In 1999, the world was preparing for the potential fallout of Y2K. While the catastrophic predictions did not materialize, the extensive preparation ultimately ensured that world systems and services continued to operate. Technology leaders were not sure what to expect, but their knowledge of the timeline was exact.
Quantum computing poses the opposite problem. The potential danger to cybersecurity is clear, but the timeframe for when the threat will become real is uncertain. The parallel between the two is that, in both cases, organizations need to proactively ensure the next Y2K-type scenario is as uneventful as the first.
From Research Niche to Potential Disruptor of the Business World
Quantum computing is a fast-growing technology at the intersection of computer science and physics. It is capable of surpassing the classical computation we all know and use today. By improving the efficiency of computation through quantum mechanics, quantum computers can solve computational problems that a classical computer cannot. Research in the field of quantum computing is not new; the quest to bring quantum laws into computer science and develop functional quantum computers started in the late 20th century. Since then, significant contributions have been made by the scientific community to bring this technology to life.
In 1994, Peter Shor, a scientist at the Massachusetts Institute of Technology (MIT), proved that a quantum machine could break online encryption. This claim led to a surge of research in the field of quantum computing. It is believed that Shor’s approach requires machines that possess many hundreds of thousands of quantum bits – or qubits, the basic unit of quantum computing – and experts believe that such machines are years away from realization.
But just in the past two years, researchers have claimed that we may not be that far from the point when quantum computing will pose a serious threat to online encryption. One such claim was made in 2022 by a group of Chinese researchers who claimed that their method could be used to break the RSA algorithm, the most widely used method for securing communication over the internet, using a quantum machine with only 372 qubits.
Research experts believe that, while the approach used by the Chinese researchers seems theoretically possible, it may be difficult to put into practice. There are still questions about how fast the algorithm will run, which could put it well beyond the reach of present quantum technology. At the pace developments are happening in the quantum computing field, it is only a matter of a few years before the technology starts to disrupt the business world.
The Advent of Commercial Quantum Computing
Marking a breakthrough advancement at its Quantum Summit 2022, IBM unveiled a 433 qubit “Osprey” processor, which it made accessible for exploratory technical demonstration on its own cloud last year. You may wonder why these chipsets have strange numbers of qubits like 127 and 433. It is related to the “hex lattice” structure used by IBM to connect its qubits. Osprey is the fastest quantum computer known and has the potential to run complex computations that are well beyond the capability of any classical computer. IBM has plans to scale up its quantum systems to 4000+ qubits by 2025 and beyond.
Such developments present significant implications for businesses around the globe. As quantum computers become more powerful, organizations across industries must take steps to protect their systems and data from quantum computers that are capable of breaking today’s security standards. Solving a problem that might take hundreds of thousands or even millions of years to solve on a classical computer could take hours or even minutes on a large quantum computer. Quantum computing will have a significant impact on the encryption, hashing and public key algorithms we use today.
The Quantum Computing Cybersecurity Threat
As the commercialization of quantum technology advances, it is easy to imagine a scenario in which hackers or state-sponsored threat actors gain access to quantum computers and launch large-scale attacks on companies and governments around the globe. And since it is inevitable that quantum computing technology will eventually become functional, hackers may also begin to harvest data today in encrypted form and hold on to it until it can be decrypted. While harvesting for the future would be limited to data that does not lose its value with age, this threat alone should raise the level of urgency for any organization that has known vulnerabilities in its cyber policy.
It must be understood that any data for which security is based on mere difficulty in solving “hard problems” is under threat from hackers in possession of quantum computers. Organizations widely use public-key cryptography to secure email traffic, chats, digital signatures and cryptographic protocols such as SSL/TLS, SSH and HTTPS. Current public-key cryptography assumes that some problems may take extremely long to solve, but the advent of quantum computing severely challenges this assumption.
The markets affected will be initially in the IT and telecommunications industries. They will need to update a wide variety of software and hardware solutions, overlapping a wide series of verticals including BFSI, Energy, Healthcare, Utilities, Military and Defense and other public institutions.
How to Prepare for Quantum in 2024
To stay ahead of the curve, some organizations like multinational telecom giant Vodafone have already started exploring quantum-safe cryptography. Other organizations such as Microsoft, HP, Airbus, Volkswagen, Goldman Sachs and Intel have all started investing and engaging in the development of quantum computing and are exploring various use cases. While it may seem like quantum computing is still some years away from gaining large-scale application, the time to invest and prepare is now.
According to the European Telecommunications Standards Institute (ETSI), some security protocols and algorithms are considered safer than others. Symmetric key ciphers such as the Advanced Encryption Standard (AES) are considered quantum-safe for now, while public key ciphers like RSA are not. RSA encryption is used to encrypt online communication and remote connections, such as when we use a browser to connect to a website or log on to a website with a username and password. According to the World Economic Forum, breaking RSA 2048 cryptography would require 6,200 qubits to complete the task in about eight hours. Symmetric algorithms, such as AES, are considered safer as their key size can be increased to resist a quantum attack. But, because of the pace of development in quantum computing, we must remember that what is quantum-safe today may not be in the future.
Companies must be forward-looking and proactive in their approach to information security. Instead of focusing on how long it will take for a large-scale quantum computer to be built, companies should be evaluating how long their encryption will stay intact and how long it will take for them to make their existing IT infrastructure quantum-safe. If a sufficiently large-scale quantum computer is built before the existing infrastructure has been reconfigured and before certain categories of data become irrelevant or inconsequential, then the encrypted data will be vulnerable to a quantum attack.
Post-quantum cryptography (PQC) is already on top of the agenda for many public institutions. In January 2022, the U.S. administration published a Memorandum and Executive Order 14028, asking all federal administrations to prepare a PQC deployment plan in 2022. In July 2022, the National Institute of Standards and Technology (NIST) published a first final list of four validated PQC standards, one for a public key infrastructure (PKI) and three for a digital signature.
Security Actions Organizations Should Take Now
- Move toward being crypto-agile, i.e., be able to work with encryption keys of greater length and replace old encryption algorithms with the new quantum-resistant encryption algorithms (QRA) recommended by the NIST.
- Create an inventory of critical data that remain consequential for an extended amount of time and must be protected for a prolonged duration. For example, PII may be stolen now and decrypted once a sufficient quantum computer is available, leading to identity thefts in future.
- Review data inventories and define and implement robust data retention and deletion policies to limit exposure.
- Inventory all systems that use cryptographic technologies. Identify where and for what purpose public key cryptography is used and mark those systems as “quantum vulnerable.” Manage risk accordingly.
- Strengthen symmetric encryption by using keys that are twice as long as those used today to enable similar protection.
- Prioritize and replace systems with quantum-resistant cryptography based on whether the system is supporting critical infrastructure and what it is protecting, e.g., key stores, passwords, root keys, signing keys, PII, etc.
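The inventory, marking and prioritization steps above, together with the earlier comparison of data lifetime and migration time against the arrival of a capable quantum computer, can be run as a simple triage over a system inventory. The sketch below is an added example, not an ISG tool; the inventory entries, the scoring weights, the 128-bit target and the 10-year planning horizon are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

PUBLIC_KEY = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519"}  # breakable via Shor's algorithm
SYMMETRIC = {"AES"}
CRITICAL = {"key stores", "passwords", "root keys", "signing keys", "PII"}  # from the list above
MIN_PQ_BITS = 128  # assumed target strength once Grover's search halves the key length

@dataclass
class System:
    name: str
    algorithm: str
    key_bits: int
    protects: str
    shelf_life_years: int  # how long the protected data stays consequential
    migration_years: int   # how long replacing the cryptography would take

def assess(s, years_to_quantum):
    alg = s.algorithm.upper()
    if alg in PUBLIC_KEY:
        status = "quantum vulnerable"
    elif alg in SYMMETRIC:
        status = "ok" if s.key_bits // 2 >= MIN_PQ_BITS else "double key length"
    else:
        status = "review manually"
    # Harvest-now, decrypt-later: data captured before migration finishes is
    # exposed if it still matters when a capable quantum computer exists.
    exposed = status != "ok" and (
        s.shelf_life_years + s.migration_years > years_to_quantum)
    priority = {"quantum vulnerable": 2, "ok": 0}.get(status, 1)  # assumed weights
    priority += 2 if exposed else 0
    priority += 1 if s.protects in CRITICAL else 0
    return {"name": s.name, "status": status, "exposed": exposed, "priority": priority}

def triage(inventory, years_to_quantum):
    results = [assess(s, years_to_quantum) for s in inventory]
    return sorted(results, key=lambda r: (-r["priority"], r["name"]))

# Constructed sample inventory (hypothetical systems, not real data).
INVENTORY = [
    System("session-cache", "AES", 256, "session tokens", 0, 1),
    System("customer-portal-tls", "RSA", 2048, "PII", 10, 3),
    System("backup-archive", "AES", 128, "PII", 15, 1),
    System("code-signing", "ECDSA", 256, "signing keys", 5, 4),
    System("build-logs-vpn", "RSA", 3072, "build logs", 1, 2),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, years_to_quantum=10):  # 10 is a planning assumption
        print(row)
```

Re-running the triage with a shorter horizon shows which systems move into the exposed group first, which is the question the migration plan has to answer.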
Before large-scale quantum computers are built, organizations must migrate their systems and practices to ones that cannot be broken by quantum computers. ISG helps enterprises take proactive steps to assess their vulnerability to quantum computing, invest in post-quantum cryptography and formulate their quantum security strategies.