Technology & Innovation

China – a quantum walled garden

August 15, 2016

Global, Asia

August 15, 2016

Global, Asia
Dwayne Melancon

Chief Technology Officer and Vice President, Research & Development

Dwayne entered the tech industry as a support analyst, and he hasn’t slowed down since. In addition to holding positions at Symantec and DirectWeb, he contributed to the Visible Ops Handbook and the Visible Ops Security Handbook, which required him to work with researchers from Carnegie Mellon, the University of Florida, the University of Oregon and the IT Process Institute.

Dwayne holds CISA and ITIL certifications and is a member of the Information Systems Audit and Control Association (ISACA), the National Association of Corporate Directors (NACD), the Information Systems Security Association (ISSA) and IT Service Management Forum (itSMF).

Throughout history, nations have used walls to protect their interests and keep intruders away from their valuable possessions. With that in mind, it is no surprise that China’s latest walled garden approach is being applied to its cyber assets.

China recently announced that it is creating a “quantum communication satellite” to provide a means of transmitting data without the risk of eavesdropping by hackers.

There are a couple of basic problems with walled gardens: first, they require perpetual maintenance and eternal vigilance; second, nothing makes an attacker more curious than a wall they can’t see through.

While this is an interesting concept, I see it as more of a novelty than a practical solution to the eavesdropping problem. In other words, I don’t think it will ultimately be successful.

Peeking through the cracks

In China’s approach the assumption is that they can successfully keep attackers out, and keep all of their sensitive data inside their crypto garden, at all times. This premise assumes that everything works as planned, and that every link in the chain of data custody can be trusted. Unfortunately, that is seldom the case.

For example, there is a high likelihood that this satellite communication system will be connected to a traditional, terrestrial network at some point. If the secure network ever connects to another network, the data will not be secure for very long – even if the data cannot be intercepted as it is transmitted by this quantum satellite, it will likely be vulnerable while it sits on the terrestrial network to which it is transmitted.

Traditional network security often utilizes “air gapped” network structures to prevent cross-contamination of networks, but that requires absolute discipline and tremendous control. The simple act of plugging a smartphone into a computer on an air gapped network can be enough to compromise security.

Furthermore, a completely isolated network is of limited value, which will ultimately lead China to make decisions to increase the utility of the data. A decision to connect to a different network “just this once” will weaken the security of the network. Such decisions are seductive – someone comes up with a scenario that seems compelling, a decision is made to satisfy this one-off usage scenario, and weaknesses are introduced into the system. The problem is that these weaknesses can be difficult or impossible to remove. After all, once the means to move one kind of data out of a secure system is provided, it offers the means to move any other data out of that system.

Blame not the machine

However, the biggest vulnerability is probably not a technical one. History teaches us that the biggest weakness in communications and security is the same one that plagues every network on earth: humans will be the ones securing and using this high-tech network.

When attackers find technological safeguards too difficult to overcome, they take the path of least resistance – they attack and exploit the human weaknesses in the system through bribery, trickery, or simply taking advantage of our short attention spans. After all, attackers and scammers routinely get what they want by exploiting human flaws such as errors, carelessness, and greed.

To increase the security of any network (without building a quantum satellite), there are steps to take:

  • When designing a process, a network, or a security strategy, remember that users often go to great lengths to make copies of data and move them around – typically, with good intentions. When that happens, data is even more difficult to secure and contain, which increases the likelihood that an authorised user will expose the data to an unauthorised one. Monitor both data at rest and data in motion to ensure that you know how data is being used and how it is moving through (and possibly out of) your network.
  • Use data classification, coupled with network and data segregation to limit the loss in the event a network being compromised. These methods can greatly increase the difficulty for hackers to acquire data, while limiting what attackers can see when they are on a network.
  • Use encryption to limit the value of data. A lot has been said about encryption, but it is extremely effective in making stolen data useless when used effectively.
  • Understand and tightly control all access to your network and data – including all users, applications, and processes. That includes authorized 3rd parties, as well.

These are just a few of the basics, but they can make a big difference in your security.

Of course there is another key lesson in this: if you want to keep your walled garden secure and private, keep it a secret. 

 

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the views of The Economist Intelligence Unit Limited (EIU) or any other member of The Economist Group. The Economist Group (including the EIU) cannot accept any responsibility or liability for reliance by any person on this article or any of the information, opinions or conclusions set out in the article.

Enjoy in-depth insights and expert analysis - subscribe to our Perspectives newsletter, delivered every week