The very foundation of cybersecurity is at risk as quantum computers become more advanced. The ability of threat actors to access otherwise secure digital communications and data is known as the “post-quantum threat.” This threat has been thoroughly covered by government agencies, in the media and by analyst firms over the past decade. This brief offers an update on the topic and outlines actions that organizations can take today given recent research breakthroughs.

Quantum Computing and its positive impact 

Quantum computing has transformative potential across many industries. In the pharmaceutical space, for example, it could significantly accelerate drug discovery. In finance, quantum algorithms could model market dynamics with unprecedented precision. Quantum computing could also generate innovations in material science, supply chain management and weather forecasting. Artificial intelligence, meanwhile, stands to benefit from this technology as it becomes capable of processing vast datasets far more efficiently than what today’s classical computers can achieve.

The urgency of the threat 

Several technical issues are currently limiting the scalability of quantum computing. If these are solved, we’ll witness a new era of computing that is more significant even than the recent rise of generative artificial intelligence. Within the next decade, or sooner, it’s possible that a quantum computer powerful enough to become a serious cybersecurity threat could be built.

A fully functional quantum computer capable of breaking current cryptographic systems is not yet a reality. The threat is imminent enough, however, to cause some to take action in anticipation of nation-state and other threat actors gaining access to quantum computing. The idea of hackers using a “harvest now, decrypt later” tactic poses an immediate risk. Adversaries could be collecting encrypted data with the purpose of decrypting it once quantum computing becomes sufficiently advanced.

This would especially affect sensitive data intended to remain confidential for many years, such as state and military secrets, proprietary research (from universities, government, corporations, etc.), health data and more. Organizations in industries such as finance, governments and verticals involved in critical infrastructure are beginning to plan for the threat.

Organizations like IBM, Google, and various vendors and consultancies are making significant progress towards a functional quantum computer. Recent research led by a team at Harvard University demonstrated promising new techniques for a far more scalable quantum computer (e.g., far more logical qubits operating on physical qubits). Their work could have the unintended side effect of dramatically accelerating the timeline of the post-quantum threat.

Getting ready, just in case 

In response to these challenges, the security industry, researchers and cryptographers are actively working on developing post-quantum cryptographic algorithms. These new algorithms are designed to be secure against both classical and quantum computing threats. The National Institute of Standards and Technology (NIST) in the United States is leading an initiative to standardize post-quantum cryptography. Their work will allow the flexible and scalable forms of encryption we need to continue to operate over the public internet.

Certain forms of encryption are more vulnerable to the quantum threat. Asymmetric encryption, the underlying form of encryption used for browsing, online shopping and doing most everything over the internet, is particularly vulnerable. This is because quantum computers could potentially solve the mathematical problems that asymmetric algorithms such as RSA rely on, such as factoring large numbers, which are currently not feasible for classical computers.

Symmetric encryption, on the other hand, appears to be more resistant to the quantum threat. Algorithms like the Advanced Encryption Standard (AES) are not based on the same mathematical problems as asymmetric algorithms. Symmetric encryption, however, does not have the scalability of asymmetric encryption, making it unsuitable for ecommerce and most common B2C and B2B use cases.

Transitioning to post-quantum cryptography is not just a technical challenge but also an operational and logistical one. It requires updating and replacing a vast array of technologies currently in use, including those embedded in our everyday lives, like web browsers, email servers, and virtual private networks (VPNs). The transition also involves a learning curve for cybersecurity professionals, who must familiarize themselves with the new tools and processes and with their implementation and operation.

In addition to quantum-resistant algorithms, techniques such as Quantum Key Distribution (QKD) can use the properties of quantum mechanics to secure communications.

As the quantum threat advances, your organization should consider the following actions:

  1. Quantum risk assessment: Start with a risk assessment to understand the potential impact of quantum computing on your organization's data security. This involves identifying sensitive data that could be at risk as well as understanding its lifespan. Consider how long data needs to be secure and whether it could be a target for future quantum attacks.
  2. Inventory of current cryptographic systems: Take inventory (and assess the capabilities) of your current cryptographic systems. This includes understanding which systems rely on quantum-vulnerable algorithms and key management. The goal is to identify where cryptographic changes are required and to prioritize the systems that handle the most sensitive information.
  3. Research and adopt Post-Quantum Cryptography (PQC): Start researching and gradually adopt post-quantum cryptographic algorithms (many of which will come by way of technology vendors). Keep up with emerging standards from NIST, which is in the process of standardizing PQC algorithms. Create a transition plan for migrating to post-quantum algorithms.
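
One way to start the risk assessment and inventory steps above, as an added example rather than code from the original brief: a triage over a constructed inventory that flags systems relying on public-key algorithms breakable by Shor's algorithm and raises their priority where long-lived confidential data creates "harvest now, decrypt later" exposure. The algorithm families beyond RSA, the 10-year horizon, the field names and the scoring rule are assumptions.

```python
from dataclasses import dataclass

# Public-key families breakable by Shor's algorithm (general knowledge;
# the brief itself names only RSA). AES and other symmetric ciphers are excluded.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "DSA", "ECDSA"}
# Uses where traffic recorded today can be decrypted later.
CONFIDENTIALITY_USES = {"key-exchange", "encryption"}

@dataclass
class System:
    name: str
    algorithm: str     # e.g. "RSA-2048", "AES-256"
    use: str           # "key-exchange", "encryption" or "signature"
    sensitivity: int   # 1 (low) to 3 (high), assigned by the assessor
    secret_years: int  # how long the data must stay confidential

def family(algorithm: str) -> str:
    """Strip the key size or curve suffix: 'RSA-2048' -> 'RSA'."""
    return algorithm.split("-")[0].upper()

def triage(systems, horizon_years):
    """Return (priority, name, reason) tuples, highest priority first.

    horizon_years is the assessor's assumed time until a cryptographically
    relevant quantum computer exists. The scoring is an illustrative assumption.
    """
    findings = []
    for s in systems:
        if family(s.algorithm) not in QUANTUM_VULNERABLE:
            continue  # symmetric algorithms are not flagged by this triage
        harvest = (s.use in CONFIDENTIALITY_USES
                   and s.secret_years >= horizon_years)
        priority = s.sensitivity * (2 if harvest else 1)
        reason = ("harvest-now-decrypt-later exposure" if harvest
                  else "quantum-vulnerable algorithm")
        findings.append((priority, s.name, reason))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

INVENTORY = [  # constructed sample data, not from the brief
    System("vpn-gateway", "RSA-2048", "key-exchange", 3, 15),
    System("web-store-tls", "ECDH-P256", "key-exchange", 2, 2),
    System("backup-archive", "AES-256", "encryption", 3, 20),
    System("code-signing", "ECDSA-P256", "signature", 2, 0),
    System("research-portal", "RSA-3072", "encryption", 3, 25),
]

if __name__ == "__main__":
    for priority, name, reason in triage(INVENTORY, horizon_years=10):
        print(f"{priority}  {name:16} {reason}")
```
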

Continue to monitor advancements in quantum computing and engage with the security community for best practices and emerging technology to stay ahead of potential risks.

Get ready for the opportunities and challenges of quantum computing

Quantum computing promises impressive breakthroughs in many aspects of industry and our daily lives, but it also presents a significant challenge to cybersecurity. As the advances in quantum computing accelerate, the need for robust post-quantum secure systems becomes more urgent. This transition requires monitoring and early efforts from government, industry and academia in order to develop secure cryptographic standards and implement them effectively.

While quantum computing has the potential to affect the very foundation of cybersecurity, we have time to approach this evolving field carefully and to make needed changes and updates.

David Senf is the National Cybersecurity Strategist at Bell Canada. Marcus Mesan leads the Enterprise Security Architecture team at Bell Corporate Security.