Posted by Rob Slade on September 21, 2016.
In security, we are all well familiar with the importance of risk assessment, analysis, and management. Assessment and analysis are difficult and time consuming, but we do have some software tools that help us with the management aspect. (Quantum computers may provide us with new tools for assessment and analysis, but we’ll explore some of those in other domains of security.)
Typically, these utilities have to be loaded with all the risk assessments and analysis that you have done, the calculations of annualized loss expectancies for each risk, the various countermeasures, factors by which the safeguards will reduce the risks, and the cost of running the countermeasures. (Among other things.) Once all of this data is loaded, the program will operate in a spreadsheet fashion, allowing you to play “what if” games, where you reduce or increase your expenditure on the various controls, and see what impact that has on the bottom line. The intent, of course, is to try and find the greatest total cost savings given the set (and usually inadequate, but we will ignore that for now) budget that you have for security.
What these programs won’t do is to tell you what that most desirable state is. In order to find it, you would have to create every possible combination of spending on controls, calculate the savings created by each blend, and then determine which one gives you the greatest reduction in risk. Sound familiar? It’s our old least path problem. Therefore, a quantum computer may be able to do that last risk management step for us, as long as we’ve done the assessment and analysis properly in the first place.
That last point is an important one. Quantum computing may seem like magic, in some aspects, but it is still a technology with limitations, and “garbage in/garbage out” is still going to apply. The assessment and analysis areas are also going to rely on quantitative risk assessments, which we have never been really good at (and which seem to be falling, increasingly, into disfavor).
However, finding a best (or, at least, optimal) solution will be an enormous advantage. It will save time that would be otherwise wasted playing “what if,” and it will give a “best” rather than simply “better” solution. It will also allow a recalculation of “best” in real time, as situations change. This will probably not seem important in regard to security risk management, which tends to be rather long range. (It probably would be important in business continuity planning, which I’ll get to later.) I did discuss it on one occasion with a US naval officer, who got very excited about the possibilities for battle management.
Information classification is a difficult and time consuming task, and one that is hard for people to do in a consistent manner. So difficult that many companies are abandoning the practice altogether, at the same time that we are seeing increased needs for more, and more complex, classification systems. There are very few software tools that can assist us with the classification process. A good deal of the inconsistency results from not recognizing patterns that indicate this information is of the same sensitivity as that data. Therefore, a system that can match patterns may be able to do a good deal towards helping us with this particular problem, and quantum computers, you will recall, are far better at pattern matching than traditional systems.
Incident response is, in a sense, a microcosm of security and security management, with it’s own needs for planning and risk or impact assessment. There are a couple of areas where quantum computers could be very useful. In regard to response assessment and management, we come back to a situation similar to that of overall risk management as we reviewed above, but, particularly in incident response, we have a need for real time response. In addition, incident response often relies upon the correct correlation and identification of individual events, and these are often first seen by untrained users and barely trained front line help desk personnel. A quantum based incident response system would be able to identify potentially dangerous patterns of events and raise incident alarms more quickly, providing for earlier detection and response, and reduced impact of the incident.
Quantum computing is a new technology. Any new technology will require a new risk assessment: part of the following sections of this series will note areas where the existence of the new technology may create new vulnerabilities, or require greater vigilance on our part. There is one risk assessment that management should probably be looking into: what, for our particular industry and company, is the risk of investing, or failing to invest, in quantum technologies? A whole new set of policies and procedures need to be addressed. Both IT and senior management should start to build awareness of the coming technology before it arrives, bringing with it an enormous range of disruptions.
Quantum computing is a very new technology. It’s on the bleeding edge. We don’t even have any real, full quantum computers yet, other than as test beds. The commercially available quantum “computers” are actually more akin to quantum co-processors, able to conduct specialized and useful tasks for us, but not capable of the full range of potential quantum computing functions. And the testing and research that has been done with quantum computers definitely indicates that they are error prone, and potentially unreliable in a number of ways. Therefore, while quantum computers can and will help us with functional security requirements, we are definitely going to need to address a whole new set of assurance requirements, once we start using them.
So we need to look at how quantum computing is going to affect computer architecture, and security architecture.Submitted in: Expert Views, Insights, Perspectives, Rob Slade, Security |