCSC and its counterparts in other countries reported that hostile states had shifted their cyber operations to steal vaccine and medical research, stating they were 95% confident Russian state-sponsored hackers targeted UK, US and Canadian organisations involved in developing a coronavirus vaccine, including drug companies and research institutions like Oxford University.

Increasing attack surface

Defending against these attacks is made more challenging by the nature and complexity of university environments. According to Jisc - the UK organisation responsible for managing the UK’s national research and education network that serves top UK academic institutions as well as global research institutions like CERN and MIT - intellectual property and research data must often be shared between the institution itself and third-party organisations like innovation hubs; start-ups spun out from universities themselves; as well as corporate partners. One example is the sharing of sensitive data from medical institutions that provide patient-identifiable or other clinical data. This complexity increases the attack surface and potential points of entry that can be exploited by attackers.

Store Now, Decrypt Later

The methods being used by hostile states to steal data vary. One method is via social engineering, where fake profiles are used on LinkedIn or other social media sites to solicit contact with individuals who are then lured into divulging information.

Another method is to capture large volumes of network traffic, for example using a wiretap on a cable, so that the data can be decrypted later using a quantum computer. This method, so-called Store Now, Decrypt Later (‘SNDL’), relies on the premise that the encryption keys contained in data packets alongside the payload will be decrypted using a quantum computer, so that the data is readable and compromised. The public key cryptography used to generate the keys is based on mathematics that would take classical computers millions of years to reverse engineer. However, a quantum computer would break the encryption in hours or minutes by running the famous algorithm created by the mathematician Peter Shor.

Data harvesting is not new. Historically, nations have kept encrypted messages in hopes of one day decrypting them. During World War II, encrypted communications were stored even when immediate decryption wasn’t possible. As cryptanalysis improved, some of these messages were decrypted later.

In a digital age, it is a well-documented reality that government entities, either directly or indirectly through proxies or affiliated hacker groups, are harvesting digital data and have been for many years. China is believed to have an extensive undersea cable harvesting programme, and according to the Head of the FBI, “China has ‘stolen more’ US data ‘than every other nation combined’”.

Looming urgency for quantum-safe security

Whilst the timing of ‘cryptographically relevant’ quantum computers is difficult to estimate, headlines this year regularly report on breakthroughs in quantum computing, the predicted growth of which is exponential. The Defense Advanced Research Projects Agency (DARPA), the US military’s premier research institute, announced three new endeavours in 2023 to explore advancing quantum computing.

Moreover, in October 2023, an Israeli-American computer scientist and mathematician, Oded Regev, published a new quantum algorithm to factor numbers with potentially much more efficiency than the legendary Shor’s algorithm. This means the algorithm would run on smaller quantum computers – bringing the timeline to quantum decryption even closer. Breakthroughs like this also show how our predictions can change overnight.

Top officials from intelligence agencies in various countries have commented on the race to viable quantum computing due to its potential to break current cryptographic methods. Organizations like the National Institute of Standards and Technology (NIST) in the U.S. have been working diligently to develop and standardise quantum-resistant cryptographic algorithms. “Adversaries and nation states are likely doing it (SNDL),” says Dustin Moody, a mathematician at NIST. “It’s a very real threat that governments are aware of. They’re taking it seriously and they’re preparing for it. That’s what our project is doing.” Intelligence agencies and our adversaries think long-term – if the content of communications remains relevant for years, it makes future decryption worthwhile.

The problem is exacerbated further by development in network architecture, such as the migration to hybrid cloud and towards more open, dynamic networks like SD-WAN. More sensitive data than ever is moving across the public internet into cloud services like Amazon AWS and Microsoft 365, and this traffic is easy to spot for an attacker. Classic protection methods like VPN tunnels, whether between firewalls and routers or at the endpoint, are not enough to keep this data safe from future decryption.

In May 2022, the US National Security Memorandum-10 gave an imperative for agencies to plan migration to quantum-safe cryptography. This was swiftly followed in December 2022 by the Quantum Computing Cybersecurity Preparedness Act mandating federal organisations to modernise encryption to provide quantum-safe protection.

Options for quantum-safe security today

What options for post-quantum security are available for universities and research institutions to protect IP and research data from SNDL?

One way is the adoption of the NIST Post-Quantum Algorithms (PQAs) – also known as Post-Quantum Cryptography (PQC) – which are harder versions of existing public key cryptography used today and currently still being standardised by NIST. However, it will be some time, potentially 10-15 years, before these are readily available for use with network equipment. And, according to the NCSC, “the migration to PQC is a very complicated undertaking” because “it requires more than just new algorithms. Protocols and services need to be re-engineered, because PQC typically places greater demands on devices and networks than traditional PKC. This is especially true of the amount of data that needs to be communicated between parties using PQC to secure their communications.”

Another option is Quantum Key Distribution, which uses quantum phenomena to deliver key material as light particles over a satellite link or fibre optic cable. This is a costly and hardware-intensive option, and even then, it still requires integration with endpoints.

An option being recommended by the NSA is the adoption of ‘symmetric pre-shared keys’, also known as Post-Quantum Pre-Shared Keys (PPKs). These are private keys, traditionally shared between two parties by manual delivery or, more scalably and dynamically, using Symmetric Key Agreement software. PPKs are not encumbered with the complexity or security uncertainty of new PQC. Indeed, PPKs are the approach being facilitated by leading network equipment vendors through recent feature launches for VPN implementations designed to make the migration to quantum safety quick and easy.

All of these approaches are likely to form part of a layered approach, and one option is available to deploy at scale on network infrastructure today: Symmetric Key Agreement. According to the NSA, it “considers the use of pre-shared symmetric keys in a standards-compliant fashion to be a better near-term post-quantum solution than implementation of experimental post-quantum asymmetric algorithms.”
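A simplified model of Store Now, Decrypt Later and of the pre-shared key mitigation described above, added here as an illustration; it is not Arqit's protocol or any vendor's implementation. The toy Diffie-Hellman group (small enough that a brute-force search can stand in for Shor's algorithm), the key derivation, the toy cipher and all function names are assumptions of this example.

```python
import hashlib, hmac, secrets

P, G = 65537, 3  # toy DH group (assumption): tiny so brute force can play the quantum computer

def derive_key(shared, nonce, ppk=None):
    """Session key from the DH secret; a PPK, if given, is mixed in as an HMAC key."""
    k = hmac.new(nonce, shared.to_bytes(4, "big"), hashlib.sha256).digest()
    return hmac.new(ppk, k, hashlib.sha256).digest() if ppk else k

def _stream(key, n):
    return hashlib.shake_256(key).digest(n)  # toy keystream, stand-in for a real cipher

def seal(key, msg):
    """Toy authenticated encryption: XOR keystream plus HMAC tag."""
    ct = bytes(m ^ s for m, s in zip(msg, _stream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(key, len(ct))))

def run_session(msg, ppk=None):
    """Run one key exchange and return exactly what a passive tap can record."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    nonce = secrets.token_bytes(16)
    shared = pow(pow(G, b, P), a, P)
    return {"A": pow(G, a, P), "B": pow(G, b, P), "nonce": nonce,
            "blob": seal(derive_key(shared, nonce, ppk), msg)}

def decrypt_later(rec):
    """Years later: recover the private exponent from the recorded public value,
    rebuild the DH secret and try to open the stored ciphertext."""
    a = next(x for x in range(1, P) if pow(G, x, P) == rec["A"])
    shared = pow(rec["B"], a, P)
    return unseal(derive_key(shared, rec["nonce"]), rec["blob"])

if __name__ == "__main__":
    msg = b"constructed sample: unpublished research data"
    print("public-key only:", decrypt_later(run_session(msg)))
    print("with PPK mixed in:", decrypt_later(run_session(msg, secrets.token_bytes(32))))
```

The second recording stays sealed because the PPK never crossed the wire, so breaking the public-key exchange alone no longer yields the session key.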

Symmetric Key Agreement and Arqit NetworkSecure™

Arqit, an encryption technology company, provides NetworkSecure - a software application allowing network equipment to create quantum-safe levels of encryption for data links by using Arqit’s Symmetric Key Agreement platform, QuantumCloud™. This is a cloud-based service that allows connected devices to use Arqit’s patented protocol to agree symmetric keys over a public channel, removing the risk of interception of the keys. NetworkSecure is simple to deploy with industry-leading network devices and requires minimal ongoing management.

For leading research institutions, universities and their industry partners, NetworkSecure can be deployed today to prevent future decryption of stolen TLS traffic containing long-life assets like intellectual property and sensitive research data, whose exposure would otherwise give rise to GDPR risk and other business threats and liabilities.

Jisc themselves are leading by example with their recent deployments of NetworkSecure.

“The recent feature launches from leading network equipment vendors combined with Arqit’s technology gives Jisc and its members the opportunity to test new features that harden encryption on data links to a quantum-safe level. We are pleased to be at the forefront of piloting quantum safe cryptography within the academic and research sector to safeguard IP and innovation data.”

Simon Farr - Director of Innovation & IT, Jisc

Sources

1. 20,000 Britons approached by Chinese agents on LinkedIn, says MI5 head | The Guardian
2. VMWare-UK-University-Challenge-Cyber-Security.pdf (nextgensecurityforeducation.com)
3. The US is worried that hackers are stealing data today so quantum computers can crack it in a decade | MIT Technology Review
4. Chinese hackers reportedly targeted 27 universities for military secrets - The Verge
5. Health to be on cyber-security’s front line in 2021 - BBC News
6. UK ‘95% sure’ Russian hackers tried to steal coronavirus vaccine research | Espionage | The Guardian
7. Cyber security and universities: Managing the risk (2023 update)
8. The cyber threat to Universities - NCSC.GOV.UK
9. NCSC Annual Review 2021.pdf
10. DARPA Collaborates with Commercial Partners to Accelerate Quantum Computing
11. Quantum Computers Could Crack Encryption Sooner Than Expected With New Algorithm (singularityhub.com)
12. Quantum_FAQs_20210804.PDF (defense.gov)
13. Next steps in migrating to post-quantum cryptography - NCSC.GOV.UK