Quantum resilience is not science fiction – it’s an imperative
For years now a future-focused cadre of cybersecurity experts has dedicated itself to understanding, combatting, and raising the alarm about the security risks that will come with the arrival of quantum computing. In spite of their hard work, though, most enterprises still see ‘quantum computing’ as a nebulous term sitting somewhere in that fuzzy area between science fiction and reality. Maybe scientists are hard at work on it, they seem to think, or maybe it’s just something for writers to speculate about – but either way, it’s not something they’re investing time or money into.
That needs to change, and fast. If there’s a single thing that every business needs to know about quantum computing from a security perspective, it’s this: while modern cryptography would take centuries to be broken by a conventional computer, a quantum one will be able to do so in hours or minutes. That means that every customer record, every payment detail, every trade secret, and every personal conversation will be accessible if it falls into the hands of someone with access to quantum computing.
The countdown to quantum is on
Such technology is not, as far as we know, here yet. While some have claimed breakthroughs in decrypting information using quantum tools, those claims have been met with significant scepticism. However, the wise money says that ‘Q-day’ – that is, the turning point when quantum computers become viable enough to challenge conventional ones – will arrive within two decades, and possibly as soon as 2030.
To some, that will still feel like a distant issue. Security experts, on the other hand, are well used to factoring in the significance of a problem, as well as its likelihood and immediacy, when making decisions. A single open vent on the surface of the Death Star is perhaps not such a big problem; one that blows up the entire station if a missile is shot into it certainly is. A high chance of losing all data control in a decade’s time is something that calls for major collective action.
Behind the scenes, important steps are being taken to enable quantum-resistant security strategies ahead of Q-day. Leading the charge on these efforts is the US National Institute of Standards and Technology, which is expected to finalise a set of post-quantum cryptography standards in 2024. Initiatives are also emerging in industry to apply quantum computing principles to organisational security, essentially using the power of quantum to protect against quantum decryption.
This high-level research and development activity does not, however, mean that businesses should simply take comfort that the problem is being addressed and then carry on as usual. For one thing, putting these developments into action in your own organisation will require new practices around cryptographic agility: the ability to adopt new security standards at pace, across systems, as the security context evolves.
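The cryptographic agility described above, shown as an added example that is not from the original article: a record format that tags every protected blob with the identifier of the suite that produced it, so a newer suite (a post-quantum one, once the standards land) is a single registry entry away and legacy records can be inventoried and re-protected without a flag day. The suite registry, its names and the HMAC integrity tags standing in for full cipher suites are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed suite registry: id -> (name, digest, key length, status).
# 128-bit symmetric keys are what Grover's algorithm effectively halves,
# so moving to 256-bit keys is a typical agility step; a future suite is
# added here without touching any record already stored.
SUITES = {
    1: ("hmac-sha256/key128", hashlib.sha256, 16, "deprecated"),
    2: ("hmac-sha256/key256", hashlib.sha256, 32, "current"),
}
CURRENT_SUITE = 2
HEADER = struct.Struct("!BH")  # suite id, payload length

def protect(suite_id, key, payload):
    name, digest, key_len, _ = SUITES[suite_id]
    if len(key) != key_len:
        raise ValueError(f"{name} needs a {key_len}-byte key")
    header = HEADER.pack(suite_id, len(payload))
    # The header is covered by the tag, so the suite id cannot be downgraded.
    tag = hmac.new(key, header + payload, digest).digest()
    return header + payload + tag

def verify(keys, blob):
    """keys maps suite id -> key. Returns the payload or raises ValueError."""
    suite_id, length = HEADER.unpack_from(blob)
    if suite_id not in SUITES:
        raise ValueError(f"unknown suite {suite_id}")
    _, digest, _, _ = SUITES[suite_id]
    body, tag = blob[:HEADER.size + length], blob[HEADER.size + length:]
    expected = hmac.new(keys[suite_id], body, digest).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return body[HEADER.size:]

def inventory(blobs):
    """Posture check: records per suite name, with that suite's status."""
    counts = {}
    for blob in blobs:
        counts[blob[0]] = counts.get(blob[0], 0) + 1
    return {SUITES[s][0]: (n, SUITES[s][3]) for s, n in counts.items()}

def migrate(keys, blob):
    """Re-protect a legacy record under the current suite."""
    return protect(CURRENT_SUITE, keys[CURRENT_SUITE], verify(keys, blob))
```

Running `inventory` over a data store is the quantum-aware posture check the next section calls for; `migrate` is the per-record transition step.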
There is also a growing risk of “harvest now, decrypt later” attacks. As Q-day draws nearer, it will become more tempting for criminals to speculatively acquire encrypted data and hold onto it until they can crack its code. While the value of stolen information certainly diminishes with age, great harm could still be wrought with years-old data, and security postures need to be ready for this emerging threat. Policies around loss of encrypted data will need to change in the short term, as we can expect DPA and GDPR regulation to start treating these events as data loss events, which, as we near Q-day, will surely start to attract fines.
To get ready for the change, all organisations need to start taking deliberate steps towards quantum resilience.
Three steps to Q-day readiness
The first step is to add an aspect of quantum-awareness into the security posture assessments which should form the basis of any cybersecurity planning. In the process of analysing an organisation’s exposure to risk, testing its security implementation, and reviewing its IT budgets, the consequences of Q-day should already be in the picture. Understanding the regulatory, financial, and reputational impact of decryption is essential to assigning proper resources to the response.
With that analytical foundation in place, the next step is about internal communication and awareness-raising. Organisational change is always a big task, and quantum education should span both the leadership roles that will need to make budgetary and personnel decisions and the workers who will need to shift their routines towards quantum-safe behaviours in the future. At the same time, remember that quantum computing offers opportunity as well as risk, so take a holistic approach that enables smart decisions to be made when the time comes.
Finally, start designing a quantum-safe strategy – and a transition plan to get there – as early as possible. There will be interdependencies between systems that pose a roadblock when moving to new cryptographic standards. Some technology may no longer be supported in the new strategy and will need to be decommissioned and replaced. Implementations of new standards will demand testing and validation before they go live. Knowing how and where these issues will arise today is what will make it possible to react efficiently and effectively tomorrow.
The stories that get told about future technology are often, and for good reasons, starry-eyed and excitable in their tone. We shouldn’t let the starriness and speculation blind us to the pragmatic certainties at hand. We don’t know when exactly Q-day will come – but it is coming, and the time to prepare for it is now.