Admitting cybercriminals to hospital through the front door

Quantum decryption will soon arrive to compromise the reliability of standard cybersecurity practices – just as the British National Health Service is working to make its most sensitive data digitally accessible.

On Friday May 12th, 2017, computer screens across British NHS hospitals freeze, and patient records are unavailable to their doctors. As a result, ambulances need to be rerouted, and thousands of planned surgeries and appointments are canceled.[1] The cause: a vulnerability in Windows XP has been exploited to gain access to the IT infrastructure and encrypt its data.[2] The hackers demand money to reinstate the systems. Finally, a cybersecurity expert succeeds in deactivating the virus before any ransom is paid. In terms of disruption however, the damage is done. The ‘WannaCry’ ransomware attack hit organizations across the globe, including Fedex, Renault and Telefónica.[3,4] All of them had digitized their functionality and sensitive data, and connected their systems to the internet, relying on firewalls and encryption software to keep unauthorized people from accessing it.

Currently, the most-used encryption algorithms use a public key. A popular algorithm is RSA, which uses the product of two large prime numbers as the basis for encoding secret information. Anyone can use this public key to encrypt data, but only someone who knows the two prime numbers can decrypt it.[5] Trust in this method is based on the ungodly amount of computing power it takes to parse numbers like these. However, this is about to change, due to the arrival of quantum computing.

Whereas classical computers code information in a series of bits with values of either 0 or 1, a quantum computer’s bits (or ‘qubits’) which can be both 0 and 1 at the same time, or any other value on the spectrum between completely 0 and completely 1. This means that the number of states a qubit can occupy is limitless. When multiple qubits are linked together, they can form an entangled network with faster-than-light interaction which allows for trying multiple solutions to a problem at the same time. The network only puts out the solution that works, such as the prime numbers at the base of a public key.[6]

If efforts to develop a quantum computer are successful, online communications that rely on encryption software with public keys will be vulnerable. Instead of using an obscure backdoor, as WannaCry did, cybercriminals can use quantum computing to bust right through a system’s front door.[7,8]

Managing cybersecurity risk should certainly be a priority for the NHS, which is currently working to become a ‘paperless’ organization by 2020. This storing patients’ personal health records centrally, and providing them to clinicians and patients online, which means that large amounts of confidential patient data need to be transferred externally to patients’ private devices.[9] Another part of the project is allowing patients to book appointments online, opening up another potential entryway for hackers to disrupt hospital logistics.

The huge risk to the organization’s operations notwithstanding, an investigation by the UK National Audit Office (NAO) after the attack found a lack of preparation for cybersecurity breaches within the NHS. Although the Department of Health had developed a plan, it had not been properly communicated or tested within the organization. When things went wrong, few people knew what to do.[10]

The good news for the NHS is that quantum computing is not here yet. Building a functional quantum computer is a huge technical challenge that has not yet been completed. However, massive resources are being pumped into developing it. A few years ago a research team succeeded in parsing the number 56,135 using a 4-qubit device[11], and the US government is working under the assumption that the technology will be fully functional within the next 10 years.[12] Once it is here, we should assume not only the well-intentioned will use it. As a result, organizations like the NHS will need to be ready for their defenses to be tested once more.

To fare better this time around, there are several actions the NHS could take in the short term to strengthen security. They should implement the recommendations of the NAO to improve their response to ‘classical’ cyber-attacks. In the medium term, they should prepare for the arrival of quantum computing by implementing symmetrical security algorithms, which do not share a public key and are seen by experts as harder for a quantum device to crack. An example is the AES algorithm, already in use across the US government.[13] In addition, it makes sense to add protection which does not rely purely on cryptography, such as dual-factor authentication, which forces would-be intruders to crack two separate security systems at a time, increasing the logistical challenge.[14]

Quantum computing will arrive. What remains to be seen is how long it will take us to get there, and what disruption will be caused for those organizations that are ill prepared when it does.

(778 words)

Endnotes

  1. BBC News (2017). NHS ‘could have prevented’ WannaCry ransomware attack. [online] Available at: http://www.bbc.com/news/technology-41753022 [Accessed 15 Nov. 2017].
  2. Washington Post (2017). NSA officials worried about the day its potent hacking tool would get loose. Then it did. [online] Available at: https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html?utm_term=.a5ae2b3e6866 [Accessed 15 Nov. 2017].
  3. The Guardian (2017). NHS seeks to recover from global cyber-attack as security concerns resurface. [online] Available at: https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack [Accessed 15 Nov. 2017].
  4. Sharman, J. (2017). Nissan’s Sunderland factory latest victim of massive cyber attack. [online] The Independent. Available at: http://www.independent.co.uk/news/uk/home-news/nissan-sunderland-cyber-attack-ransomware-nhs-malware-wannacry-car-factory-a7733936.html [Accessed 15 Nov. 2017].
  5. Rivest, R., Shamir, A. and Adleman, L. (1983). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 26(1), pp.96-99.
  6. Chu, J. (2017). The beginning of the end for encryption schemes?. [online] MIT News. Available at: http://news.mit.edu/2016/quantum-computer-end-encryption-schemes-0303 [Accessed 15 Nov. 2017].
  7. How did the WannaCry ransomworm spread?. (2017). [Blog] com. Available at: https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/ [Accessed 15 Nov. 2017].
  8. Rousseau, A. (2017). WCry/WanaCry Ransomware Technical Analysis. [Blog] Endgame. Available at: https://www.endgame.com/blog/technical-blog/wcrywanacry-ransomware-technical-analysis [Accessed 15 Nov. 2017].
  9. Next stept on the NHS Five Year Forward View. (2017). [online] NHS, March 2017. Available at: https://www.england.nhs.uk/wp-content/uploads/2017/03/NEXT-STEPS-ON-THE-NHS-FIVE-YEAR-FORWARD-VIEW.pdf [Accessed 15 Nov. 2017].
  10. Investigation: WannaCry cyber attack and the NHS. (2017). [online] Department of Health. Available at: https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf [Accessed 15 Nov. 2017].
  11. Dattani, N. (2014). Quantum factorization of 56153 with only 4 qubits. org. [online] Available at: https://arxiv.org/abs/1411.6758 [Accessed 15 Nov. 2017].
  12. US Department of Commerce (2016). Report on Post -Quantum Cryptography. NIST Interagency Report 81 05. [online] National Institute of Standards and Technology. Available at: https://csrc.nist.gov/csrc/media/publications/nistir/8105/final/documents/nistir_8105_draft.pdf [Accessed 15 Nov. 2017].
  13. Wood, L. (2011). The Clock Is Ticking for Encryption. [online] Computerworld. Available at: https://www.computerworld.com/article/2550008/security0/the-clock-is-ticking-for-encryption.html [Accessed 15 Nov. 2017].
  14. Keizer, G. (2013). Security experts applaud Apple’s new two-factor authentication. [online] ComputerworldUK. Available at: https://www.computerworlduk.com/it-vendors/security-experts-applaud-apples-new-two-factor-authentication-3436827/ [Accessed 15 Nov. 2017].

Previous:

For AT&T, It’s (DirecTV) Now Or Never

Next:

Kellogg Changes so the Climate Won’t

Student comments on Admitting cybercriminals to hospital through the front door

  1. I completely agree with Josephine that the specter of quantum computing’s impact on cyber security is deeply concerning, and that most organizations, including the NHS, are woefully underprepared. While I also agree with her recommendations for the NHS to improve security, I wonder when the potential costs of digitizing sensitive information outweigh the benefits. As a somewhat extreme example, the US nuclear force is run on technology that still operates disconnected from the internet using floppy disks (granted, this is going to be replaced in 2020), in large part because they cannot be hacked remotely [1].

    In my view, the costs of digitization are often understated, particularly in the case of healthcare. Mass General, for example, has spent over $1B implementing Epic, a digital records management system, and it is still not fully operational [2]. I question whether we will truly be able to adequately safeguard digital information, and whether we should place limits on the extent of our reliance on digitization.

    1. Merrit Kennedy, “Report: U.S. Nuclear System Relies On Outdated Technology Such As Floppy Disks”, NPR, accessed November 2017, https://www.npr.org/sections/thetwo-way/2016/05/26/479588478/report-u-s-nuclear-system-relies-on-outdated-technology-such-as-floppy-disks
    2. Kristen Lee, “Epic’s EHR: Challenges and lessons learned at Mass General”, TechTarget, accessed November 2017, http://searchhealthit.techtarget.com/video/Epics-EHR-Challenges-and-lessons-learned-at-Mass-General

  2. This is an extremely thought-provoking topic, particularly as we prepare for leadership roles in the near future. In the corporate world, there has been an increasing pressure on the companies and their boards to understand cybersecurity better. The advent of quantum computing definitely adds to the risk element here. However, I would like to point out a couple of potential mitigants:

    1. Post-quantum cryptography

    You are absolutely right that a quantum computer will render the currently used public-key cryptosystems such as the RSA, DSA, elliptic curves etc., obsolete. The cryptography academia is approaching this problem with the new research area of Post-Quantum Cryptography (“PQC”) [1][2][3]. Although, it’s important to realize that research in PQC is years behind the quantum computing research. For instance, IBM asserts that its functional quantum computers are only years away [3]. This brings me to the second point of the accessibility to quantum computing.

    2. Who can really use quantum computing?

    In the current state of affairs, quantum computing is obscenely expensive and operationally challenging due to the requirement of near zero temperatures. This gives some comfort that criminals will not be able to get access to quantum computational power in the near-term. However, if we consider geopolitical tension between countries, it is a completely different situation. Both Russia and China are often perceived to be ahead in quantum computing research as compared to the United States. It is frankly scary to imagine what that could potentially mean!

    References
    [1] http://research.stevens.edu/post-quantum-cybersecurity
    [2] https://pqcrypto.org/
    [3] https://www.forbes.com/sites/jasonbloomberg/2017/08/11/this-is-why-quantum-computing-is-more-dangerous-than-you-realize/#151601c03bab

  3. Josephine! Love this topic. I think it’s an incredibly interesting issue that not many people talk about. It’s exciting to think about the incredible capability of new technologies and how disrupting they are, but all too often we forget to talk about the large negative externalities. And this is definitely an issue. Given all the problems that everyone from Sony to Uber have had in cyber security, this is already an increasingly important issue. And given the fact that a cybersecurity breach for hospitals can result in deaths, this is a particularly tricky issue.

    Another solution that has been suggested is the fighting quantum with quantum (1). Quantum cryptography gives the possibility of creating security systems called quantum key distribution, which could provide an effective barrier against quantum computings massive firepower. Another potential solution (similar to the dual system you mentioned) is to use lattice theory to that utilizes geometric convergences to protect data (2).

    Regardless of the potential solution, your point is an incredibly important one. Quantum computing is a huge risk for cyber security – and one that we aren’t ready for.

    (1) https://www.forbes.com/sites/juniper/2017/11/01/cybersecurity-in-the-age-of-quantum-computing/#21bfaf7f423c
    (2) http://research.stevens.edu/post-quantum-cybersecurity

Leave a comment