Two major technological advances – AI and quantum computing – are the impetus for significant innovation across industries. Unfortunately, the cybercriminal ecosystem is no different.
Cybercriminals’ experimentation with AI, the threat that quantum computing poses to encrypted data, and the rapid adoption of digitized value are leading to massive changes, says Ian Rogers, chief experience officer at Ledger, a provider of secure signature platforms.
“We have experienced the ‘once in a lifetime’ digitization of all information, and now we are experiencing a ‘once in a lifetime’ digitization of all value,” he says. “And I would say we may all be suffering a little bit of Internet whiplash, but we haven’t seen anything yet.”
The ubiquity of AI and continued advances in quantum computing will transform the security landscape and change what businesses and users need to safeguard their digital assets. Quantum computing poses challenges for the cryptocurrency ecosystem, especially for those parts of it that have not yet been updated to use post-quantum cryptography, while AI reduces barriers to creating synthetic identities and convincing fake information.
The impact? Unless businesses and digital asset owners adopt stronger security, they will face more advanced threats and risks to their wallets.
Disruption, but when?
As the tutoring scam demonstrates, AI already poses a threat to technology users. A variety of other AI-powered attacks have also appeared. Attackers use AI code generators to produce variations of their tools, often successfully evading malware detectors and antivirus software. In one case, a cybercrime group known as GreedyBear generated 150 wallet extensions for Firefox using AI code generators. The malicious campaign stole more than $1 million from users.
AI is increasingly being used to impersonate company executives or create synthetic identities for fraud purposes. The attacks are often very convincing, even fooling tech-savvy victims, says Charles Guillemet, chief technology officer at Ledger.
“As a user, it is very difficult to know if you are interacting with a human or a bot,” he says. “How do you know that you are interacting with me today and that I am a human? Because it is already easy enough for AI to impersonate me.”
The threat that quantum computing poses to encrypted data is real, but it is still in a future state. For example, a quantum computer capable of storing a million qubits will likely be needed to break the public-key encryption commonly used today. However, even with accelerated investment in research and development, a practical quantum computer may only be deployed in the next decade or two.
However, while practical quantum computing may not exist today, sensitive data must begin to be protected now. Forward-thinking cryptocurrency thieves, not to mention nation-state threat actors, may collect high-value data today with the expectation that it will still be valuable when it can be decrypted a decade from now. The scheme, known as “harvest now, decrypt later”, means that today’s most valuable data must use post-quantum encryption to protect it against the future development of a practical quantum computer.
“It’s not that easy to assess the threat,” says Guillemet. “However, the good news is that we have a solution to this threat.”
The entire cryptocurrency ecosystem needs to adopt post-quantum cryptographic algorithms to protect asset owners from these future threats. The EU and US are already taking steps to mandate quantum-resistant cryptocurrencies by 2035. Ecosystem companies, such as Ledger, are creating tools to facilitate the adoption of post-quantum security and prove the authenticity of digital assets.
A next generation identity is needed
As these rapidly evolving technologies threaten the ecosystem, the lines between identity protection and asset security continue to blur. Protecting both identity and assets has become vital. As the trend toward digitization of all securities continues, cryptocurrency technology providers must innovate in both identity and privacy. Security alone is not enough; users and businesses also need better identity and privacy.
Self-custody and permissionless value are necessary for the future, but they make security difficult. Cryptocurrencies are based on the principle of self-custody (meaning that a user, not a third party, holds the keys that protect them in a digital wallet) and do not require permission to use them. However, these characteristics also mean that, in the event of theft, that value is irretrievably lost.
These attributes mean that crypto security providers must continue to innovate, Rogers says.
“If we use cryptocurrencies, then we need self-custody, and if we have self-custody, then we need security,” he says. “It doesn’t matter if it’s on the user side, the organization side, or the government side: someone will have those tokens, and while stealing a billion in gold bullion is very difficult, stealing a billion in cryptocurrency is easy.”
When a third party, such as a cryptocurrency exchange, is the custodian of an owner’s digital assets, proving identity is essential. Given the potential for AI to facilitate user spoofing or theft of users’ digital identities, and quantum computing potentially undermining some legacy cryptographic systems, identity also needs to have well-tested security, Guillemet says.
“Cryptography is the answer,” he says. “If I can authenticate myself and my content, then you will have a firm guarantee that you are talking to me and that I am a human being.”
Securing the next generation economy
An important difference between digital assets and physical assets is that bits are easily copied, while atoms require more effort. As such, security decisions must be made today to prepare for the digital economies of tomorrow. For starters, post-quantum encryption algorithms must be adopted at all levels of the cryptocurrency ecosystem, and at least a decade before a viable quantum computer is built.
Security is a chain and is never stronger than the weakest link. Most of the time this link is the user, which is why the de facto mantra of the cryptocurrency market is “Do your own research.” Security technology should be simple and empower the user by default, so they can make the right decision and avoid giving away their assets.
Cryptosecurity companies need to innovate in both security and user experience to help users make the right decision. Newer hardware wallets display critical information on secure screens before allowing the user to sign a transaction; Ledger wallets’ Transaction Check feature, for example, often helps warn the user if something appears wrong. The user does not have to try to understand what type of transaction they are signing, but they are still protected.
Another Ledger initiative, known as Clear Signing, aims to present all the relevant details of a transaction before the asset owner signs the contract, Guillemet says. “We are working on our next-generation devices and making sure they are ready for post-quantum cryptocurrencies,” he says. “We will have this capacity in new generations.”
Cybercriminals do not rest and are constantly innovating, he adds. While the timing of the arrival of certain threats is uncertain, the fact that they will arrive is not. Almost all consumers depend on their smartphone for security, but in the future, the security of those devices may not be enough. Guillemet emphasizes: “We are talking about the next generation, but I think it is already here and we cannot wait. This is what we need to prepare for the future.”
This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by the editorial staff of MIT Technology Review. This content was researched, designed and written by human writers, editors, analysts and illustrators. This includes writing surveys and collecting data for surveys. The AI tools that could have been used were limited to secondary production processes that underwent extensive human review.
By MIT Technology Review Insights