Why diversification leads to a better financial return and better encryption

Organizations spend enormous amounts of time and money on reducing single points of failure and diversifying risk, whether that be within our own portfolios or across supply chains. Without diversity of thought and process, we create single points of failure, from the relatively benign to the catastrophic. 

Examples of single points of failure can be seen in our everyday lives. The U.S. baby formula market is so concentrated that the closure of a single factory threw the entire nation into crisis. The Germans used an “Enigma” encoding machine throughout WWII that had been previously broken by the allies in 1939, thank you, Alan Turing. This left all of the supposedly encrypted messages readable. Unarguably, however, this single point of failure had some very positive externalities. 

In cybersecurity, it’s in our blood to reduce single points of failure, with the exception of encryption. Poor implementations of cryptographic suites that are meant to protect our networks are the primary means for breaking encryption of captured traffic. So are certificates captured through brute-forced passwords and cryptography due to insufficient entropy used to generate random numbers. 

We are connected in ways thought unimaginable at the turn of the century, let alone back in the 1970s when public key encryption was first introduced by Diffie-Hellman. And now, we are undergoing the largest cryptographic migration in the history of computing.

Countering future threats to encryption

This year, the National Institute of Standards and Technology (NIST) is expected to finalize its shortlist of quantum-safe encryption algorithms and standards designed to resist the threat of quantum computers. The final NIST selection process is only the beginning of this decade-long cryptographic transition, one that is certain to be fraught with challenges and unforeseen risks. 

As we begin this massive undertaking, we should look to lessons learned from diversification to reduce risk. In investing, we look at risk in two ways: systematic risk, associated with the market in its entirety, and idiosyncratic risk, specific to one firm, for example. 

We use diversification to smooth out, or eliminate, idiosyncratic risk by minimizing risks to maximize returns. By mixing assets that don’t move in lockstep, we can reduce risk without sacrificing returns. We are always seeking that elusive efficient frontier, the outrebound of how much return you can get for any level of risk. By mixing encryption technologies and approaches, we can do the same.

The security industry often thinks in terms of crypto-agility, but agility requires us to know when we’ve been hacked or that an algorithm has been defeated. I’d venture to guess that a nation-state actor isn’t going to raise its hand when that’s been done. So, we’re often left guessing.

Agility means diversification

Let’s think about agility another way. I purchased Peloton stock right when Mr. Big, a “Sex in the City” character, had a heart attack after his workout. Since then, the stock lost 75% of its value. Great.  

I can be agile, so I’ll swap out my tanked Peloton stock for Splunk, but the damage has already been done. Instead, I should have looked to diversify my investments across asset classes, companies, industries and geographies. Had I done that instead of buying Peloton stock, I’d only be down 30% instead of 75%.  

The same goes for encryption. Rainbow, a NIST post-quantum algorithm finalist, and one of the most peer-reviewed, fell to an IBM researcher who “broke it over a weekend with a laptop.” Subsequently, and obviously, it lost nearly all its value. It’s not enough to just swap out a Rainbow post-quantum algorithm for Dilithium. Rather, I would be better served by diversifying my encryption using out-of-band key delivery that allows multiple paths for the key and data to flow, and a range of algorithms and keys to be used. I thus minimize the impact of a single strategy or algorithm failing. 

Our journey with encryption is similar to the beginning of the mercantile period’s physical commodities trade. At first, we mined gold and put it all on one boat to ship across the sea. When the boat sank, all of the gold was lost. The next time, we split the gold up and put it on multiple boats, but used the same shipping route, so all the boats still sank during one bad storm. So we split the gold up, put it on multiple boats that left at different times and used multiple shipping routes. 

Similarly, I can take my encryption key, generated with multiple blended sources of entropy, break it up, send it down multiple paths independent from the data path, protect it with different post-quantum algorithms and use different mediums to get it there, from fiber, to subsea cable, to satellite, while you send the data over 5G.  

Many believe the risk of encryption failing due to advances in computing is systemic. If a nation-state builds a quantum computer strong enough to break encryption, then the entire system fails, and “hey, that’s not on me!”  But CISOs have the never-ending and unenviable task of managing their organization’s risk.

While we will never achieve perfect security, we can carefully choose what security measures “diversify away” risk in the most efficient and cost-effective way possible. Remember that encryption risk is idiosyncratic, not systemic, and idiosyncratic risk can be diversified away. 

If I’d put $100,000 of my savings into Bitcoin last November, I’d only have $26,000 today. If I took my standard approach, $10,000 in bonds, $10,000 in a Cheez-It box, $10,000 in a bank account that I can’t remember the password to and the rest spread across the S&P 500, I’d probably still have $85,000, even in this downturn. 

More diverse teams lead to more successful outcomes. Diversification in investing produces better risk-adjusted returns. Diversifying encryption strategies leads to better security, so that we all don’t wake up one day to find that our encryption has been Mr. Big’d.

Holly Neiweem is Chief Financial & Operating Officer at Quantum Xchange