Why VMWare's Post Quantum Action Plan Misses The Mark

After reading VMWare’s latest article on post-quantum readiness, I found myself feeling a mixture of frustration, confusion and disinterest. Now, if I was just your average Joe, with no prior understanding of quantum or cryptography, you might understand, perhaps even expect this reaction from reading this article. But, as someone with a keen eye on the quantum computing and quantum cryptography markets, this reaction was a little worrying. To prevent those who are genuinely looking for support preparing their business for the post-quantum era from meeting the same fate, I decided to write this blog.

After all, receiving advice that is fluffy, unhelpful and quite frankly misses the point is hardly conducive to actually preparing your business - especially when the thing you’re preparing for is a very real and very intense threat to its security. 

Anyway, now that my VMWare rant is over, onto the important stuff. I am going to take a look at the advice VMWare has provided and explore where they’ve hit the mark and where they’ve missed it, before proposing my own ‘action plan’ for businesses preparing for the quantum threat.

The Problem With VMWare’s Advice

“Start By Establishing Goals”

Described in the article as ‘high-level ideas’, the first piece of advice VMWare has to offer is that businesses should establish the exact goals that they intend to achieve in their preparations. They allude to the fact that ‘quantum readiness’ can mean many different things for many different organisations, but don’t specifically identify the need for your business to decide what ‘quantum readiness’ means for you. Luckily, I am here to identify that need. 

They then go on to explain a few different goals that you might look to include in your definition of ‘quantum readiness’, including identifying cryptography usage, understanding exposure points and anticipating customer questions about your new approach. These are in fact very helpful if a little difficult to dig out amongst the format of the article. Again, lucky for you, I have laid out a number of example ‘goals’ in my ‘How To Prepare For Quantum Readiness’ section below.

“Build A Phased Migration Plan”

This section is, despite being potentially a little patronizing, actually quite helpful. After all, when we are panicking about preparing for our impending quantum doom, it might be easy to forget that a phased approach will actually help make things happen much faster and more efficiently.

I do, however, feel that the four detailed phases described in this section make the whole ‘quantum readiness’ phenomenon feel very complex and time-consuming. In reality, there are solutions out there that can manage the majority of this process on your behalf, making much of this phase talk actually quite useless. More on this in the next bit… 

How To Prepare For Quantum Readiness (My Advice)

Now you know more about why I am not happy with VMWare’s approach to this topic, it is time for you to see my approach, broken down into 3 simple steps.

1. Establish what ‘quantum readiness’ means to you

Every business is different, so your idea of being ‘quantum ready’ may differ entirely from that of another business, even if you both operate within the same industry. 

In this step, consider the many ways that quantum threat could affect your business and work back from them to create ‘goals’ that you’d need to achieve in order to be ‘quantum ready’. These could include:

Merging your existing cyber security solutions to avoid clashes in the service provided

Identifying gaps in your existing cyber security solutions (once merged)

Identifying any potential vulnerabilities that a cyber criminal could exploit

Identifying any vulnerabilities that, whilst they are not a concern now, could be exploited by a quantum computer in future

Identifying the types of data transfer your business relies on

Identifying the methods through which any of your business’ data is stored

Adoption of a new, quantum-safe cyber security solution capable of securing all potential vulnerabilities, data storage and data transfers

Constant monitoring and improvement of the cyber security solution in place

2. Find the solution that best fits your business and helps you to achieve ‘quantum readiness’ as you defined it in step 1

I am willing to place some pretty hefty bets on the idea that this solution will probably be QuantumCloud™, a quantum encryption solution developed by an English company called Arqit Limited. Although it does not integrate with every single part of your business (i.e. data storage, transfer, monitoring etc.), it performs a truly end-to-end encryption service that cannot be decoded even with quantum computers. So, unless you actually want to go out of your way to find a more complex solution (and one that might not necessarily even be proven to work), I’d say Arqit is your safest bet. 

3. Continue to monitor and test your business’ ‘quantum readiness’, using the criteria you identified in step 1

Finally, once you’re pretty sure you have adopted the right solution and ticked off the rest of the goals on your list from step 1, that doesn’t mean it is time to rest on your laurels. Quantum technology is constantly evolving and the threat it poses will no doubt evolve along with it, so we have to be ahead of the game when it comes to this kind of technological evolution. Thankfully, Arqit is proud as punch of the fact that they are already ahead of their time and it doesn’t look like they are showing any signs of slowing down. So, with their QuantumCloud™ solution, you’ll never be far behind! 

Find out more about QuantumCloud™ and reach out to Arqit to get it installed for your business here 

Or, if you’re nuts, read VMWare’s original article here. 

Quantum Encryption In The Legal Sector

As someone with an avid interest in the legal sector, I was excited to discover that leading law firm Dentons (London) has entered into an agreement with the quantum encryption geniuses at Arqit Limited. 

Why did this excite me so much, I hear you ask? 

Well, although “quantum encryption” might sound like something that is only relevant to those working in tech or defence industries, it actually has implications across literally any industry you can think of. And, when it comes to an industry where privacy is paramount (for example, the legal sector), its implications are insurmountable. 

In this blog post, I am taking a look at what exactly quantum encryption actually is, why it is so important right now, and how it can be applied to the legal sector. Then I will review how Dentons is collaborating with Arqit to explore this exact application. 

What Is Quantum Encryption And How Does It Work?

Let’s take a step back for a second and have a look at what “quantum encryption” actually means.

For those of you who don’t know, quantum encryption is a cyber security technique through which quantum computers are used to secure communications such that it cannot be read by anyone or any device other than the intended recipient. 

Why Is Quantum Encryption Important?

In today’s ever-developing world, we are constantly experiencing new threats to our cyber security. The latest threat comes from a different application of quantum computing - the application that decrypts rather than encrypts data and is capable of breaking apart our existing cyber security infrastructure (known as PKI) in the blink of an eye. Quantum encryption techniques are important because they are capable of alleviating the threat that quantum computers pose to our cyber security. Put simply, they fight fire with fire (or quantum with quantum) and they win. What’s more, experts say that quantum key distribution (the main process through which quantum encryption is carried out) can protect us not just from the threats to our cyber security we are experiencing today, but from threats we don’t even know about yet. 

How Does Quantum Encryption Apply To The Legal Sector?

As I mentioned in my opening paragraph, privacy is of particularly high concern for those operating in the legal sector. Understandably, the stakes of losing or leaking information about a client or their case are incredibly high, making the security of this information absolutely vital. And, as one in five

global law firms experienced a cyber attack in 2020, the threat is higher than ever.

Let’s take a murder trial, for example. If the prosecution were to find a particularly damning piece of evidence against the defendant in this trial, they might want to keep this evidence to themselves in order to present it to the defendant in court. The benefit of this would be the element of surprise, as it may incite an emotional reaction that could force the defendant to react in a suspicious manner, change or forget their story, or even confess. However, if this information was somehow obtained by the defendant’s legal team, they could prepare them for the presentation of the evidence ahead of time, tightening their story and improving their chances of walking away with a non-guilty verdict.  

The Dentons Example

The world’s largest law firm, Dentons, signed a contract with Arqit Limited back in July. The contract involved the co-development of a quantum-safe self-sovereign identity system (or SSI), known as QuantumKeep™. 

According to the original press release, this SSI has the ability to transform the onboarding and compliance processes “from a repetitive, burdensome, and time-consuming process that involves transmitting identity documents over insecure channels, into a hassle-free and secure exchange under the client's control.”

In other words, it improves the efficiency, simplicity and security of the process. It combines well-known blockchain with Arqit’s patented quantum digital signature technology to create a safe and efficient data storage and transfer system. Dentons will be the first to pilot the technology, but they won’t keep it to themselves for long. Arqit already have a distribution plan in place to get this technology implemented across the legal services industry and in other sectors including professional services, finance, and the government (with whom they already have a sturdy relationship thanks to a different product offering). 

To find out more about QuantumKeep(™) and the Dentons X Arqit collaboration, read the full press release. 

Why China Didn’t Need To Ban Crypto

China has just banned cryptocurrency for good and, while the move is hardly surprising given their increasingly hostile stance on the activity in the past couple of years, it is also completely unnecessary.

What Has Happened?

So China has just announced that they will be cracking down entirely on cryptocurrency by making associated activities against the law. 11 Chinese government authorities came together to announce that they would be banning all crypto mining and declaring all financial transactions involving cryptocurrencies entirely illegal. Even overseas crypto exchanges will be illegal if they involve a Chinese party. 

Within minutes of the announcement, Bitcoin had plummeted 7% on the NASDAQ. Hardly surprising given that China once accounted for 75% of the world’s Bitcoin energy use.

Why Did They Do It?

There are a couple of key reasons that Chinese governments have given for the ban, and they are reasons they have been banging on about since they first expressed concerns about the industry. 

Environmental Impact

The first concern China has raised is that crypto mining is extremely bad for the environment. Now, in all honesty, I don’t have much of an argument for this one, because it is. 

Meanwhile, Chinese president Xi Jinping has committed to making his country completely carbon neutral by 2060. Seeing as it is predicted that China accounts for the vast majority of Bitcoin mining globally, it is hardly surprising that this is an activity he wants to shut down. 

I won’t argue with this one, Xi, 1-0 to you. 

Decentralized Finance

Let’s put the environmental aspect to the side for a second (don’t shoot me, it’s just not the topic of this blog, OK?). 

The primary reason China has actually given for the crypto ban is the fact that it is based on a decentralized finance system (also known as DeFi). DeFi is a financial system through which financial products and services are run without any central authority. They are available on a decentralized blockchain network that is completely open to the public. It takes out the financial middleman (i.e. a bank or broker), making DeFi products far more accessible than their centralized counterparts. 

The benefits of DeFi are predominantly in speed and cost. Without needing to wait for a middleman to approve a transaction, trades and asset movement can be made instantly and without the need to pay any additional fees. However, the system is also much safer for end-users. Under centralized programmes, banks and other authorities can manipulate the value of their customer’s savings and investments - for example, by adjusting interest rates. However, without a central authority, end-users can be sure this won’t happen. Their assets are stable and secure. Finally, the data storage technology utilised within DeFi (known as ‘Blockchain’) is far safer than those used for centralized financial products. Blockchain carefully monitors, stores, and secures each transaction made so that it can be verified and traced back to its owners. It is also managed by a whole team of devices (rather than one device, as most data storage facilities are). This makes it much harder for cyber criminals to access, change, or manipulate data in order to steal money. BUT that doesn’t mean they can’t. Because they have. Several times. 

It might sound like I am on China’s side here (in which case, what’s with the title of the blog, right?) but I am not. You see, what they are failing to see is that the way crypto is run right now isn’t the only way. Instead of banning it altogether, they just need to find a better, safer way to make it work. And that already exists! 

So What Is The Alternative?

Get to the point, right?

I will.

See, there is a solution out there that can help crypto to exist in much the same way it does right now, but with an added layer of cyber security keeping it safe from any malicious attack. No need to get rid of blockchain or start again with the whole DeFi process. We can keep all the benefits of decentralized finance whilst ensuring that our data (and, most importantly, our money) is completely safe. 

The solution comes from a company called Arqit, which has created a cyber security product based on its own encryption technique. The technique, which benefits from some of the clever technology used in quantum computing, is known as ‘quantum encryption’. 

Quantum encryption is completely impossible to decrypt because it does not rely on any type of ‘pattern’ to create its encryption keys. Instead, quantum encryption creates random and unique keys for every new piece of data transferred. This makes the system entirely unpredictable and thus unhackable! 

So how does this solve the security problem that China is using as an excuse to ban crypto?

Well, it’s pretty simple. 

If we equipped all crypto devices with QuantumCloud™, ensuring that the quantum encryption technique was enabled from end to end for all cryptocurrency-related data transfers, we would be completely safe from the kinds of hacks the Chinese government is worried about. No bans required. 

China, if you’re reading this, you’re welcome.

The Cryptocurrency Wild West, It’s Every Cowboy For Themselves

We just witnessed what is, to date, one of the biggest cryptocurrency heists to ever target the industry stealing a whopping $600m (£433m) in total. The scale of the attack puts it on the same level of security breaches such as the Coincheck hack back in 2018 and the Mt Gox hack 4 years prior. 

Poly Network is the crypto network that suffered the hack. It claims that the hackers exploited a vulnerability in its system which resulted in the theft of thousands of digital tokens like Ether. 

Before we look into the hack, we need to explore what Poly Network is and how it works. 

As a decentralised financial (DeFi) network, Poly Network is a platform that links some of the world’s most widely used digital ledgers like Binance Chain and Ethereum. These common blockchains developed independently meaning their coins run on separate technologies which makes moving tokens to a different blockchain to trade or use them as collateral more difficult. The computer protocol developed by Poly Network looks to connect different blockchains so they can work with each other and cut out intermediaries such as brokerage and exchanges. The Poly Network executes these transactions using scripts called “contracts,” which can make financial applications like lending or borrowing more efficient and cheaper. 

The aim for many projects is to be fully decentralised giving full power to the users. To do this, some keen crypto investors are working on networks that will allow them, and other users, to buy and sell digital assets directly with each other. The goal is to avoid any intermediaries that impose fees like clearing houses or n exchanges. 

So, how did the hack happen? 

According to a Poly Network spokesperson, the hacker exploited a vulnerability in the _executeCrossChainTx function between contract calls. The attacker used the function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract, which allowed them to then declare themselves as the owner to any funds processed through the platform. 

The hacker was able to exfiltrate funds from the Poly Network and transfer them into wallets under their control by using repeated calls to the attacked contract. 

How did / is Poly Network responding? 

They wasted no time in reaching out to the crypto community on Twitter and shared the hacker’s addresses where the assets were being transferred. Poly Network called on miners of the affected blockchain and crypto exchanges to blacklist tokens coming from the addresses below: 

Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963

BinanceSmartChain: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71

Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214

They also posted a letter on Twitter urging the hackers to “establish communication and return the hacked assets” and reminded them of the fact that the money stolen was from  “tens of thousands of crypto community members, hence the people.” Of course the desperation and naivety was picked up by Twitter users and the letter became a trending topic on the platform because of it.  

To add salt to the wound, the hacker used the comment field in Ethereum transactions to taunt Poly Network even further by posting public messages and engaging in conversations with individuals. One such message revealed that it would have been a billion hack if Poly Network had bothered to move its less popular altcoins.

At the time of writing, the hackers have begun returning the funds and have sent back $4.8m worth to Poly Network. It raises the question whether the hackers are scared of being caught, or if they are trolling Poly Network just because they can?   

Is DeFi no longer safe? 

A major blow to DeFi supporters, the hack puts a damper on the expanding area of the booming cryptocurrency market. But as mentioned earlier, this isn’t the first time DeFi has been the victim of a cyber attack. 

In fact, according to cryptocurrency compliance company CipherTrace, DeFi-related hacks totaled $361 million from January to July 2021 alone. That’s nearly three times more than the whole of 2020. 

And it’s not just hacks that crypto investors have had to worry about, there seems to be an increase in fraud events too. This year alone DeFi-related fraud has accounted for 54% of total crypto fraud volume versus 3% for the whole of last year. 

What this recent attack has highlighted is the lack of regulation and a lack of consumer and investor protections. And it begs to question whether crypto will ever be a serious currency contender when there’s a lack of trust in the systems that underpin them. There are no chargebacks, no government to protect you and no centralised bank to deal with fraudsters. The world of cryptocurrencies is literally the Wild West and you have got to watch your own back. 

What if there is a way to make it safe? 

Luckily, there are some incredible quantum technology pioneers out there that are working on solutions to not only make blockchains more secure now, but to also protect them from the future quantum threat (yes, quantum computers are coming). I recently came across the company Arqit who is leading the way with its globally unique solution it’s dubbed as a Platform as a Service (PaaS). 

What makes Arqit exciting is that it suggests upgrading existing blockchains with encryption that is permanently quantum safe. It’s solution creates one-time zero-trust symmetric encryption keys at end points which is also 1,400 times faster than the alternative. 

When there are robust solutions like this available, it begs to question why they’re not being implemented now to not only protect against the hackers of today, but also the quantum hackers of tomorrow? I know what I’m banking my cryptocurrency on.