Why experts are warning businesses to prepare for quantum now – or face critical cyber risks when it arrives
Quantum computing will threaten the foundational encryption techniques underpinning digital trust everywhere, so businesses have a limited time window to prepare
Quantum computing is a technology that has repeatedly been hyped as around the corner, despite many being unable to pinpoint exactly when it will materialize. While its unknown arrival date has allowed CISOs to kick the can down the road, experts have declared that there is limited time to get a quantum resilience strategy in place.
Speaking to ITPro, Colin Soutar, MD of risk & financial advisory at Deloitte & Touche LLP, says the main problem for organizations right now is that there’s no exact date for when a cryptographically relevant quantum computer might be developed.
“Therein lies the crux of the challenge with this particular issue, in terms of getting it on the radars of business professionals and IT specialists,” he says.
Quantum computers would be able to complete tasks that are incredibly computationally intense much faster than the computers we have today. Though this will bring lots of benefits, it also means it will be much easier to crack the most common encryption algorithms that currently keep the world’s data secure.
Without a clear indication of when businesses could be attacked with quantum techniques, many organizations are prioritizing other cybersecurity concerns. Soutar says he prefers to take a different approach when discussing the issue with clients to get through to them, citing the ongoing studies conducted by Michele Mosca, cofounder at the Institute for Quantum Computing (IQC).
Mosca’s research projects a 6% likelihood of quantum computing becoming a reality in the next five years, or 10% in the next decade.
As a result, Soutar said he likes to express the imminence of quantum computing more generally as a finite probability – in other words, it's exceedingly likely to happen eventually.
“At Deloitte, as a firm, [we] tend to push that aside a little bit and put it more starkly like this: if you accept that there’s a finite probability that a cryptographically relevant quantum computer will exist in, let’s say, the next five to ten years. How long is it going to take you to upgrade your infrastructure, third-party dependencies, supply chain, and so on? Eight, ten, twelve years?”
In this way, Soutar urges firms to get started on preparedness for quantum computing now, so they’re finishing up when breakthroughs in the space inevitably occur.
IDC’s 2024 CEO survey indicates large swathes of the business landscape had taken heed of experts’ warnings and were actively looking into post-quantum cryptography.
Just over one-fifth of respondents (21%) said they were already implementing solutions, and 36% stated they had started to prepare for post-quantum cryptography adoption but were still exercising a ‘wait-and-see’ approach.
But 31% of CIOs said they had taken no action to prepare for quantum threats, with a further 13% admitting they did not know about post-quantum cryptography.
The scale of this threat should not be underestimated, Soutar warns. The problem is that many algorithms used for secure data encryption, such as Rivest–Shamir–Adleman (RSA), were not created with quantum systems in mind. RSA creates a public key from the product of two prime numbers, along with a private key that is kept secret and used to decrypt data encrypted with the public key.
The public key can be safely shared in the knowledge that only the intended recipient – who holds the private key – can decrypt the transferred data. This is because cracking a 2048-bit RSA key would take many billions or even trillions of years, given the number of possible combinations a standard computer would have to run through.
But quantum computers could run algorithms that can efficiently work out the private key using the public key.
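As an added illustration (not part of the original article), the sketch below uses textbook RSA with small constructed primes to show why factoring matters: anyone who can factor the public modulus can rebuild the private key, and the classical cost of doing so grows roughly 100-fold when the primes grow 100-fold. The primes, message and function names are assumptions chosen for the demo; real RSA uses padding and primes of about 1024 bits each.

```python
from math import gcd, isqrt

def make_keypair(p, q, e=65537):
    """Textbook RSA: returns public key (n, e) and private exponent d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), pow(e, -1, phi)

def factor(n):
    """Classical trial division; returns (p, q, divisions_tried)."""
    if n % 2 == 0:
        return 2, n // 2, 1
    steps = 0
    for cand in range(3, isqrt(n) + 1, 2):
        steps += 1
        if n % cand == 0:
            return cand, n // cand, steps
    raise ValueError("n is prime, not an RSA modulus")

def recover_private_exponent(public_key):
    """Derive d from the public key alone, by factoring n."""
    n, e = public_key
    p, q, steps = factor(n)
    return pow(e, -1, (p - 1) * (q - 1)), steps

def demo(p, q, message=424242):
    """Encrypt with the public key, then decrypt using only a recovered d."""
    public, d = make_keypair(p, q)
    n, e = public
    ciphertext = pow(message, e, n)
    d_recovered, steps = recover_private_exponent(public)
    return d_recovered == d, pow(ciphertext, d_recovered, n), steps

# Constructed toy moduli. Trial-division work scales with the size of the
# smallest prime factor, i.e. exponentially in its bit length, which is why a
# 2048-bit modulus is out of reach classically. Shor's algorithm on a
# cryptographically relevant quantum computer would factor in polynomial time.
SMALL = demo(10007, 10009)      # ~27-bit modulus
LARGER = demo(999983, 1000003)  # ~40-bit modulus

if __name__ == "__main__":
    for label, (same_key, plaintext, steps) in (("small", SMALL), ("larger", LARGER)):
        print(label, "key recovered:", same_key, "plaintext:", plaintext, "divisions:", steps)
```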
“The whole premise of trust in the internet between any two entities, whether they’re machines or they are people or institutions, all of that trust is typically derived from mutual authentication, the ability to share a piece of information that can be verified as being from the legitimate holder or issuer of that information,” Soutar explained.
“Quantum computers, should they materialize into this cryptographically relevant quantum computer, will attack the very bedrock of what we look at today in terms of trust fabric, and trust across all digital interactions.”
NIST’s release of three post-quantum encryption algorithms this summer has accelerated the level of research businesses are putting into the area. The new algorithms were specifically designed to be as difficult for quantum computers to crack as they would be for traditional computers and are being shared alongside instructions for how businesses can implement them.
How businesses can prepare for quantum computing
Soutar tells ITPro that business leaders, and CIOs in particular, should appreciate the scale of this threat and invest in developing contingencies.
“You really need to start understanding what the magnitude of the problem is and start to build out a strategy, particularly a governance around that as well so that you know who in the organization is on the hook for this,” he advises.
Speaking during a panel on post-quantum cryptography at Venafi’s annual Machine Identity Summit in Boston, Carl Mehner, security business architect at insurance firm USAA, explained what quantum readiness meant to him.
Mehner said leaders need to understand where every one of their cryptographic assets is at present, be clear-eyed about the alternative algorithms available to them, and lay the groundwork to automate these assets. This, he explained, would allow for a more agile and scalable response as and when further changes are required down the line.
Ultimately, Soutar says that there is good news in that firms have some time to get ready, but the indeterminate nature of this timeframe should be cause for concern. Prudent businesses, he tells ITPro, will be putting frameworks and policies for quantum threats in place now.
“We’re not saying everything needs to change now, we’re not being alarmist, but we do feel that the sooner you get ahead of this, the sooner you prepare to act when something comes along.”
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.