The Future of Cybersecurity Might Look a Lot Like Snapchat – Slate Magazine (blog)

CERT-LatestNews ThreatsStrategic
461910203This program will self-destruct.

Fernando Gregory/Thinkstock

Snapchat isn’t just the favored social media platform of millennials everywhere—it’s also becoming an under-the-radar model for the future of cybersecurity. Think about it: At its most basic, Snapchat lets you send a picture or video message, deletes it in just seconds, and makes it impossible to retrieve it afterward. A self-destructing message as a perfect way of safeguarding data and information—who knew it was going to take a generation of meme-obsessed weirdos to popularize a Mission: Impossible gimmick?

There is an increasing number of tools catered to mimicking the Snapchat model for professional means. Apps like Whisper, Confide, and Signal have become vogue among industries trafficking in sensitive information, especially among government sources leaking to reporters. But these apps still possess limitations, like the need for an internet connection or the lack of anonymity. They also have their flaws that tenacious (and creative) hackers can exploit.


So the only real way to ensure information can’t be stolen isn’t just to burn the message after reading—you have to burn the messenger as well. If a program handling sensitive information is deleted immediately afterward, it can’t be compromised later on by malicious parties. The original data is kept safe after it’s processed the way it was meant to be. This could obviously be a boon for businesses trying to keep trade secrets in-house, government agencies corresponding with operatives abroad, and private citizens trying to keep their social security numbers private. Anne Broadbent, a quantum computing researcher at the University of Ottawa who specializes in cybersecurity development and testing, says one-time programs could help safeguard other software as well by acting as gatekeepers to accessing valuable tools (for instance, creating a one-time password application that gives one access to military arsenal).

There’s just one problem: It’s extremely difficult to build a one-time program, at least by using conventional technologies. This would not be a way to keep office gossip on Slack about the boss’s weird ticks from being leaked. According to Broadbent, conventional information, including the code for a one-time program, can be too easily copied. For one-time programs to actually work on, say, a modern-day MacBook, you’d have to physically destroy the computer afterward to guarantee the single-serving software can’t be resurrected and run again and hacked. Not ideal.

So we have to move past conventional technologies, and the key might be quantum computing. In the quantum world, information is impossible to copy because it doesn’t exist in the static state we normally think about information. The thinking goes that if you can’t copy quantum information, a quantum computer could allow for the best opportunity to run a one-time program as envisioned.

Can this work? An international team of researchers thinks it can. A new paper currently out for peer review demonstrates a proof-of-concept for a one-time program running and deleting itself on a quantum-computing device.


Here’s how it works. Let’s say you worked at a very large credit bureau—maybe one of the largest in the nation, with a recent history of, say, putting millions of Americans’ financial information at risk—and wanted to run a program that would allow you to share—just once!—analyses of different individuals’ credit histories. Under a one-time framework, the program would run an analysis, make that information available to a client, and then delete that data along with the program to ensure total security on the company’s end.

Unfortunately, there’s a catch. Because quantum physics operates on probabilities and odds, the result of the analysis—and really, any resulting action the software takes with the data, even if it’s just to repackage it for delivery to someone else—isn’t 100 percent guaranteed to be accurate or successful. For this study, the researchers achieved a success probability of 75 percent, which isn’t bad for a first-of-a-kind trial. It’s certainly not ideal for someone trying to prove to the bank they should be allowed to buy a house, but perhaps it’s good enough for the transfer of information one wants to destroy anyway. And even if the analysis is off, the data will still be better safeguarded than nearly any other security measure.

The researchers added another key feature for safe measure: Even if the program didn’t delete itself automatically, it’s impossible to reverse-engineer the task in order to find the information that’s supposed to stay safe.

It’s unclear yet how the researchers intend to follow up on these results—the team is not taking any inquiries from the media until after the paper is formally peer-reviewed and published in a journal. But they will presumably want to minimize the probability the program produces an erroneous result. Broadbent, who wasn’t part of the research team but has read a preprint of the study, also emphasizes that there is always a trade-off between security and functionality, so the researchers will probably need to figure out a way to stretch the capabilities of a program while ensuring it still provides safety. She’s pretty optimistic, however, about the results.

Although this type of cybersecurity measure can only exist in a quantum computing process, the commercial sector, especially businesses and research firms handling enormous amounts of data, are beginning to rapidly adopt quantum computing technology, which suggests that it could become mainstream. The advent of one-time program security is probably closer than you think.