Opinion: What’s the rush on quantum-safe security? You already may be too late

By Scott Totzke, CEO & Co-Founder, ISARA Corporation

The dawn of the quantum computing era promises to fundamentally change the way we approach big problems – from researching cures for cancer to alleviating traffic in urban centers. But – and this is a very significant but –  large-scale quantum computing also has the potential to create catastrophic problems if we don’t take steps now to ensure that data such as financial transactions, medical histories and government records are protected with quantum-safe encryption.

One of the great accomplishments of the modern computing era is the ubiquity – and relative invisibility – of data security. Most of us communicate, transact business and share vital information without fear that the information will be compromised. Data security and encryption are seamlessly built into nearly every technological device at our disposal and we don’t even have to think about when encryption is happening.

A large-scale, general purpose quantum computer is expected to break today’s encryption with ease.

Although it’s estimated that large-scale quantum computers are seven to 10 years away from being powerful enough to break through current encryption standards, companies and governments are running out of time to prepare their networks and data from the quantum threat. This poses challenges for network administrators, executives and corporate boards – not to mention medical providers, military strategists and world leaders.

The reason is simple: Complexity. Today’s global networks are so interconnected that ensuring the security of data against a quantum threat requires a holistic approach that involves software vendors, hardware makers, customers and partners at virtually every level of the computing stack.

Ask a Chief Technology Officer or Chief Information Officer how long he or she needs to successfully implement even a relatively modest system upgrade and it’s almost always months or years rather than days or weeks. Taken on their own, the systems that manage identity and security for everything from online purchases to connected cars are complex, but when we see them becoming increasingly connected to each other the complexity gets even more significant.  This level of connectivity and interdependency underscores just how much of a security threat advances in quantum computing will pose to our existing infrastructure. Collectively, the technology industry has never faced an upgrade cycle this complex. Quantum is exponentially more complex than anything we’ve undertaken and the stakes are infinitely more significant.

For example, the quantum threat will almost exclusively be executed at the level of a hostile nation-state simply because large-scale quantum computers are bulky, expensive and, outside of North America, largely funded by foreign governments. We’ve all seen the damage smart, but loosely organized hacker groups can cause today by accessing Social Security numbers or other customer data. And with the last US presidential election, we caught hints of what organized cyberattacks by nation-states can look like even without piercing encrypted secrets.

These adversaries don’t mind playing the long game. We’re already witnessing instances of nation-states maliciously harvesting encrypted data that they plan to decrypt later with a quantum computer – essentially putting data confidentiality at risk within a decade. Top secret military and government files have at least 20-year privacy requirements.

Similarly, auto manufacturers that increasingly incorporate software in their vehicles are today putting in showrooms cars that will receive over the air software updates. Those cars still will be on the road when large-scale quantum computers arrive and those computers will be capable of compromising software updates.

The question security and risk management leaders need to ask themselves is how long it will realistically take to migrate to a quantum-safe environment. Getting to that answer and helping corporate or organizational leadership embrace it requires understanding a few key factors:

• Where does encryption reside in your stack? Cryptography has become so ubiquitous that many security leaders don’t even know the distinct points at which they might be vulnerable. RSA, the current standard, has been around for decades – in many cases as long as an IT manager has held the position – and few technology leaders have even had to contemplate an entirely new approach to encryption. Only recently did the National Institute of Standards and Technology recommend moving to crypto-agility, the ability to quickly switch out cryptographic algorithms. Migrating a system to a quantum-safe state can’t be started until you understand exactly where it’s vulnerable.
• Which partners and vendors do you rely on for systems or parts? After understanding the vulnerability points, many organizations will have to work with their vendors and partners to ensure the entire chain is quantum-safe. For example, a smartphone manufacturer installing a quantum-safe chip into new devices would need a chipset vendor that could produce a chip with quantum-safe cryptography embedded. That could take the chipset vendor three to five years to develop. Then it could take another two to three years to incorporate it into new products and manufacture them.
• How adept is your organization at dealing with even routine changes? Every organization has its strengths and weaknesses. But few excel under haste. As the points above illustrate, preparing for a quantum threat requires a level of detail and planning many managers will find unprecedented. Understanding how an organization handles routine tasks such as updating things like access key cards tells you a lot of about your readiness for the task ahead.

No matter how prepared we think we are for the quantum era, it’s safe to assume it will be upon us before we currently estimate. Such is the history of technology. Two decades ago, the very notion of quantum computing seemed like a dream. Five years ago, it was viewed as utterly impractical. Today, separate teams around the world are on the cusp of achieving quantum supremacy – representing the first time a quantum computer will solve a problem that current supercomputers can’t.

That’s a major milestone. It should also be a wake-up call.

Global preparation to mitigate the threats posed by large-scale quantum computers will be extensive. And while we may not be able to pinpoint a specific date, we can say that the need to address this problem is an absolute certainty. Will we be ready? The time to start preparing is now.

Scott Totzke is Chief Executive Officer of ISARA Corporation, a Waterloo, Ontario-based security solutions company that offers companies and government agencies quantum-safe products and implementation tools.