While many IT teams are currently focused on evolving their security infrastructure to combat the new wave of AI-based attacks, there is another emerging technology that’s set to cause significant disruption in the next few years: post-quantum cryptography.
The coming commercialization of quantum computing – and the cryptography implications this brings with it – could introduce serious dangers for cybersecurity teams if not defended against early enough. But how close is this technology to being a viable force for bad actors and how should businesses be securing their networks and data now to set themselves up for future success?
Understanding the quantum risk
As its core function, quantum computing is able to solve the mathematical problems that traditional computers find too challenging, such as the factorization of large numbers. However, this ability also means that quantum computing will be able to crack many modern cryptographic algorithms that are ubiquitously used across various IT platforms to encrypt communications, to secure data or to create digital signatures.
Quantum computers that pose a threat to modern cryptography are not yet commercially available. However, I believe post-quantum cryptography should be seen as an organizational strategic concern for two key reasons. Firstly, there is the very real potential of retrospective attacks. Cryptographic technologies have become so ubiquitous and integrated into business processes that most data is digitally encrypted at rest as well as in motion to minimize risk. But retrospective attacks, also known as ‘harvest now and decrypt later’, mean that bad actors can collect encrypted data that they aren’t able to crack with traditional computers now and store it until large enough quantum computers become available to solve the problem. While the data may be a few years old by the time it is accessible, it may still be sensitive and could cause damage to businesses, employees and customers if disclosed.
The second key reason for concern among board-level executives should be the size of the capital investment and operational overhead needed to upgrade or replace legacy IT systems leveraging encryption vulnerable to quantum computers. There are a lot of risks, from both a financial and a security perspective, in migrating from older legacy systems to newer versions – and all are made worse when this activity is rushed. As of today, there are no quantum computers that are big and powerful enough to break traditional cryptography. However, large private companies and governments are making significant investments into this field, so there is an expectation that we are only a few years away from this breakthrough. To ease the financial burden they face, businesses should be upgrading their systems incrementally in the lead up to commercial quantum computing rather than waiting for the breakthrough and being forced to invest heavily in a foundational rebuild (or risk being left behind by the competition).
Understanding the timeline to act
While consensus on when commercial quantum computers will be available is not yet aligned, most scientists agree that it won’t be for at least 3-5 years. But governments are already outlining recommendations for businesses to start preparing for the transition to quantum encryption now. For example, the UK’s cyber security agency – the National Cyber Security Centre (NCSC) – recently published guidance which encouraged businesses to prepare for the transition now to allow for a smoother, more controlled migration that will reduce the risk of rushed implementations and related security gaps. As part of this, the NCSC called for organizations to invest in visibility, to understand what systems they have and what needs to be upgraded ahead of the migration.
The European Union is also working on guidance around quantum encryption and I expect to see industry regulations, such as NIS2 and DORA, soon evolve to capture post-quantum cryptography as part of their foundational compliance measures. With this in mind, while any government documentation around quantum is currently just directional vs. mandated, I would suggest that CISOs and IT leaders ensure it is on their board’s agenda as soon as possible. This will help them avoid having to rush to reach compliance and spend a lot of time and money all in one go when this guidance becomes regulation.
Understanding your next step
While the tangible threat of quantum computing may still be a few years away from a cybersecurity perspective, the risks it poses are significant enough to warrant proactive measures today. Businesses should start preparing now by understanding their current systems and planning incremental upgrades to ensure a smooth transition to post-quantum cryptography. By doing so, they can mitigate the risk of retrospective attacks and avoid the financial and operational strain of rushed implementations.
Governments and cybersecurity agencies are already providing guidance to help organizations navigate this transition. It is crucial for CISOs and IT leaders to prioritize this issue and bring it to the attention of their boards. Early preparation will not only safeguard sensitive data but also position businesses to keep their edge in the competitive landscape as quantum computing becomes a reality.
Ultimately, the key to future success lies in foresight and strategic planning. By addressing the quantum risk now, organizations can ensure their security infrastructure remains robust and resilient in the face of emerging technological threats.
Join our LinkedIn group Information Security Community!
