How CIOs Can Prepare for the Not-So-Distant Quantum Security Threat
‘What’s more concerning is that people are just waiting and doing nothing’
Quantum computing is coming faster than we think. IT leaders need to prepare.
That’s in no small part because these promising, powerful devices present a threat to modern cryptography, which is a pillar of most cybersecurity practices. But the movement toward quantum-resistant cryptography – that is, building cryptographic systems that can’t be broken by the immense computational power of quantum computers – may help enterprises get ahead of threats before they happen, said Karl Holmqvist, founder and CEO of cybersecurity firm Lastwall.
So what exactly does it mean to be “quantum-resistant?” While current cryptographic algorithms would take a supercomputer roughly until the end of the universe to crack, these endless strings of numbers can be easily strung together by quantum computers, Holmqvist said. Conversely, quantum-resistant encryption essentially applies new, more difficult types of mathematical equations in place of traditional cryptographic ones – ones which a quantum computer (so far) can’t crack.
“What quantum resistance is doing is saying, ‘Let’s stop using this thing that we know – when we have a large enough quantum computer – will just be able to break cryptography,’” said Holmqvist.
The potential capabilities of quantum computing threaten to upend security and cryptography as we know it.
And even though quantum computers are still nascent, breakthroughs are happening at an increasingly rapid clip: Earlier this month, Google unveiled a quantum chip called Willow, which can perform calculations in five minutes that would take a supercomputer 10 septillion years, excessive even by universe standards. Holmqvist added that Google’s Willow “paved the way for larger-scale systems,” and removed the “major roadblocks” in adoption.
As researchers continue to make breakthroughs, malicious actors are also preparing for a quantum reality with “harvest now, decrypt later attacks,” Holmqvist said. This is when hackers breach encrypted data and store it in the event that quantum computing gives them the capability to crack it later.
“The risk here to enterprise leaders and CIOs is if somebody can capture your secrets now while they are encrypted, and those secrets are actually relevant five years from now, that’s a big risk,” Holmqvist said.
But teaching an old dog new tricks is never easy. A lot of enterprises are so focused on more imminent threats, like ransomware or phishing attacks, that they don’t have the bandwidth to handle the problems that are a mile away, Holmqvist said.
“It makes it really hard to look at this longer term threat that has an unknown timeline,” he added. And like adopting any tech, many firms have reservations about quantum resistance.
- A lot of enterprises are nervous about the overhead costs of new hardware or routers incurred in making the switch, he said. Some worry that the complexity of this robust cryptography will have a “detrimental” effect on the latency of their networks. “The reality from our experience has been that’s not really the case – it’s not as bad as people think,” he said.
- Some enterprises have bided their time waiting for quantum-resistant algorithms to be standardized by the National Institute of Standards and Technology, Holmqvist noted, a breakthrough that came in August of this year.
What security teams should be doing now is “getting past the unknown,” he said, by starting to test these standardized algorithms in the field. Figuring out what data, information or secrets are most important to protect can help enterprises decide where it’s most vital to deploy quantum-resistant security.
“You can start making these plans part of your normal business operation, instead of having to do them urgently later,” Holmqvist added. “There will be cases where there are some performance implications. But what’s more concerning is that people are just waiting and doing nothing.”