Is your organization prepared for the arrival of quantum computing?
The arrival of quantum computing will cause a ripple effect that will touch every corner of the technological landscape. This isn’t an exaggeration—it’s a fact. In general terms, quantum computers will be able to solve certain complex problems much more quickly than traditional computers are able to today. In more specific—and concerning—terms, quantum computers will be able to crack much of today’s most widely used cryptographic algorithms. It isn’t hard to imagine the catastrophic consequences of this veritable cryptographic skeleton key falling into the wrong hands. Preventing this disaster will necessitate a complete overhaul of the way organizations approach encryption.
Practical quantum computing has not yet arrived, but steady progress has been made by companies like Google, Microsoft, and others vying for what many have dubbed “quantum supremacy.” Make no mistake: quantum computers are on the way, and they will be here sooner rather than later. Preparing for the cryptographic apocalypse should be a top priority for today’s IT teams. Any organization failing to plan for the inevitable shift to new quantum-resistant algorithms risks falling dangerously behind, leaving their network and devices exposed to savvy attackers ready to exploit those who fail to adapt to the new reality.
Understanding the Cryptographic Quantum Apocalypse
In 1994, a mathematician by the name of Peter Shor discovered a new algorithm capable of breaking conventional public-key cryptography—but it required a then-theoretical quantum computer with a certain number of qubits (a basic unit of quantum information). Shor’s algorithm, as it would come to be known, demonstrated that a quantum computer can factor integers much more efficiently than a traditional computer. Unfortunately, this would make quantum computers much more efficient at cracking Rivest-Shamir-Adleman (RSA) encryption and elliptic-curve cryptography (ECC)—the two most common types of encryption in use today.IT professionals know how essential encryption is to every facet of modern life, but it is worth taking a moment to stress the sheer number of industries and critical processes it touches. Encryption has fundamental uses in government, defense, finance, commerce, communication, transportation, healthcare, and logistics, to name just a few. The systems using encryption (public key infrastructure, or PKI) help secure everything from email accounts and Internet of Things (IoT) devices to financial transactions and healthcare data. In short, the arrival of quantum computing will effectively force nearly every organization on the planet to rethink its approach to encryption before it’s too late.
Making the Most of a Head Start
The coming cryptographic quantum apocalypse is neither a secret nor a surprise. Security and IT professionals have known this was coming for some time. In fact, one could argue they have known this was a likely possibility since the discovery of Shor’s algorithm, but recent progress in the field of quantum computing has suddenly made it a much more tangible threat.
The arrival of quantum computing began to feel more imminent in 2019 when the public at large—and not just specific mathematicians—began to realize the impending need for new cryptographic algorithms. Throughout 2020, a considerable amount of work was done, both by those working to develop quantum computers and those working to defend against their capabilities. Quantum computers are consistently growing more powerful, with an increasing number of stable qubits. The development will likely continue at this steady pace—it seems unlikely that there will be a “eureka” moment in the immediate future, where the number of stable qubits suddenly begins to grow at a faster rate than expected.
In many ways, this is good. Stable quantum computing will introduce exciting new technological possibilities. Its ability to solve complex problems quickly promises potential breakthroughs in fields like artificial intelligence, financial modeling, chemistry, and others. But the world is not yet prepared for the potential danger the technology brings with it. Fortunately, the National Institute for Standards and Technology (NIST) has been hard at work identifying potential algorithms capable of withstanding the expected encryption-cracking capabilities of quantum computers. The organization has been soliciting quantum-resistant encryption algorithms since 2015 and has since narrowed the 69 candidate algorithms it received down to the nine most likely to lead to viable, quantum-safe encryption methods. Though there is no firm timetable, NIST plans to release its final list of recommended algorithms sometime in the near future.
Quantum Skepticism Has Risen, but Don’t Be Fooled
Not every organization is ready to upend its operations to account for quantum computing, and IT and security professionals have noticed even some computer scientists expressing skepticism over whether quantum computing will live up to its considerable hype. This is understandable—for a long time, quantum computing was the quintessential technology that was perpetual “five years away,” always coming “soon” but never seeming to get any closer. With that in mind, it isn’t hard to see why some technology experts are challenging the idea that the world is on the verge of a quantum computing breakthrough—or even that it will have as great an impact as people fear.
While understandable, this skepticism is dangerous. Ready or not, quantum computing is coming, and every form of encryption in widespread use today is vulnerable to Shor’s algorithm. Short of quantum computing development stopping dead in its tracks, quantum computing will inevitably defeat conventional cryptography. Anyone using any form of encryption needs to be prepared to replace it with a quantum-safe alternative.
One might even argue it is too late. Cybercriminals who believe in the viability of quantum computing may already be planning for a post-quantum future: after all, if an attacker has harvested and stored an encrypted file, all it needs is a quantum computer to crack it. Today’s attackers have demonstrated a clear willingness to play the long game, laying the groundwork for attacks months (even years) before their execution. Attackers are not taking a “wait and see” approach to quantum computing—they understand that if they can get their hands on encrypted files now, it is just a matter of time until they have the ability to crack them. Today’s organizations should assume any information they transmit could be recorded by malicious parties waiting for the chance to decrypt it.
Who Needs to Hear This?
Given the critical role encryption plays in modern society, it is not an exaggeration to say that any organization sending or receiving information encrypted with a traditional algorithm needs to be planning for a post-quantum future right now. This applies to any organization using email, file transfers, financial transactions, cloud storage, SSL certificates, and countless other modern conveniences. In other words, just about everyone.
IoT device manufacturers stand out as particularly vulnerable. Consumer IoT devices have an average lifespan of three to five years, while commercial devices tend to remain in use for seven to 10 years—meaning manufacturers need to plan for the long term. Manufacturers absolutely need to begin wrapping their heads around quantum cryptography and putting a plan into place regarding how to implement it once the algorithms are finalized. This has admittedly put manufacturers in a sticky situation: some may need to decide whether to delay a product until after NIST makes its final recommendations. For some companies, a product delay may not be financially viable, but releasing a potentially vulnerable product can put the company in an equally dangerous predicament.
When it comes to the cryptographic quantum apocalypse, planning ahead is the only way to survive. Organizations need to take advantage of the head start they have been given. In addition, even without the final algorithms, manufacturers can begin planning firmware updates designed to implement quantum-safe encryption. Failure to do so may force a company to later recall or replace devices that cannot be updated sufficiently. It is imperative for decision-makers ranging from those dealing with cryptography and digital certificates to those issuing company laptops to begin educating themselves on quantum cryptography.
The Time to Act Is Now
Updating all encryption across an entire organization cannot be done with the snap of a finger. It takes time. But an organization starting the process now might be finished in a year—well before potential attackers will be in a position to exploit the power of quantum computing. On the other hand, an organization waiting to act until NIST finalizes its list of algorithms (or IBM or Google announces the creation of a quantum computer capable of breaking RSA encryption) will be scrambling to play catch up.
The time to act is now. Organizations need to begin conversations with board members and C-Level executives to impress upon them the urgent need for those changes. The need for quantum-safe cryptography has been apparent for years, and some of the smartest people in the world have been working on it. But organizations must choose to act—and those that don’t may quickly find it is too late to catch up.
About the author: Tim Callan is the Chief Compliance Officer at Sectigo. He is responsible for ensuring Sectigo’s CA practices conform to industry and regulatory requirements and the company’s published Certificate Practices.