With the rapid advancement of quantum computers, the threat they pose to encryption is no longer a question of if, but when. The NSA and UK National Cyber Security Centre have been warning companies for years to secure their systems as the threat is both severe and imminent.
While quantum computers have huge promise, they also risk introducing an unprecedented cybersecurity problem. Quantum computers will have the power to crack the encryption used to protect almost all of the world’s sensitive information, enabling them to smash through the encryption standards used today to protect workers’ most sensitive conversations, personal data, secure networks, and business transactions.
Research from the likes of Goldman Sachs, IonQ, and QC Ware has demonstrated improved performance of a specialized quantum algorithm on real hardware.
The Scale of Quantum Security Threat
Quantum computers will have the power to solve computational problems that were previously thought impossible, and while this presents many opportunities, it also poses a significant security risk as it renders traditional encryption methods – particularly RSA and ECC that are used to protect virtually all of the world’s sensitive information – obsolete. Modern computers would take years to crack the mathematical problems that underpin all modern encryption, but fully scalable quantum computers will be able to do it efficiently. This means that virtually every organization and device is at risk.
The quantum threat is not just a worry for future data – it is also possible to store information now and decrypt it later. Companies are currently at risk of having data stolen now and stored for decryption once quantum computers have been fully developed. A recent report by Booz Allen Hamilton reveals the likelihood of major players in the quantum field gathering information now that they plan to decrypt later. This underlines the importance of companies preparing for the threat as soon as possible, as security is already at risk.
Roadmaps laid out by experts have predicted that quantum computers will surface sometime this decade, but companies need to begin preparations now for implementing new cryptography to ensure their future data is protected. The threat of such an attack is credible and urgent enough that the NSA and other government agencies across the world have warned that ‘we must act now’ to prepare for it.
Designing New, Quantum-ready Encryption Standards
After the NSA’s warning on the quantum threat in 2015, the US Government’s National Institute of Standards and Technology (NIST) initiated a process to define new, quantum-ready cryptographic standards – known as post-quantum cryptography. Implementing these standards will be the biggest cryptography transition that has taken place in decades.
For the last 6 years, NIST has been in the process of identifying and standardizing post-quantum algorithms to establish a clear starting point to guide us toward a quantum-secure future, with the new algorithms replacing the current classical-security standards. With over 80 submissions from over six different continents, it has truly been a global effort followed closely by academia, industry, and government.
The NIST standardization process is set to conclude in the coming weeks, as NIST plans to pick a handful of diverse algorithms out of the remaining candidates.
How Can Companies Prepare for the Threat?
NIST is unequivocal that businesses should be preparing now, stating that “it is critical to begin planning for the replacement of hardware, software, and services that use public‐key algorithms now so that the information is protected from future attacks”.
Understanding the timeline for necessary post-quantum security is essential for ensuring the safety of the company. Businesses should consider the timeline in which they need to employ quantum-safe solutions and choose a strategy to gradually implement new cryptography – in some cases, a complete transition could take up to 5-10 years. CISOs should be aware of a realistic path to implementation which, for many companies, will likely involve integrating hybrid cryptography solutions. A number of offerings now exist that provide widely used public-key encryption and incorporate one of NIST’s finalist algorithms that will soon be established as a benchmark for protection against quantum attacks.
In terms of preparation, businesses should begin with a “quantum risk assessment” that consists of the following: carrying out a software/hardware cryptography audit, establishing what information needs to be kept confidential and for how long, identifying data that requires long-term integrity, identifying what data privacy regulations need to be followed, reviewing their infrastructure and flexibility, and assessing their crypto agility and the potential limitations on their infrastructure. Based on the outcome, a roadmap for the transition to Post-Quantum Cryptography should be put in place. Organizations should keep the NIST guidelines in mind and follow their updates during the design and implementation phases of their PQC roadmap.
Changing the standards of a technology that is deeply embedded in our daily lives is a tremendous task that will take a lot of preparation and a long time to execute securely. We are changing the standards because we have to: the potential damage of the quantum threat to our society is wide-scale, and it threatens all industries from finance and utilities to national intelligence. Intelligence agencies are taking the threat seriously, and have made it crystal clear that Post-Quantum Cryptography provides the best mitigation against the quantum threat. However, with the NIST standardization process coming to a conclusion by the end of this year, it’s time for companies and the whole supply chain of cybersecurity products, software, and hardware to take action.
About the Author
Dr. Ali El Kaafarani is the CEO, Founder, and Researcher at the Mathematical Institute, University of Oxford, where he co-founded the cryptography group when he joined in 2015. Prior to that, Dr. El Kaafarani was a Research Engineer at the Cloud and Cybersecurity team at HP Labs. He holds a Ph.D. in cryptography from the University of Bath, U.K.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.