Quantum computing used to be in the realm of imaginative technology of the future reserved only for sci-fi movies. However, the future is not so far away anymore, which is a problem when it comes to quantum computing and its associated security risks. Quantum computers will be 158 million times faster than the most sophisticated supercomputer today at solving complex computations in a trivial amount of time that ‘classic’ computers may take many years to complete.
In fact, a quantum computer can do in four minutes what it would take a traditional supercomputer 10,000 years to accomplish. Much of the encryption used to secure sensitive data today relies on this time discrepancy, utilizing complex math problems that ‘classic computers’ can easily calculate in a forward direction, but aren’t able to decipher in reverse. This includes the concept of factorization, which is used in most symmetric encryption. Quantum computers, however, can solve these problems rapidly, enabling them to decrypt otherwise inaccessible data.
While quantum computers with capabilities that could be leveraged for widespread use are not commercially available yet, within the next 5-10 years, they likely will be, making quantum technology a very real threat to encryption algorithms that rely on asymmetric encryption. Soon enough, top secret and secure data could be widely available on the Dark Web, chat forums and beyond. The implications of this are very concerning in both the public and private sectors, considering the amount of sensitive and classified data they hold.
In the near term, the most relevant (and arguably the most dangerous) threat is the disclosure risk of nation-state-level secrets. In the public sector, classified and top-secret government documents and intelligence are vulnerable to encryptions that can be broken by quantum computers and typically remain classified for long periods of time. Communications involving classified information are likely already being captured, even if bad actors cannot currently decrypt them. This ‘capture now break at leisure’ ethos creates a daunting fate down the road as quantum will be able to compromise this pre-captured traffic with ease.
In a memorandum from the White House published in May 2022, the Biden administration highlighted that amongst quantum’s vast applications for positive innovation lies a “threat to the public-key cryptography used on digital systems across the United States and around the world in essential industries.”
For the private sector, trade secrets, intellectual property, financial data and more – not to mention much of our nation’s critical infrastructure, which is supplied via the private sector – are at the same risk if a bad actor gets their hands on quantum computing capabilities.
Communications and internet service platforms will need to move first to ensure the interoperability of systems and to protect the deployed infrastructure based on PKI certificates that will become vulnerable. Even personal user data is at increasing risk as quantum technologies become more available.
It is clear that in the race to defend against the immense security risks of quantum computing, we, as the defenders, are behind. Quantum is making leaps forward in capability and narrowing the time to the commercial market, and the cyber industry is lagging considerably behind – but it is not too late to be the tortoise that beat the hare.
The security profession, especially nation-state security services, has long recognized the potential threat that quantum computing brings and is beginning to develop quantum-resilient algorithms that will provide the requisite protections. One of the global leaders in this effort is the National Institute of Standards and Technology (NIST) in the United States, which is running competitions to select quantum-safe/post-quantum crypto algorithms.
In July 2022, NIST announced its first four quantum-resistant cryptographic algorithms. However, with an early frontrunner algorithm failing against traditional computers, selected algorithms must be resilient to both classic and quantum computers. Additionally, in December 2022, President Biden signed the Quantum Computing Cybersecurity Preparedness Act into law to prioritize federal agencies’ acquisition of and migration to IT systems with post-quantum cryptography. Similar efforts are taking place in Europe with the ETSI’s post-quantum focus. Future product development will have to utilize these quantum-resilient algorithms and be designed for this new reality. Additionally, existing products and infrastructure will need to be updated as these algorithms are released.
While government agencies should continue to provide guidance and take action to prepare for a post-quantum world, education across the security industry and beyond is imperative in the race against the complex cyber challenges brought about by quantum. Upleveling the workforce’s understanding of quantum across the public and private sectors should be a concerted effort. Education should spotlight quantum’s capabilities to develop new product categories and solve complex problems while emphasizing the potentially devastating risks we must be prepared to thwart.