By Michele Mosca, Chief Executive Officer of evolutionQ and Vikram Sharma, Founder and Chief Executive Officer, QuintessenceLabs.
EXECUTIVE SUMMARY:
- Quantum computers provide transformational opportunities, but could threaten the security surrounding everyday computational tasks and sensitive data.
- Mitigating the cyber security risks from quantum computers will require organizations to implement quantum-secure cryptography over several years, although there are steps that can be taken now.
- Three transition approaches are likely to be adopted by most organizations to enable the quantum transition.
When it comes to certain types of complex computational problems – advanced statistical modelling in the financial sector, accelerated research and development for pharmaceutical companies or a more efficient supply chain in the automotive industry – quantum computers promise organizations transformative power.
But to realize those gains, organizations must manage a particular risk: the cryptography used to secure many of our daily digital tasks, such as browsing the internet or online banking, will be broken by sufficiently powerful quantum computers.
Recent alarm in the security community around reports that researchers may already be able to break a common type of cryptography on an existing quantum computer reiterates the seriousness of this risk – and how ill-prepared we are if such a report is true.
Furthermore, attackers may already be engaging in Harvest Now, Decrypt Later (HNDL) attacks in which they steal sensitive data today, such as personal health information or military secrets, and retain it until a sufficiently powerful quantum computer arises to break its encryption. If this occurs while the data retains its sensitivity, the consequences could be significant.
Therefore, organizations must act now to understand and prepare to mitigate the risk of quantum computers as soon as possible.
Mitigating cyber security risks, embracing the economy of quantum computers
Mitigating the risks quantum computers pose to our cyber security infrastructure will require organizations to implement quantum-secure cryptography, elements of which are currently being standardized by the National Institute of Standards and Technology. The European Telecommunications Standards Institute and other organizations are also standardizing other encryption methods, including quantum key distribution.
Similar implementations have shown that the process can take many years, as cryptography is often deeply embedded in systems with multiple dependencies, including on third parties through the supply chain. Nevertheless, there are several steps leaders can take now before embarking on a more significant transition.
- Assign responsibility for managing quantum risk within your organization. Providing someone with a sufficient mandate and resources helps ensure that preparatory steps are taken and is a meaningful first step in understanding your quantum risk.
- Know what you have to protect and the tools used to protect it. Creating and managing inventories of sensitive assets and security tools is challenging for any organization. But knowing where and why cryptography is being employed will make it easier to take action to address your quantum risk.
- Assess your quantum risk. Define to what extent your organization relies on vulnerable cryptography and to what extent it can effectively manage this cryptography. The results can guide further steps and create awareness across the organization.
- Include a focus on basic cyber hygiene. Cryptography is one of many protection mechanisms modern organizations have at their disposal. Organizations should ensure that other cyber security measures are effective to partly minimize quantum risk for now and ensure that these measures effectively complement cryptographic solutions.
3 approaches for enabling the quantum transition
Because cryptography is used as a security control in many places throughout an organization's systems, the scope of the transition will be broad, with many dependencies. It is, therefore, essential to start today.
Clear leadership and directive from the board are needed to help executives develop and implement an effective quantum cyber strategy. This engagement should include a consistent review of meaningful key performance indicators to track progress.
Three transition approaches are likely to be adopted by most organizations. The first approach may be combined with either of the other two.
1. Introduce parallel quantum solutions
Managing a parallel implementation is suitable for most organizations if they have sufficient resources. Various publicly available and reviewed cryptographic algorithms are already potentially quantum-safe. Organizations can start using these quantum-secure solutions today in addition to existing classical cryptography, combining their powers.
There are two major benefits to this approach. First, it provides organizations with a low-barrier opportunity to experiment with implementing quantum-secure cryptography to see what expected and unexpected consequences it may have for their IT systems. This prepares them for when they eventually embark on their complete migration. Secondly, combining quantum-secure and classical cryptography offers a double-layered defense that may protect against today’s and tomorrow’s threats.
2. Follow a phased approach
Organizations with more complex infrastructure or resource limitations may transition in distinct phases. That means starting with migrating groups of systems to quantum-secure cryptography and having interim “cool-off” periods to define lessons learned to incorporate in the next phase.
Phase-based transformations allow for investments and milestones to be spread, which can help leaders create support for the migration throughout affected business functions due to less downtime of affected systems. In addition, the continuous adoption of lessons learned from the previous phases and new industry insights (such as developments in the standardization of quantum-secure algorithms) allows for a constant improvement of the quality of the migration.
3. Complete migration to quantum-secure cryptography in one go
Some organizations, especially smaller or emerging ones, have smaller infrastructure deployments or have limited business needs to communicate sensitive information. These might consider a full overhaul, in which the goal is to become quantum-secure as soon as possible with the knowledge and experience that is currently at hand. Such an approach applies to projects in the early stages of development or deployment of new capabilities.
A complete “big bang” approach can theoretically provide immediate protection and safeguard against HNDL attacks, which can be valuable for organizations that process very valuable data and may be specifically at risk of HNDL attacks. However, limited preparation and lack of intermittent learning may result in implementation challenges and hamper the longer-term utility of the solution.
Irrespective of the chosen transition scenario, organizations must act now to embrace the quantum era and confidently reap its benefits.
Quantum-resilient cryptographic standards and regulatory requirements will be commonplace sooner rather than later. Digital encryption may not yet be broken today, but will you be ready when it is?
This article was originally published by the World Economic Forum and has been reprinted with permission.