The Quantum Conundrum: Navigating the Next Big Leap Forward

Quantum computing, once a theoretical concept, is rapidly becoming a reality. These powerful machines have the potential to solve problems that traditional computers can't handle, utilizing quantum mechanics to tackle challenges beyond the scope of current technology.

The Annual Review 2024 from the UK’s National Cyber Security Centre (NCSC) rightly highlighted the need for organizations to start preparing now for the transformative, yet potentially disruptive, possibilities of the quantum era. But what does this mean for security leaders?

If quantum computers become powerful enough, the breakthrough they could provide also poses a serious risk to the cryptographic systems safeguarding our online communications and sensitive data. In the wrong hands, quantum computing could compromise the privacy and security of digital communications across industries.

Malicious actors are already stockpiling encrypted data, waiting for quantum technology to mature. A sufficiently powerful quantum computer could unlock the secrets within this data, jeopardizing the lifeblood of organizations, including intellectual property, trade secrets and confidential communications.

Fortunately, the solution comes in the form of post-quantum cryptography (PQC), a set of alternative cryptographic systems designed to resist quantum attacks. Google began testing PQC in Chrome in 2016, and we have been using PQC to protect internal communications since 2022.

This summer the US National Institute of Standards and Technology (NIST) published quantum-safe cryptographic standards and in November suggested a transition timeline with target dates to retire some of today’s public-key cryptosystems by 2030 and at the latest by 2035.

How to Address the Quantum Risk

While the quantum threat may not feel imminent, we expect new regulations across various industries, and thus we need to shift into the next gear.

Concretely, this means taking the following steps to reduce risks, build resilience, and ensure your organization is ready to face the quantum era head-on.

Develop a Clear Plan for Quantum-Safe Security

Transitioning to PQC doesn’t have to be an all-at-once effort. Past experience shows that cryptographic migrations can take years. CISOs, CIOs and CTOs should collaborate to develop a roadmap for implementing quantum-resistant cryptography. This plan should balance cost, risk and usability while ensuring the new algorithms integrate seamlessly into existing systems.

Building expertise is critical to separating genuine advancements in quantum computing from exaggerated claims. Stay informed by consulting industry best practices, academic research and reputable resources.

Identify and Protect Your Most Sensitive Data

Begin by assessing the data and systems most at risk from quantum threats. These include all systems using asymmetric encryption and key exchange, which are prone to store-now-decrypt-later attacks, and systems using digital signatures, such as PKI, software/firmware signatures, authentication mechanisms and a few others. Google's quantum threat analysis can serve as an example of how to determine which changes should be addressed first.

Anticipate System-Wide Ripple Effects

Moving to post-quantum cryptography can have downstream effects on other systems. For example, larger cryptographic signatures may require significant updates to databases, software and applications. Think of this challenge as similar to Y2K, where structural changes to accommodate new data formats had widespread implications. Identifying these dependencies early can streamline implementation and avoid disruptions.

Learn from Experience

Reflect on how your organization has tackled previous cryptography-related challenges, such as the Heartbleed vulnerability in TLS and retiring SHA-1. Understanding what worked well – and where improvements are needed – can guide the approach to PQC adoption. Consider conducting a tabletop exercise with leadership teams to simulate the complexities of migrating cryptographic systems and outline the necessary steps.

Conclusion

The timeline for a quantum breakthrough remains uncertain. Whether it’s five, 10 or 15 years away, preparing for it is a significant but necessary task. With NIST’s new PQC standards in place, regulators, governments, customers and auditors are likely to question your organization about its PQC plans. By acting early, you can ensure a smooth transition to quantum-resistant cryptography and stay ahead of evolving expectations.
