About eight years ago, toward the end of a panel I was moderating on cybersecurity, I turned to the panelists and asked them to tell me what to expect when quantum computing would come online. I got blank stares.
Quantum computing, and its implications for national security and cybersecurity, had not yet made its way into the consciousness of most experts. Today, that has changed, and lawyers, particularly those advising on system and data security issues, need to get ahead of the upheaval that is coming.
For those unfamiliar, quantum computing is based on the principles of quantum physics, which govern matter and energy at atomic and subatomic levels, where classical physics ceases to apply. Quantum tech has already begun to influence areas like medical imaging. Once they become commercially viable, quantum computers will launch a sea change in many additional areas of technology. Quantum computers’ use of qubits that can hold multiple values simultaneously will inaugurate an era of computing exponentially more powerful than binary computing, which is based on bits that only represent zero or one but never both simultaneously. For certain types of problems, quantum tech will allow computers to explore multiple possibilities in parallel rather than sequentially, leading to solutions thousands or even millions of times faster than classical computers.
This is not the stuff of science fiction. Certain cloud-accessible quantum computers already exist. It is estimated that practical, commercially useable quantum computers will be available in the next 1-3 years. That’s right, as early as next year. The implications for security, and for coming standards and regulation, are manifold.
Particularly notable among these repercussions will be the effect on data encryption. The data you safely encrypt today will suddenly be rendered insecure by quantum computing. That is because the standard encryption technology that is in common use today (and has been for decades) is no match for quantum computing. Today’s public key technology relies on classical computing’s inability to quickly solve certain math problems. It would take a classical computer decades or longer to crack it, making it effectively impregnable to thieves and spies who do not have the key to unlock it. Quantum computers, however, will be able to break today’s encryption in hours, or even minutes. That means that all the data your company currently considers secure thanks to today’s encryption – including sensitive financial data, private health information, protected government data, and encrypted personal communications among others – will suddenly be there for the taking.
But it gets worse. The bad guys know this is coming, and they’re not waiting for tomorrow. They are engaging in what has been termed “harvest now, decrypt later,” grabbing encrypted data from companies and private individuals, and simply storing it until they gain access to quantum computers to break the encryption. Today’s secrets are already not safe from tomorrow’s computers.
The good news is solutions are emerging. Post-Quantum Cryptography (PQC) has already been developed as a solution to quantum’s ability to break standard encryption. PQC is based on cryptographic algorithms that are designed to defeat the abilities of quantum computers, moving away from the mathematical problems that have been the hallmark of conventional cryptography to so-called “hard problems,” which can’t just be solved by a faster computer.
The less good news is that converting a company’s systems to PQC is no simple, let alone quick, endeavor. It can take 3-5 years to accomplish. With “Y2Q,” the day when current algorithms will no longer be impregnable, rapidly approaching and adversaries harvesting data now for later decryption, the urgency of adjusting to the quantum future is growing daily.
So, what should you be doing to adapt your data security to the post-quantum world?
1. Audit and analyze your system. Virtually every IT system that encrypts at all uses conventional encryption. These systems are all vulnerable to quantum attacks. Managers of these systems need to be planning now and implementing their strategy for moving to PQC, aware of how long that move will take and how soon quantum computing will be everywhere. They need to identify the cybersecurity products and services they currently use and determine what will need updating or replacement, including where those soon-to-be-outdated algorithms are in use and which systems contain high-priority data, so the algorithms can be replaced. And don’t stop with your own internal system. Audit the products your vendors are providing to you; their vulnerabilities are your vulnerabilities.
2. Monitor developing standards. Standards for PQC are developing rapidly and have already achieved an advanced state. The National Institute of Standards and Technology (NIST) has issued several Federal Information Processing Standards (FIPS) publications to address this new challenge (see FIPS 203, 204 and 205) and has endorsed four new post-quantum algorithms for use in encryption. NIST advises that organizations “begin applying these standards now to migrate their systems to quantum-resistant cryptography.” It is moving its standards away from conventional encryption and will remove it from those standards completely by 2035, with high-risk systems transitioning well before that. As it always has, by setting standards for the Government, NIST is also setting the framework for private sector security. Ignore it at your peril.
3. Keep an eye out for legislation and post-quantum regulatory standards. As with all emerging issues, Congress and the Administrative State are turning their attention to quantum and beginning to lay out the frameworks that will govern it for decades to come. A variety of legislation has already been introduced, and the President issued National Security Memorandum 10, Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. To date, these and other efforts have focused mostly on what the US Government must do to protect itself, and setting deadlines for doing so. However, we can expect these requirements to make their way into the private sector over time, through the FTC, the SEC, CISA, and other regulatory agencies.
4. Prepare for new procurement standards. Just as post-quantum standards will be integrated into regulatory requirements generally, they are likely to become mandatory for government contractors even sooner. In the cybersecurity field, we have seen the development of cloud security standards via FedRAMP and general cybersecurity standards for military contractors via CMMC. We can expect the Government to adapt these programs for quantum computing and/or develop new compliance programs in the near future. In some cases, the Government is already giving this direction, including in NIST IR 8547, Transition to Post-Quantum Cryptography Standards, which requires all new acquisitions for National Security Systems to use NSA-approved, quantum-resistant algorithms by 2027 and all keys to be replaced with NIST-approved PQC algorithms by the end of 2030.
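
The inventory step in item 1, sketched as an added example (not from the original article): it classifies algorithm names, flags the public-key families that quantum attacks break, and ranks them so that confidentiality uses protecting long-lived data come first, since those are what “harvest now, decrypt later” targets. The inventory, system and vendor names, field names and prefix lists are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Public-key families whose hardness assumptions a large quantum computer breaks.
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDH", "DSA", "DH", "ED25519", "X25519")
# Algorithms standardized in FIPS 203, 204 and 205.
PQC = {"ML-KEM": "FIPS 203", "ML-DSA": "FIPS 204", "SLH-DSA": "FIPS 205"}

@dataclass
class Asset:                  # hypothetical inventory record
    system: str
    algorithm: str            # as reported by a scanner or vendor, e.g. "RSA-2048"
    purpose: str              # "key-exchange", "encryption" or "signature"
    secrecy_years: int        # how long the protected data must stay confidential
    owner: str = "internal"   # "internal" or a vendor name

def classify(algorithm):
    name = algorithm.upper()
    for prefix, fips in PQC.items():
        if name.startswith(prefix):
            return "pqc (" + fips + ")"
    if name.startswith(QUANTUM_VULNERABLE):
        return "quantum-vulnerable"
    return "review"  # symmetric ciphers, hashes, unknown names: needs a human look

def triage(assets):
    """Return the quantum-vulnerable assets, most urgent first."""
    def urgency(a):
        # Captured ciphertext can be decrypted later, so confidentiality uses
        # outrank signatures; longer-lived secrets outrank short-lived ones.
        harvestable = a.purpose in ("key-exchange", "encryption")
        return (not harvestable, -a.secrecy_years, a.system)
    hits = [a for a in assets if classify(a.algorithm) == "quantum-vulnerable"]
    return sorted(hits, key=urgency)

# Constructed sample inventory, including one vendor-supplied product.
INVENTORY = [
    Asset("patient-records-api", "ECDH-P256", "key-exchange", 25),
    Asset("code-signing", "RSA-3072", "signature", 0),
    Asset("payroll-vpn", "RSA-2048", "key-exchange", 7, owner="ExampleVendor"),
    Asset("backup-archive", "AES-256-GCM", "encryption", 10),
    Asset("new-gateway", "ML-KEM-768", "key-exchange", 10),
]

if __name__ == "__main__":
    for a in triage(INVENTORY):
        print(f"{a.system:20} {a.algorithm:10} {a.purpose:13} "
              f"secret-for={a.secrecy_years}y owner={a.owner}")
    for a in INVENTORY:
        if classify(a.algorithm) == "review":
            print("manual review:", a.system, a.algorithm)
```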
Conclusion
David Bowie once said that “tomorrow belongs to those who can hear it coming.” If you don’t hear quantum computing coming, you’re not listening. Commencing countdown, engines on….