LMU computer scientist Dieter Kranzlmüller, Managing Director of the Leibniz Supercomputing Centre, about cybersecurity in the era of the first quantum computers – a portrait from our research magazine EINSICHTEN
On my way to our interview, I could have strolled right into your office and sat down at your desk. No security staff would have stopped me. Is there nothing at the Leibniz Supercomputing Centre that needs protecting with identity checks?
Kranzlmüller: Certainly, you would have got into my office. But this is not a critical zone. The most sensitive objects in my office are probably some documents or other. And they won’t be lying around on the desk; confidential papers must be filed away in a cabinet. You won’t be able to do anything with my computer keyboard because access is securely protected. So, getting into my office isn’t difficult. But you won’t get access to the server. Even I need my ID card to get in there. We’re the data center for the Bavarian Academy of Sciences and Humanities and for the Munich universities LMU and TUM. I can assure you that we take security very seriously.
LMU computer scientist and Chairman of the Board of Directors of Leibniz Supercomputing Centre (LRZ) Kranzlmüller: “I can assure you that we take security very seriously.”
Kranzlmüller: Not at all, and my regular key doesn’t work for the server area either. I need a special key that has to be issued to me. We have several security zones. For example, if we take the zone where the servers containing all the emails of the two Munich universities are housed, even I can’t just casually drop by. I need to get approval first. And on it goes: In the case of medical data – say, the data used in research – the hard drive is additionally encrypted. Even if somebody managed to enter this restricted area and extract the hard drive, it wouldn’t be of any use to them, because everything on the disk is encrypted. It’s like an onion, where we build up multiple layers.
Despite all this, hackers did breach the defenses of the Leibniz Supercomputing Centre.
Kranzlmüller: Yes, these things can happen. So you have to continually ask yourself: How can I prepare for such an eventuality? For example, the emails through which hackers gain access to a system are getting more sophisticated all the time. In the past, people would say: Look at all the horrendous spelling mistakes – that’s got to be written by a hacker. This is no longer the case, and so we’re continuously training our staff and raising their awareness of these issues. And the same goes for me: I’ve got to do further training as well. Our security experts deliberately set traps and I’ve got to see if I can spot them.
Any system that’s connected to the internet can be hacked. That’s just a fact. We have to prepare for it.
Prof. Dieter Kranzlmüller
What do you do when a Trojan breaches the defenses?
That sounds a bit fatalistic.
Kranzlmüller: Realistic is a better word. In everything to do with technology, people are often the vulnerable point. That is to say, the success of defenses depends on the awareness people have for the problems that can arise through interaction with the device. If the devices are left alone, nothing can go wrong. But the devices cannot always work in isolation. Some time ago, we had a Trojan horse in our system. An LRZ colleague and I got a blackmail email, which we didn’t treat seriously at first. Then the Federal Office for Information Security contacted us and said: You know you’ve got a problem there, right? We were then able to identify and neutralize the Trojan.
Does this mean that every attack eventually gets through?
Kranzlmüller: In the best case, no attack gets through, but you have to be prepared for an emergency. If ransomware infiltrates the system, for example, you should already have backed up a copy of the data in a different place. If hackers encrypt one area by means of a Trojan horse, then you can recover the backed-up data from the other, separate area.
The SuperMUC-NG at the Leibniz Supercomputing Centre. According to Kranzlmüller, it is “one of the most powerful computers in the world.” Despite its 27 quadrillion operations per second, it may soon not even be the fastest computer at decryption.
Couldn’t we just shield ourselves better from the outside world?
Kranzlmüller: The thing is, we’re all in constant communication with others online – and that’s how it’s supposed to be. We operate one of the most powerful computers in the world here, so that researchers from outside can use it for complicated calculations and simulations that cannot be done elsewhere. These scientists don’t work here on site, but access our computers remotely from their research institutions. If their computers aren’t adequately protected, the hackers get into our system through them. Unfortunately, this has happened in the past.
Doesn’t it keep you awake at night, knowing that it could happen again?
Kranzlmüller: My basic attitude is: Every system that’s connected to the internet can be hacked. That’s just a fact of life. There is no 100% protection. We have to prepare ourselves for it, so that in an emergency we can get things up and running again as quickly as possible.
Cyberattacks are increasingly being carried out by professional hackers, usually with the aim of blackmailing their victims, or state-organized cyberwarriors pursuing political objectives of destabilization.
Don't miss an EINSICHTEN issue! The E-paper subscription!
There are concerns that in times of war such as the present, it won’t be scientific institutions that will be hacked so much as power grids and hospitals. How justified are such worries?
Kranzlmüller: The danger is real. In the past few months alone, there have been numerous reports of cyberattacks, ransomware attacks, and security breaches. We need only think of the case in which an incapacitated satellite network resulted in the shutdown of communication with more than 3,000 wind turbines in Germany. Yet the wind turbines were actually just collateral damage. The goal of the Russian hackers was to disrupt communications in Ukraine. I hope that the operators of critical infrastructure have prepared properly, so that our water and power supplies and healthcare systems are capable of dealing with such attacks. The organizational and legal frameworks for this were laid down with the IT Security Act and the Critical Infrastructure Ordinance. I believe, however, that we’re lagging behind in this race in many respects.
How do you mean?
Kranzlmüller: Even here at the Leibniz Supercomputing Centre, we need a plan to deal with eventualities like power blackouts. I admit that this wasn’t always on our radar, as actually our power supply works just fine, you know? But seriously: How would we respond to a blackout? How would we secure the data? How would we get our systems, with all their dependencies, back up and running when the electricity returns?
So, you’re worried that a cyberattack could shut down the power supply to important facilities?
Kranzlmüller: As regards the power supply, I don’t see any acute danger yet, as conventional electrical engineering still plays a major role there. If we look at the incident on a railroad track in northern Germany in the fall of 2022, for example, the communications needed for the trains to keep running was not destroyed by cyberattack, but by somebody accidentally severing fiber optic cables. But of course the more digitally connected various structures become, the more the cyber danger grows. Cyberattacks are increasingly being carried out by professional hackers, usually with the aim of blackmailing their victims, or state-organized cyberwarriors pursuing political objectives of destabilization.
Now the Leibniz Supercomputing Centre not only has the SuperMUC-NG supercomputer, but also a quantum computer. It’s said that these computers are far superior to even the most powerful traditional computers. Are quantum computers able to crack any code you can throw at them?
Kranzlmüller: Yes, a quantum computer will one day be able to crack all common encryptions around today. If we picture a code like a four-digit combination lock for a bicycle, then I have to try out a maximum of 10,000 combinations to crack it. Our SuperMUC-NG can execute 27 quadrillion operations per second. Thus, the supercomputer can run through these 10,000 combinations in a flash and tell us how to open the lock. The quantum computer works using another method, which doesn’t try out the possibilities in very rapid succession, but in a single sweep, so to speak. As a result, it is 10,000 times faster than our supercomputer.
Latest generation: work on the quantum computer.
Among other things, the scientists are researching post-quantum security.
So a quantum computer can crack an online encryption for, say, telebanking? Or can access encrypted health data?
Kranzlmüller: In principle, yes. In telebanking, for example, the code works in much the same way as it does in combination locks – just that it’s much longer. But if I have a powerful quantum computer, then I can solve even this longer code in no time.
Does this mean that when quantum computers come of age, we can kiss secure encryption goodbye?
Kranzlmüller: That would be mistaken. We’re actually working on post-quantum security here – basic research to be more specific. First we need to know how the quantum computer works. Then we can try to develop an encryption that does not function like today’s encryptions. The question is thus: Can we build an encryption to which the quantum computer cannot apply its strengths?
And can you?
Kranzlmüller: Yes. We have approaches which use encryption techniques that do actually offer security against the processes of a quantum computer.
You’re researching quantum cryptography here at one of the largest scientific computing centers in Germany. Where else in the world are scientists working on this topic?
Kranzlmüller: I’d be willing to bet that they’re working on such quantum systems at the National Security Agency’s Utah Data Center in the United States. This is one of the largest computing centers in the world, 20 times bigger than we are. How the insights obtained there are used, we do not know. In addition to tech giants like IBM and research institutions, I’d also expect the intelligence agencies of all large countries to be investing heavily. Moreover, the American National Institute of Standards and Technology (NIST) recognized the problem and launched a competition for the standardization of quantum-computer-resistant cryptographic methods all the way back in 2016. The first techniques are now operational.
What will become of conventionally encrypted data?
Is it possible to explain to a non-computer scientist how such techniques work?
Kranzlmüller: It certainly can’t be explained as easily as our bike lock example. It works according to completely different principles that are steeped in higher mathematics.
And they make it possible to develop an encryption that would be safe from quantum computers?
Kranzlmüller: Yes, we’ve analyzed many methods to see whether we can crack it with the quantum computer. And with some of them, it does actually work. But we’ve also developed approaches that the quantum computer, it seems, cannot crack. But there’s another problem we have to consider. What happens when data encrypted with today’s methods is stolen and saved somewhere to be decrypted later? Let’s say a hard disk with medical data from a hospital or a company’s patents for innovative technologies. All this data would then be easy for data thieves to read in the future. Cryptologists refer to this as “store now, decrypt later.”
How big is the risk that in five or ten years, we’ll be at the mercy of an international cybercriminal mafia, or dictatorial regimes, which have used quantum computers to hack everything that is still encrypted today?
Kranzlmüller: I believe we can protect ourselves with suitable technical methods. I’m fundamentally optimistic in this regard. My worry is that, put crudely, the “bad guys” will be quicker off the mark with the new encryption techniques. We’re involved in a race. And even if we have post-quantum cryptography, the problem still affects all security-relevant data that we’ve encrypted before that point: All backups contain the old code and can therefore be attacked with the new methods. Even if we develop a secure method now, we still have to update and protect everything we’ve previously encrypted. So there’s much work to do – and quickly. We must not get caught napping.
Interview: Nikolaus Nützel
Prof. Dr. Dieter Kranzlmüller is Professor of Computer Science at LMU’s Chair of Communication Systems and Systems Programming. He is also Chairman of the Board of Directors of the Leibniz Supercomputing Centre (LRZ) at the Bavarian Academy of Sciences and Humanities (BAdW). Born in 1969, Kranzlmüller studied computer science at Johannes Kepler University Linz, where he also completed his doctorate. His career has included stints as an assistant and professor in Linz, as a lecturer at the University of Reading in England, and as a visiting fellow at Dresden University of Technology. Most recently, he worked as deputy project leader at the CERN center for nuclear research in Geneva, before joining the staff of LMU in 2008.
Read more articles from the current edition of "EINSICHTEN. Das Forschungsmagazin" in the online section and browse the issue archive. Or subscribe to EINSICHTEN free of charge and never miss an issue again (in german).