Quantum computing has the ability to solve problems with greater speed and accuracy than today’s digital computers. A potential downside, however, is the threat the technology could pose to existing cybersecurity tools and practices.
“While the benefits unlocked by quantum computing are expected to be substantial, many current-day cryptographic security standards—the standards built into the foundation of our global digital economy—will be susceptible to ongoing attacks on quantum computers,” Colin warns. Souter, US cyber quantum preparedness leader at business advisory firm Deloitte and Touche, as well as a platform fellow with the World Economic Forum’s Quantum Security Project. “This threat challenges both governments and commercial organizations,” he notes.
Instead of bits, the basic units of information in digital computing and communications, quantum computers use qubits that allow a variety of algorithms to be used. Shor’s AlgorithmFor example, large numbers would allow factoring, effectively breaking public key encryption, such as RSA, which is used to protect data at speed, says Konstantinos Karagiannis, director of quantum computing services at business consulting firm Protitivity.
Another major algorithm, Grover’s AlgorithmEnables faster searches, which can open the door to brute-force attacks against some encryption methods used for data at rest.
The types of encryption threatened by quantum computing are widely used in all industries. “As a result,” notes Karagiannis, “the threat footprint is nearly global.”
Today’s Internet is based primarily on public-key encryption standards that are vulnerable to quantum-based attacks, so the potential catastrophic impact is huge, Souter observes. “Furthermore, it is believed that sophisticated threat actors today are intercepting and collecting encrypted data so that they can later decrypt it using quantum computers in harvest-now decrypt-letter (HNDL) attacks,” he adds.
As quantum computing gains the ability to attack cryptography in the form of a cryptographically relevant quantum computer (CRQC), enterprises should immediately begin considering the possibility. “If you accept that there is a limited chance that CRQC will exist in the next decade, are you confident that it will not take longer than that to establish fully resilient organizational cryptographic management?” Carpenter asks.
Karagiannis explains that a major warning sign comes when a quantum computer reaches about 4,000 error-correct qubits. “RSA will be 2048 [then] Be vulnerable to attack, meaning all secure transmissions using ciphers are reversible to plaintext,” he says. “Nation-state threat actors can exploit this. [opportunity] To obtain sensitive secrets, and well-funded criminal organizations can commit massive fraud and theft.”
A sufficiently capable quantum computer could also pose a significant risk to the world’s financial security since most global financial activities depend on secure cloud transmission and storage. “As the US National Security Agency has explained, without effective mitigation the effects of adversarial use of quantum computers could be catastrophic for the world. N.S.S and our nation, especially in situations where such information must be protected for decades,” says David Criss, a consultant at security software firm Theon Technologies and former assistant attorney general for national security.
Countdown to destruction
Enterprises should immediately begin preparing for what some observers are calling “Y2Q.” “It’s the first time we know a zero-day vulnerability is coming and can start planning,” says Karagianis. He suggests that organizations should examine their crypto agility as well as their ability to execute New Ciphers The US National Institute of Standards and Technology (NIST) is working on finalizing it by 2024. “A lot of legacy systems need to be removed without an upgrade path,” warns Karagiannis. “This kind of reform takes time and needs to start now to prevent future leaks.”
Enterprises must be proactive in strategy planning and execution, Souter says. “Practicing overall good cyber hygiene is key, including things like cultivating data governance and creating cryptographic inventories.” He advises security leaders to work with C-suite colleagues and other enterprise leaders to spread awareness and gain support. “This can help to not only integrate quantum cyber preparedness strategies. [plans] with broader enterprise-wide risk management efforts.”
As quantum security threats grow, cryptographers around the world are focusing on developing next-generation quantum computer-resistant PK algorithms, says Murat Kantarcioglu, a computer science professor at the University of Texas at Dallas. The race is fierce. “NIST is running various competitions to develop standards,” he says.
Souter emphasizes the importance for enterprises of all types to begin working immediately to position themselves for quantum cyber readiness. “Failure to prepare for the quantum transition can open organizations up to security threats and lead to a hasty, ad hoc response,” he warns. “Given the breadth of organizational networks and supply chain dependencies, a systematic risk-prioritized approach is highly preferred.”
What to read next:
Quantum Compute Report Card: ‘We Need More Machines’
The Long Road to Quantum: Are We There Yet?
Why IT trends are so difficult to accurately predict