Two major technological advances—AI and quantum computing—are the impetus for significant innovation across industries. Unfortunately, the cybercriminal ecosystem is no different.
Cybercriminals’ experimentation with AI, the threat quantum computing poses to encrypted data, and the rapid adoption of digitized value are resulting in massive changes, says Ian Rogers, chief experience officer at Ledger, a provider of secure signer platforms.
“We have lived through the ‘once in humanity’ digitization of all information, and now we are living through the ‘once in humanity’ digitization of all value,” he says. “And I would say, we may all have a bit of whiplash from the internet, but you ain’t seen nothing yet.”
The ubiquity of AI and continuing advances in quantum computing will transform the security landscape and change what companies and users need to safeguard their digital assets. Quantum computing poses challenges for the cryptocurrency ecosystem, especially for those areas not updated to use post-quantum cryptography, while AI lowers the barriers to creating synthetic identities and convincing fake information.
The impact? Unless companies and digital-asset owners adopt more stringent security, they face more advanced threats and risks to their portfolios.
Disruption, but when?
As demonstrated by the mentorship scam, AI already poses a threat to technology users. A variety of other AI-augmented attacks have popped up as well. Attackers use AI code generators to produce variations on their tools, often successfully evading malware detectors and antivirus software. In one instance, a cybercrime group known as GreedyBear generated 150 wallet extensions for Firefox using AI code generators. The malicious campaign stole more than $1 million from users.
Increasingly, AI is being used to masquerade as executives at companies or create synthetic identities for fraud. The attacks are often very convincing, even fooling tech-savvy victims, says Charles Guillemet, chief technology officer at Ledger.
“As a user, it is very difficult to know if you are interacting with a human or with a bot,” he says. “How do you know that you are, today, interacting with me and that I’m a human? Because it’s already quite easy for AI to impersonate me.”
The threat posed by quantum computing to encrypted data is real, but it’s still in a future state. For example, it’s likely a quantum computer capable of storing a million qubits is needed to break today’s commonly used public-key encryption. However, even with accelerated investment in research and development, a practical quantum computer will only be deployable in the next decade or two.
However, while practical quantum computing may not be here today, sensitive data needs to start being protected now. Far-sighted crypto thieves—not to mention nation-state threat actors—can collect high-value data today in the expectation that the data will remain valuable when it can be decrypted in a decade. The scheme, known as “harvest now, decrypt later,” means that today’s most valuable data needs to use post-quantum encryption to protect against the future development of a practical quantum computer.
“It’s not that easy to evaluate the threat,” says Guillemet. “However, the good news is that we have a solution to this threat.”
The entire cryptocurrency ecosystem needs to adopt post-quantum cryptographic algorithms to protect asset owners from these future threats. The EU and US are already moving to require quantum-resistant crypto by 2035. Ecosystem companies, such as Ledger, are creating tools to make post-quantum security easier to adopt and to prove authenticity of digital assets.
Next-generation identity is needed
With these rapidly evolving technologies threatening the ecosystem, the boundaries between identity protection and asset security continue to blur. Securing both identity and assets has become vital. As the trend toward the digitization of all value continues, cryptocurrency-technology providers need to innovate in both identity and privacy. Security alone is not enough; users and companies need better identity and privacy as well.
Self-custody and permissionless value are necessary for the future but make security hard. Cryptocurrencies are predicated on the principle of self-custody—meaning a user, not a third party, holds the keys that secure them in a digital wallet—and they require no permission to use. However, these characteristics also mean that, if stolen, that value is irretrievably lost.
These attributes mean that cryptosecurity providers need to continue to innovate, says Rogers.
“If we’re doing cryptocurrency, then we need self-custody, and if we have self-custody, then we need security,” he says. “It doesn’t matter if it’s on the user side, the organizational side, or the government side — somebody is going to hold those tokens, and while stealing a billion in gold bars is very difficult, stealing a billion in cryptocurrency is easy.”
When a third party, such as a cryptocurrency exchange, is the custodian for an owner’s digital assets, proving identity is critical. With the potential for AI to make spoofing users or stealing users’ digital identities easier, and quantum computing potentially undermining some legacy crypto systems, identity also needs to have well-tested security, says Guillemet.
“Cryptography is the answer,” he says. “If I can authenticate myself and authenticate my content, then you will have the strong guarantee that you are talking to me and that I’m a human.”
Securing the next-generation economy
A major difference between digital assets and physical assets is that bits are easily copied, whereas atoms require more effort. As such, security decisions must be made today to prepare for tomorrow’s digital-based economies. As a start, post-quantum encryption algorithms must be adopted at all levels of the cryptocurrency ecosystem, and at least a decade before a viable quantum computer is built.
Security is a chain, and it’s never stronger than the weakest link. Most of the time this link is the user, which is why the cryptocurrency marketplace’s de facto mantra is “Do your own research.” Security technology needs to be simple and train the user by default, so they can make the right decision and avoid signing away their assets.
Cryptosecurity firms need to innovate both in security and in user experience to help users make the right decision. The latest hardware wallets display critical information on secure screens before allowing the user to sign a transaction, such as the Transaction Check feature of Ledger wallets, which often helps warn a user if something seems amiss. The user does not have to try to understand what kind of transaction they’re signing, but they are still protected.
Another Ledger initiative, known as Clear Signing, aims to present all the relevant details of a transaction before the asset owner signs the contract, says Guillemet. “We are working on our next-generation devices, and we are making sure they will be post-quantum-crypto ready,” he says. “We will have this capability on the newer generations.”
Cybercriminals do not rest and are constantly innovating, he adds. While the timing of the arrival of certain threats is uncertain, the fact that they will arrive is not. Almost every consumer relies on their smartphone for security, but in the future, the security of those devices may not be enough. Guillemet stresses, “So we are talking about next generation, but I think it’s already here and we can’t wait. This is what we need to prepare for the future.”
Learn more about how to secure digital assets in the Ledger Academy.
This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by MIT Technology Review’s editorial staff. This content was researched, designed, and written by human writers, editors, analysts, and illustrators. This includes the writing of surveys and collection of data for surveys. AI tools that may have been used were limited to secondary production processes that passed thorough human review.




