Quantum computers will likely become the next disruptive technology. They have the ability to reduce computer processing from years to hours or even minutes, and to solve problems heretofore unsolvable using current computing technology.
There will be another type of disruption if the “powers that be” do not start thinking about the implications of what that massive computing power will mean.
Fortunately, there are experts looking at this right now. One such expert is Ali El Kaafarani, PhD, CEO of PQShield. In his HelpNetSecurity article Quantum computers: How to prepare for this great threat to information security published on Nov. 6, 2020, Kaafarani begins by stating that quantum computers can introduce a huge security challenge. He adds, “With exponentially higher processing power, they will be able to smash through the public-key encryption standards widely relied on today, threatening the security of all digital information and communication.”
Historically, this type of problem has been put off until it is a pressing matter. “While it’s tempting to brush it under the carpet as ‘tomorrow’s problem,’ the reality of the situation is much more urgent,” explains Kaafarani. “That’s because quantum computers don’t just pose a threat to tomorrow’s sensitive information: They’ll be able to decrypt data that has been encrypted in the past, that’s being encrypted in the present, and that will be encrypted in the future (if quantum-resistant algorithms are not used).”
What industries are affected by this security threat?
Put simply, every industry is affected. Any organization that warehouses and encrypts sensitive information or intellectual property needs to take this issue seriously.
Kaafarani uses the pharmaceutical industry as an example. “A quantum computer could allow competitors to gain access to valuable intellectual property, hijacking a drug that has been in costly development for years,” suggests Kaafarani. “As we’re seeing in the race for a COVID-19 vaccine, this IP can sometimes have significant geopolitical importance.”
What about quantum cryptopgraphy?
Government agencies are already working on this issue. For instance, in 2016, the National Institute of Standards and Technology (NIST) sponsored a competition to develop “quantum-resistant” algorithms; it resulted in the following report: NIST Internal Report (NISTIR) 8105: Report on Post-Quantum Cryptography (PDF).
“There has been a lot of research into quantum computers in recent years, and everyone from major computer companies to the government want their cryptographic algorithms to be what we call ‘quantum resistant,'” writes mathematician Dustin Moody in this 2016 NIST news post. “So if and when someone does build a large-scale quantum computer, we want to have algorithms in place that it can’t crack.”
What can businesses do to prepare for quantum computing security threats?
Business owners typically do not keep quantum-computing experts on their payrolls; still, Kaafarani suggests how companies can prepare for the quantum threat.
Start the conversation early: Knowledge is always a good defense. “Begin by promoting quantum literacy within your business to ensure that executive teams understand the severity and immediacy of the security threat,” writes Kaafarani. “Faced with competing priorities, they may otherwise struggle to understand why this issue deserves immediate attention and investment.”
Work out what you’ve got and what you still need. According to Kaafarani, most businesses do not have a good handle on the amount of their encrypted data and what types of encryption are used. He suggests asking the following questions:
- What cryptographic standards are you relying on currently?
- What data are you protecting, and where is it located?
Kaafarani offers an example: Information stored in cloud-based collaboration software likely relies on public-key cryptography, and that will not be quantum-secure.
Build a long-term strategy for enhanced security: Once all sensitive data and the various encryption schemes are inventoried, Kaafarani says the next step is to start planning what will be required to migrate to a quantum-ready architecture. More questions he suggests asking are:
- How flexible is your current security infrastructure?
- How crypto-agile are your cryptography solutions?
- In order to migrate to new technology, do you need to rewrite everything, or could you make some straightforward switches?
Post-quantum encryption standards will be finalized by NIST in the next year or so, suggests Kaafarani. He adds, “Now that finalist algorithms have been announced, businesses don’t need to wait to get quantum-secure–they must simply ensure that they design their security infrastructure to work with any of the shortlisted approaches that NIST is currently considering for standardization.” Check out the NIST’s page on post-quantum cryptography.
Why a hybrid security solution might be best
It appears the best solution might be to pair existing defenses with one of the post-quantum schemes named as a NIST finalist. This will introduce resilience and flexibility into the current security platform. Kaafarani explains further, “By doing this, you’ll be able to comply with whichever new industry standards are announced and remain fully protected against present and future threats in the meantime.”
Like most complex projects, moving to a hybrid security infrastructure including something as complex as post-quantum encryption technology will take a good amount of time, so plan for it. Kaafarani feels it is important to have a solid plan in place and possibly partner with an accredited expert.
This is a serious and pressing threat. The good thing is that Kaafarani believes we have all the ingredients to get a safety net in place. He writes in his commentary that, “We can be confident in the knowledge that the algorithms being standardized by NIST will protect businesses from even the most powerful computers.”