Quantum computing has the potential to solve problems with far more speed and accuracy than today's digital computers. A possible downside, however, is the danger the technology could pose to existing cybersecurity tools and practices.
“While the benefits unlocked by quantum computing are expected to be substantial, many current-day cryptographic security standards -- standards that are built into the foundation of our global digital economy -- will be susceptible to attacks running on quantum computers,” warns Colin Soutar, US cyber quantum readiness leader at business advisory firm Deloitte & Touche, as well as a platform fellow with the World Economic Forum’s quantum security project. “This threat challenges both government and commercial organizations,” he notes.
Instead of bits, the basic units of information in digital computing and communication, quantum computers use qubits that allow the use of different types of algorithms. Shor’s algorithm, for instance, will allow the factoring of large numbers, effectively breaking public key encryption, such as RSA, which is used to secure data in motion, says Konstantinos Karagiannis, director of quantum computing services at business consulting firm Protiviti.
Another key algorithm, Grover's algorithm, enables faster searches, which could open the door to brute-force attacks against some encryption methods used for data at rest.
The types of encryption threatened by quantum computing are widely used across all industries. “As a result,” Karagiannis notes, “the threat footprint is nearly universal.”
Today’s internet is primarily based on public-key encryption standards that are vulnerable to quantum-based attacks, so the potential destructive impact is immense, Soutar observes. “Further, it's believed that sophisticated threat actors are intercepting and collecting encrypted data today so they can decrypt it later using a quantum computer in harvest-now decrypt-later (HNDL) attacks,” he adds.
Regardless of exactly when quantum computing will gain the ability to attack cryptography in the form of a Cryptographically Relevant Quantum Computer (CRQC), enterprises should begin considering the possibility immediately. “If you accept that there's a finite chance that a CRQC will exist in the next decade or so, are you confident enough that it won’t take longer than that to establish fully resilient organizational cryptographic management?” Soutar asks.
Karagiannis points out that a key warning sign will arrive when a quantum computer reaches about 4,000 error-corrected qubits. “RSA 2048 will [then] be vulnerable to attack, which means all secure transmissions using the cipher will be reversible to plaintext,” he states. “Nation-state threat actors could use this [opportunity] to obtain sensitive secrets, and well-funded criminal organizations could commit massive fraud and theft.”
A sufficiently capable quantum computer could also pose significant risks to the world's economic security since most global financial activity depends on secure cloud transmissions and storage. “As the US National Security Agency has explained, without effective mitigation the impact of adversarial use of a quantum computer could be devastating to the NSS and our nation, especially in cases where such information needs to be protected for many decades,” says David Kris, an advisor with security software firm Theon Technology and a former assistant Attorney General for National Security.
Countdown to Catastrophe
Enterprises should immediately begin preparing for what some observers are now calling “Y2Q.” “This is the first time we know a zero-day vulnerability is coming and can begin to plan,” Karagiannis says. He suggests that organizations should examine their crypto agility as well as their ability to implement the new ciphers that the US National Institute of Standards and Technology (NIST) is working on finalizing by 2024. “Many legacy systems without upgrade paths will need to be removed,” Karagiannis warns. “This kind of revamping takes time and needs to begin now to prevent the leaking of secrets in the future.”
Enterprises should be proactive in strategy planning and implementation, Soutar says. “Practicing overall good cyber hygiene is key, which includes things like cultivating data governance and creating cryptographic inventories.” He also advises security leaders to collaborate with C-suite colleagues and other enterprise leaders to spread awareness and gain support. “This can help to not only drive quantum cyber readiness strategies, but also integrate [plans] with broader enterprise-wide risk management efforts.”
As the quantum security threat looms, cryptographers worldwide are focusing on the development of next-generation quantum computer-resistant PK algorithms, says Murat Kantarcioglu, a computer science professor at The University of Texas at Dallas. The race is fierce. “NIST is running many different competitions to come up with the standards,” he says.
Soutar stresses the importance for enterprises of all types to immediately start working toward a state of quantum cyber readiness. “Failing to be prepared for the quantum transition can open organizations to security threats and may lead to a hasty, ad hoc response,” he warns. “Given the breadth of organizational networks and supply chain dependencies, an orderly risk-prioritized approach is much preferred.”