Governments and tech giants around the world are spending billions to fund quantum computing research. It’s easy to see why: the scientific and mathematical breakthroughs it promises are mind-blowing. Not without reason has the significance of quantum computing been compared to the harnessing of electricity.
There’s very clear motivation for driving quantum innovation. It could unlock growth, job opportunities and competitive advantage on a whole new scale, by offering a new way to solve – in microseconds – the problems that even the most powerful supercomputers today cannot. Yet in doing so, these computers could also open a Pandora’s Box that breaks the asymmetric, or public key, cryptography on which many enterprises, societies and entire digital economies rely.
The question is, how long is it before this vision becomes a reality, and how can organizations and governments transition to quantum safety?
From Theory to Practice
Quantum computing is based on the theory of quantum mechanics, pioneered in work by Albert Einstein that won him the Nobel Prize. To the untrained eye, it seems to defy logic.
"The future of cybersecurity will be quantum-based"
Quantum particles, also known as qubits, don’t behave according to the traditional rules of physics. They do strange things like existing in two places at once and travel forwards or backwards in time.
When applied to computing, these features get even more interesting. While today’s computers process and store information in zeros and ones, quantum computers use qubits, which can be a zero and a one at the same time. By encoding one and zero at the same time rather than sequentially, the time it takes to process data, make calculations and solve problems is greatly reduced. It is this capability that excites and dismays in equal measure. It could enable governments to unmask any asymmetric encryption algorithm in the blink of an eye, but also allows hostile states and possibly a few well-funded cybercrime groups to do the same to citizens and businesses.
A Step-Change in Security
According to William Dixon, head of future networks and technology at the World Economic Forum (WEF), quantum computing in this context could undermine the key exchanges, encryption and digital signatures that protect financial transactions, secure communications, e-commerce, identity, electronic voting and much more.
“If quantum computers were to become, for example, capable of breaking asymmetric cryptography before the digital ecosystem has achieved the necessary transition to quantum safety, it would create significant cybersecurity risks,” he tells Infosecurity. “Businesses and governments could be left unable to ensure the confidentiality, integrity and availability of the transactions and data on which they rely upon.”
This will mark nothing short of a significant step-change in cybersecurity, according to Nelson Balido of consultancy Balido & Associates.
“The future of cybersecurity will be quantum-based. The impact will be that the entirety of our cybersecurity networks in the US should and will be reliant on quantum technology,” he tells Infosecurity. “You will have to fight fire with fire. The only way we can ensure that our data is safe is by matching our systems to any potential threat and incorporate quantum computing into our encryption processes. Today’s computing power versus quantum is like walking versus a jet plane.”
Fortunately, researchers are working on ‘quantum-safe’ cryptography methods to counter the crypto-busting threat from quantum computing. As long ago as 2018, UK public-private partnership the Quantum Communications Hub announced an “unhackable” quantum-secured network using quantum key distribution. In this set-up, photons are used to transmit data encryption keys across fiber links and through the air. The sender is alerted if the stream is interrupted and it can then be scrambled.
"Today's computing power versus quantum is like walking versus a jet plane"
It’s also true that symmetric (rather than asymmetric) encryption should be able to cope with quantum computing advances. However, the relevant algorithms will require longer keys and hash functions to ensure quantum safety, which will make operational cryptography more complex.
The Road to Quantum Safety
Although NIST is working on a post-quantum standardization project, there will still be numerous implementation challenges to overcome, according to Dixon, even if quantum threats can be neutered.
“The transition to a quantum-secure architecture will not be trivial for the global economy, and both individual and collective governance of the transition will certainly be an issue. Shared infrastructures, interconnected systems and interdependent business models, like the industrial internet of things (IIoT) or distributed-ledger technologies, that are being rolled out across a range of industrial applications, have highly distributed models. It is not necessarily clear who is responsible for ensuring that they are made quantum-safe,” he argues.
“There is already some emerging disparities in approaches, where entities such as the National Cyber Security Centre in the UK are cautioning against moving to quantum-safe methods until the standardization process by NIST is completed. Yet some major enterprises are already moving forward to mitigate any potential long-term risk and implementing solutions despite this guidance.”
When is it Time to Worry?
However, there remain hurdles to continued progress. Current quantum computers are pretty small and ‘noisy’ – meaning qubits don’t remain stable and entangled for long to run calculations. To address the problem they need to be extremely cold – about 250-times colder than deep space – which comes with its own challenges. That said, companies including IBM, Google, D-Wave, Microsoft, Honeywell, IonQ and Rigetti are developing the hardware, while engineers around the world are building algorithms for use on these quantum machines, according to Forrester senior analyst, Chris Sherman.
The big question is: how far away are the kinds of scenarios painted above?
“CISOs must pay attention to performance metrics like ‘quantum volume’ and qubit numbers discussed by hardware vendors, since device performance is correlated with the likelihood of a quantum computing security threat,” Sherman tells Infosecurity.
“Organizations can determine their exposure to quantum risk using a simple formula. If the length of time needed to move to a new quantum-safe infrastructure, added to the amount of time existing vulnerable assets will be exposed, exceeds the predicted amount of time until a quantum computer will compromise cryptosystems, your risk is captured by the remaining exposure time.”
He claims it will take quantum computers around 15 years to crack Shor’s algorithm (and therefore asymmetric encryption). However, it could be even sooner: Google is planning to achieve a one million qubit computer within 10 years. According to WEF’s Dixon, for Shor’s algorithm to work on RSA 2048 encryption, it would require a sufficiently fault tolerant performance of just 6200 qubits.
“For many enterprises and industries with complex systems and sensitive data that have long life spans, this is actually a very short timeframe,” he argues.
What Should CISOs Do Now?
Given these relatively short periods, it’s essential that CISOs start planning now. Forrester’s Sherman argues that they should be conducting tabletop exercises to map exposure and estimate the value of corporate data to adversaries – re-evaluating risk every six to twelve months according to the formula outlined above. Five years hence, they should be utilizing quantum technology to secure sensitive networks and replace public key encryption systems, with a goal of making all encryption post-quantum safe in a decade, he adds.
Lux Research senior research associate, Lewie Roberts, claims an awareness campaign is needed to get CISOs to take the threat seriously.
“It will take some time for quantum computing developers to reach a point where some of the most interesting quantum algorithms will be possible to run, including those that we know will pose security threats. However, the near-term is still full of a lot of unknowns,” he warns Infosecurity.
“Everyone is figuring out what is possible with the currently available hardware, which is resource-limited. CISOs would do well to get up-to-speed on the known threats and consult with security vendors to make sure that there is a plan to cover these new attack vectors at the appropriate time. Vendors should partner with quantum information experts to make decisions about how soon specific protections need to be developed.”
"It will take some time for quantum computing developers to reach a point where some of the most interesting quantum algorithms will be possible to run"
In the end, the challenge for CISOs could be an age-old one: persuading senior business leaders to invest in mitigations now, when there’s still debate over exactly what the material impacts of quantum research will be and when they’ll occur. Industry and government partnerships will be vital to get the message across, argues WEF’s Dixon.
“A vital step will be building ‘quantum literacy’ at a leadership level, educating leaders on the development of quantum technology and the potential benefits and risks it could create for their organization and sectors,” he concludes. “It is important that the security community has a rational and balanced discussion about the potential risks and mitigations, especially when engaging senior leadership.”