In the cat-and-mouse game of cybersecurity, it’s essential to always be thinking ahead about the next big thing. What’s next around the corner, and how can I ensure that I don’t fall behind? One such emerging technology that’s looming is quantum computing. While the positive potential for the technology is enormous, it also brings with it daunting challenges, particularly in the cybersecurity space.
On Dec. 21, 2022, President Biden signed into law the Quantum Computing Cybersecurity Preparedness Act, which encourages federal agencies to adopt technology that is protected from decryption by quantum computing. At a high level, this can make it appear as though the danger of cyberattacks buoyed by the power of quantum computing is imminent, making security professionals across the public and private sectors nervous. But it isn’t time to panic just yet. Let’s dive a little deeper into what the dangers are and then look at why most organizations, especially those in the private sector, shouldn’t be concerned in the immediate future.
Security Dangers of Quantum Computing
The biggest fear with quantum computing is its use in decrypting data. The current paradigm of information security is based on five pillars: confidentiality, integrity, availability, authenticity, and nonrepudiation. These all rely (at least to some extent) on public key cryptography, which is built on the fact that it is difficult for classical computers to factor prime numbers. However, one of the things quantum computers are much better at than classical computers is factoring primes — which fundamentally undermines traditional cryptography. This puts not only newly stolen information at risk but also all information that has previously been intercepted and stored by hackers.
The ability to break public key cryptography puts most of our digital economy at risk and requires the adoption of a whole new approach — namely the migration to using quantum resistant algorithms. Although these algorithms already exist, we can’t be sure of their real-world efficacy because there isn’t yet a quantum computer large enough to validate them. Additionally, utilizing these algorithms will require a time-intensive and tedious process of end-to-end implementation across an entire environment.
Why Most Organizations Don’t Need to Worry — Yet
The good news is that the best predictions on a quantum computer capable of factoring prime numbers with a low enough error rate to be useful is likely still a decade or more out. Additionally, Western governments and companies currently hold some of the most cutting-edge research in this area, so if things continue along this path, many businesses and most federal agencies will have some runway to prepare for when the threat truly materializes.
That said, this timeline is of little comfort for any organization that has already had critical data with a longer shelf life stolen. While we may have some runway to set up new security approaches to better protect ourselves from quantum-powered cyberattacks in the future, data that is already in the hands of a malicious actor is now on a timeline. While most enterprises don’t have data that will still be critical 10 years from now, agencies or organizations dealing with homeland security or other mission-critical information most certainly do.
What Actions Should We Take Now?
Right now, it’s all about preparation and planning. For some, that involves thinking through how to deal with the fallout of older sensitive data being decrypted, but the most important step is ensuring quantum cryptographic readiness. This involves a complete inventory of existing cryptographic assets and certificates and making sure they are all up to date. This is critical because it not only prepares an organization for a wholesale migration to using quantum resistant algorithms, but it also helps ensure safety in the meantime.
The risk at this moment is that organizations will expend too much energy worrying about how to deal with the threat of quantum computing rather than focusing on the more mundane issues of proper cyber hygiene. Assets that aren’t protected with the most up-to-date cryptographic methods or employees that haven’t had the necessary training on how to suss out phishing emails are currently a far greater threat to organizations than quantum computing. While it’s important to consider the threats of tomorrow, the current risk landscape should be our primary focus.
A decade or so from now, quantum computing will very likely be a top concern as it breaks the foundations that information security is built upon. Information cannot be considered confidential, authentic, accessible (to the right parties), or verifiably created by a specific person if the underlying technology can be circumvented. But at the moment, we still have ample time to prepare. For now, organizations will benefit more from establishing strong cyber-hygiene policies for today’s threat landscape. Ten years is a long time in security, so it’s unlikely that quantum computing will be the lone emerging technology to challenge the status quo — only time will tell!