Why Businesses Must Address Risks of Quantum Computing NOW Rather Than Wait Until Problems Arrive

There is little doubt that quantum computing will ultimately undermine the security of most of today’s encryption systems, and, thereby, render vulnerable to exposure nearly every piece of data that is presently protected through the use of encryption.

What remains uncertain, however, is when the day of so-called “quantum supremacy” will arrive.

As such, many organizations have hesitated to start preparing for the quantum era – after all, they reason, there are enough fires to fight now, and limited resources with which to do so.

But, quantum supremacy is not something that can be addressed when it becomes a fire – if we do not start protecting ourselves until encryption-busting devices are known to exist, we are likely to suffer severe consequences. Such an attitude is not alarmist – it is reality, whether we like it or not.

Remember, quantum computers already exist. And, while today’s commercially-created quantum machines are nowhere near powerful enough to approach quantum supremacy, absolutely nobody knows the true extent of the quantum capabilities of all of the technologically-advanced governments around the world.

Even if no governments can already quickly crack the asymmetric encryption mechanisms used to protect so much of our digital economy, there is no way for the public to known when governments do obtain such capabilities. Unlike commercial sector R&D centers, intelligence agencies certainly are not going to broadcast anything about their accomplishments and advancements. In short, the public is not likely to know when quantum supremacy actually arrives until well after it has arrived.

Another important reason why we must address quantum-supremacy risks well in advance has to do with the nature of data.

Unlike computer hardware and software that are regularly replaced when they become obsolete, data often remains in its original form for many years, if not for decades. As such, one cannot simply address encryption algorithm obsolescence on a forward-thinking basis – all of today’s sensitive data that is currently protected by encryption will likely need to be identified, decrypted, and re-encrypted with quantum-safe encryption — and all copies of the original data in any and all stores in which it resides – must be properly destroyed.

Identifying, locating, and converting all data requiring conversion may be a task that is relatively easy for an individual to accomplish, but, for a large enterprise merely identifying and locating the data, never mind actually converting it, is a task is likely to prove complex, time consuming, expensive, and prone to error.

And, of course, the consequences of not fully locating and re-protecting old data can be catastrophic; a single long-forgotten laptop, ZIP disk, CD, or backup tape – or even an old floppy disk! – could potentially lead to terrible financial losses, legal headaches, and ruined reputations. Organizations that have utilized encryption to protect healthcare information within their possession, for example, could become flagrant violators of HIPAA and face stiff penalties for simply allowing existing backups to remain as is within storage facilities.

On that note, we must realize that at some point in the future, even before encryption-busting quantum computers arrive on the market, those in the know will consider it gross negligence to encrypt data with algorithms known to be vulnerable to quantum compromise. Imagine the reaction from customers, the media, and regulators if IBM announced that it would deliver an encryption-breaking quantum computer in 6 months, and cybersecurity professionals working at a bank reacted by saying that they would wait until after the device arrived on the scene to upgrade their encryption mechanisms? And, again, we won’t even get a 6-month warning – or any warning at all – if, as expected, governments achieve quantum supremacy before industry.

Clearly, there is a need to act in advance – and acting takes time. For most organizations, transitioning from today’s encryption technologies to quantum-safe encryption mechanisms will likely be a more complex, expensive, and timely process that many people expect, in some cases, even taking years to properly plan and execute. As such, despite the fact that today’s known quantum computers are nowhere near ready for prime-time encryption busting, we may already be late vs-a-vis preparing for quantum supremacy; it is possible that we have already reached a point at which it will take the world longer to completely replace its existing encryption mechanisms and re-encrypt its data than it will take for encryption-busting quantum computers to arrive on the scene

One other important note: Sensitive information that is relayed and stored today may remain sensitive in the future, including after quantum computers have rendered today’s encryption impotent. In 2022, for example, people around the globe who bank, shop, chat, and use social media online rely on encryption known as TLS to prevent anyone from capturing and viewing communications flowing across the insecure Internet as network traffic. Quantum computing, however, will ultimately render today’s TLS impotent; if someone records encrypted sessions as they pass over the Internet now, that party may be able to decrypt such sessions in the future, and expose all of the relevant contents. In short, any data that is captured now can potentially be decrypted and exposed tomorrow; the photos that you just sent your romantic partner over WhatsApp, the results of your recent bloodwork, and your credit report that you accessed over the weekend could all leak. With storage so inexpensive, various governments – and perhaps corporations – are, in fact, collecting and storing huge amounts of data – and who knows how they will use that data once quantum-supremacy arrives. The bottom line is that if we truly want today’s communications to remain secret for years to come, we should already be using quantum-safe-encryption to protect it.

Finally, keep in mind that while adding additional transistors to today’s classic CPUs grows processing power linearly, quantum computing capabilities expand exponentially with physical system growth; as such, our human experience observing the advancement of technology likely misleads us into wildly underappreciating how fast quantum computing may advance. IBM’s recent forecast of its quantum capabilities growing from around 1,000 Qubits next year to over 4,000 Qubits 2 years later, to potentially hundreds of thousands of Qubits shortly thereafter, clearly reinforces the concern about rapid growth delivering quantum supremacy to the market in the not so distant future.

Experts have already identified already several methods of encrypting that we believe will remain safe from quantum cryptanalysis for the foreseeable future – yet such technologies are barely leveraged anywhere in the commercial sector. Rather than trying to scramble once we have an unsolvable problem, it would be wise for us to start planning to augment our encryption as needed. NIST has already begun to narrow down its list of recommended ways to address quantum’s risks to encryption – and products have already hit the market already that enable businesses to begin such transitions.

This post is sponsored by IronCAP™. Please click the link to learn more about IronCAP’s patent protected methods of keeping data safe against not only against today’s cyberattacks, but also against future attacks from quantum computers.