By now, we hope that you understand that, sooner or later, your company will have to become quantum secure. In 2021, IBM announced ‘Eagle’, a working quantum computer with 127 quantum bits (or ‘qubits’) followed closely on the heels of China’s announcement of two quantum computers. Even the slowest of these new machines can perform calculations millions of times quicker than the fastest conventional supercomputers, meaning that many of the encryption techniques on which digital security is built could become insecure. Laboratories around the world are all chasing ‘quantum advantage’, the point at which a quantum computer can reliably do anything that a classical computer can – millions of times faster.
However, given how difficult quantum computers are to manufacture it may be decades before they are available commercially, and therefore can be misused at scale. This means that although we cannot predict exactly when digital crime will become a threat, we can realistically expect that the majority of companies will have at least five years to prepare.
So, how can your organisation best use the time you have to prepare effectively?
How quantum computing will impact businesses
Since we know what should be quantum-resistant, we can start to find out just how much work needs to be done to make a company’s assets safe. Some systems will simply need to be switched from using one encryption method to another – Transport Layer Security, for instance, can be made quantum-resistant, and post-quantum cipher suites have been available in Amazon Web Services for several years. This will mean information in transit, for example credit card details being sent from a customer to an eCommerce retailer, should be secured in any future transactions. This same principle could apply to important systems like Public Key Cryptography (PKC) – a (relatively) simple switch from one form of encryption to another should mean that future public key usage will be quantum-safe.
However, there will still be a vast swathe of files encrypted with older, pre-quantum algorithms stretching back years, and these will be simple for a quantum computer to break into. This could mean that if an eCommerce company keeps records of previous transactions, those transactions could be decrypted and taken en masse, which perhaps won’t give criminals access to working payment cards, which would have expired, but could give them information that could be used for anything from creating synthetic identities to blackmail. Digitally signed documents created before a switch to quantum-resistant encryption would also be vulnerable, potentially invalidating millions of legal agreements unless they could be re-signed with better security. Even blockchains, which power the $2 trillion dollar cryptocurrency market and an increasingly large number of other applications, could be vulnerable to quantum computers.
How to prepare for the transition
If your company hasn’t implemented quantum-resistant security yet, then how can you go about it? Because the threat is at an indeterminate point in the future, and we still don’t know exactly what quantum computers will be capable of, it can be daunting to transition an organisation to quantum-resistance. And even more difficult for security professionals to persuade management that it is a priority when current cybercrime threats are so pervasive. It is also the case that there is a serious skills shortage in the cybersecurity industry, and cybersecurity professionals who are currently working will rarely, if ever, have training or experience in quantum security.
Although every company will have its own challenges, the start will always be an audit of every instance of encryption that a company uses. You’ll need an overview of how each item is secured and what encryption methods are used for ‘moving’ information being transmitted to and from your organisation (like the aforementioned credit card details being sent to an eCommerce company). This audit would need to be extremely thorough, and hopefully in time, systems will be created that can carry out these audits automatically.
There is also the problem that quantum-resistant cryptography is not going to be implemented everywhere by the time that quantum computing is commercially available. Like an iceberg, much of the digital world is under the surface in the so-called ‘deep web’, which includes internal intranets and email servers. The contents of this part of the internet are often forgotten, abandoned or just obscure, so it is unlikely that it will be properly secured.
Security in a post-quantum world
Although we still don’t know when security threats from quantum computing will appear, the capabilities of quantum computers are well understood, and computer scientists are confident that they understand which forms of encryption can stand up to quantum computers. This means that we can prepare for post-quantum security now, and solutions are readily accessible. HSMs are one example of how quantum-resistance is available today, and combined with a thorough understanding of what is and isn’t quantum-resistant in a company’s infrastructure, it will be possible for any company to secure themselves long before quantum computing enters the mainstream.
Discover how you can future proof your infrastructure today with Utimaco Q-safe, a firmware extension adding quantum-resistance to your applications and use cases.