“Due to this advantage, there is concern that some entities — specifically state-sponsored actors — are breaching and stealing data with a long-shelf life value now (think financial, government, DOD, etc.) with the intent of using future quantum systems to decrypt it and use it later,” said West.
Several initiatives are now under way to identify and develop post-quantum cryptographic algorithms organizations can deploy to become quantum-resilient. For example, NIST launched a global initiative in 2016 and is expected to release its final recommendations later this year. In 2022, US President Joseph R. Biden Jr. issued two security memorandums (NSM-8 and NSM10) to provide government agencies with the guidance and timeframes to begin implementing post-quantum cryptography.
As for Zoom’s post-quantum EE2E feature, West said the amount of information transferred via text messages and in virtual meetings “is a rather unexplored territory for post-quantum cryptography [PQC],” but is an important area of focus. “Compromised information using these technologies could lead to national security breaches, the accidental exposure of company trade secrets, and more,” she said. “Zoom has taken this opportunity to identify a current area of data security weakness and develop an industry disruptive PQC solution.”
Even so, West points to “severe limitations” in Zoom’s approach. For example, to be secure, all meeting participants are required to use the Zoom desktop or mobile app version 6.0.10 or higher. “So there is no guarantee that everyone will be using the most up-to-date version…,” she said.
In addition, using Zoom’s post-quantum encryption means participants loseaccess to some key features, such as cloud recording. “For PQC to be effective, not only must it be secure against potential quantum cyber security breaches, but it should also allow for the same performance and utility of the applications and infrastructure than if it weren’t being used. This doesn’t seem to be the case with Zoom’s implementation,” West said.
In general, West said all businesses should be considering how to keep encrypted data safe in future.
