Last Updated on September 27, 2024
Quantum computing is a world-changing emerging technology that exploits the laws of quantum physics to solve complex problems much faster than conventional binary computers. While promising many benefits, quantum computing advances will soon create a catastrophic cybersecurity risk—enabling cybercriminals to break current public key encryption systems and view encrypted data at will.
While the exact timeline of quantum computing’s emergence is unknown, it is certainly close. Businesses and government entities across the globe need to prepare now for a quantum computing attack that could come at any time.
What is a quantum computer?
Quantum computers generate massive processing power by applying the laws of quantum physics. Using specialized hardware under extremely cold conditions, quantum computers leverage the ability of physical matter to behave like both a particle and a wave.
In traditional computing, the basic operational unit is the binary digit or bit, which can represent either zero or one. Quantum computing is based on the qubit, which can represent 0, 1, or a combination of 0, 1, and all the possibilities in between at the same time— a state called a quantum superposition.
To solve complex problems involving multiple variables, traditional computers must recalculate the equation each time a variable changes. The approach is deterministic, with each calculation representing a linear path to a single result.
But quantum computers use the wave-like properties of qubits to interfere and amplify or cancel each other, deriving a solution by measuring amplitudes of probability. This ability to leapfrog conventional computation’s “brute force” approach makes quantum computers orders of magnitude faster at solving certain problems.
For example, a conventional computer would need 300 trillion years to decrypt an RSA 2048 prime number factor encryption key, while a 4,099-qubit quantum computer could theoretically do it in about 10 seconds.
Why do quantum computers put encrypted data and transactions at risk?
Current cryptographic systems can protect sensitive data from even the most sophisticated and determined attackers using traditional computers. But none of them will withstand quantum attacks. It is only a matter of time before quantum computers become powerful enough to make this scenario a reality.
Meanwhile, cybercriminals may already be hard at work preparing for that eventuality. Applying a hypothetical strategy called “harvest now, decrypt later” or retrospective decryption, highly sensitive data could be acquired and stored for later quantum decryption.
The time when this wholesale decryption becomes possible is popularly referred to as Y2Q or Q-Day. At that juncture, any data that adversaries have exfiltrated before it could be re-encrypted with quantum-safe techniques could be decrypted at any time. The competitive, economic, and national security implications of these hacks might not be felt for years.
Major cryptographic standards that will break under future quantum attacks include:
- RSA encryption
- Digital Signature Algorithm (DSA)
- Advanced Encryption Standard (AES) 256
- Secure Hash Algorithm (SHA) 256
- SHA-3
Organizations whose data has long-term value or relevance are most at risk from early Y2Q attacks, and many are already interested in a post-quantum strategy. These include critical infrastructure verticals like government, finance, defense, and healthcare.
What is the timeline for quantum cyber threats?
Nation state research institutions, universities, and major technology companies are collaboratively developing quantum computing technology at an accelerating pace. Amid much debate, a consensus is emerging that cryptanalytically relevant quantum computers (CRQCs) will probably be developed by the 2030s.
For example, the Global Risk Institute predicts that quantum computers will overcome today’s encryption schemes as soon as 2027 and probably by 2030. Similarly, McKinsey has been predicting “capable quantum systems by 2030” for several years.
More concretely, the US National Security Agency (NSA) has mandated that all national security systems transition to quantum-safe cryptographic algorithms by 2033, with highest-priority use cases required to migrate as early as 2030.
The NSA requires all national security systems (NSS) to fully transition to PQC Algorithms by 2033, with some use cases required to complete that transition as early as 2030.
A surer prediction is that transitioning to post-quantum cryptography or quantum-resistant cryptography could take several years for many organizations. Businesses need to consider these three related factors:
- How long does their sensitive data need to be protected?
- How long will it take to migrate to a quantum-safe encryption strategy?
- How long before Y2Q?
If the sum of #1 + #2 exceeds #3, all a company’s data, networks, applications, and communications would potentially be at risk of decryption and compromise.
Are quantum-resistant cryptographic standards available?
On August 13, 2024, the Biden administration released a fact sheet announcing new post-quantum cryptographic standards developed by the US National Institute of Standards and Technology (NIST). These are said to be the first global standards for post-quantum cryptography.
NIST’s new standards meet two vital criteria for pervasive use:
- They are suitable for encrypting data transmitted over a network or at rest on a digital device.
- They are suitable for creating digital signatures and identity authentication schemes.
Organizations can now begin transitioning from current cryptographic standards to using these new standards within their systems and products, and are encouraged to do so as soon as possible. This NIST news release provides more details on this ongoing effort.
What can organizations do now to implement a post-quantum strategy?
Now that NIST has made quantum-safe cryptographic standards freely available, organizations can begin implementing them immediately.
The US Critical Infrastructure Security Agency (NISA) recommends these key steps as part of its Post-Quantum Cryptography Initiative:
- Inventory your current IT estate for systems and applications that use public-key cryptography.
- Inventory and categorize your sensitive data types to understand their priority, their lifecycles, and how long they need to be protected.
- Begin testing the new NIST standards and make a plan for putting them into production leveraging a best-practice approach that avoids creating new attack vectors.
- Develop a plan to transition your cryptographically reliant systems to the new standard(s) in priority order, including validation of new solutions and decommissioning legacy technology.
- Design for “cryptographic agility” to take advantage of new algorithms and minimize risk of current approaches are rendered insecure in the future.
- Communicate with your IT staff and across your organization, as well as with appropriate vendors, about the criticality of this transition and its potential impacts on business as usual.
- Start educating and training your workforce to use the new cryptographic standards.
Does our organization need a post-quantum strategy?
Every organization that holds sensitive data and has a connection to the internet needs a post-quantum strategy as a foundational element of its cybersecurity program. No business, no matter how small, can continue using traditional encryption tools for long.
It is also important to recognize that moving to quantum-safe encryption tools will probably not happen overnight. Many companies do not yet have a catalog of where they are using encryption, or an inventory of their most sensitive data.
Understanding your cryptographic attack surface and prioritizing your highest-value assets are essential preliminary steps to keeping your business safe in a post-quantum world. Meanwhile, the specter of a “harvest now, decrypt later” attack strategy increases the urgency of being prepared in advance for these looming risks.
What’s next?
For more guidance on this topic, listen to Episode 143 of The Virtual CISO Podcast with guest David Carvalho, Founder, CEO, and Chief Scientist at Naoris Protocol.