Quantum Computing Is Coming: Are You Cyber Ready?

We’ve been hearing about the vast potential of quantum computing for years. With its exponentially superior processing power, this game-changing technology is expected to dramatically transform fields such as medical sciences, machine learning, particle physics, engineering and meteorology. Although widespread adoption is still in the future, 2019 marks a turning point in its commercial availability.

In January, IBM introduced the world’s first circuit-based commercial quantum computer, the IBM Q System One. This milestone in bringing quantum technology out of the lab and into real-world production environments is motivating IT to come to terms with its opportunities and risks.

Cybersecurity is among the top challenges to consider because industry experts predict that future quantum computers will soon be able to break today’s most sophisticated algorithms. According to “Quantum Computing: Progress and Prospects,” a recent report by the National Academy of Sciences, analysts agree that the time to start preparing for a quantum-safe future is now. For the time being, RSA and ECC algorithms still remain safe. However, the National Academy states that a powerful quantum computer theoretically could crack even a sophisticated 2048-bit RSA key in just a few months. In any case, enterprise and government organizations will need significant time to develop, standardize, and deploy new cryptographic algorithms that can withstand quantum computing threats—post-quantum cryptography (PQC).

The urgency of the risk is clear, especially for IoT-intensive industries. Businesses with IoT devices and applications that have long life cycles may have their products operating out in the world after the first quantum computers become a threat. That means products that had once been considered safe could become a liability. Some examples might include ATMs or automobiles with sensors, onboard computers and connections to the internet. If quantum-safe strategies are not put in place today when manufacturing these devices or products, they could be breached in the future. To be fully protected, businesses need to start addressing the quantum computing threat as soon as possible.

Broad Awareness of Quantum Computing and Plans for Action

For many organizations, the first steps toward managing quantum computing risks are not always clear. In some cases, enterprises may have only a limited understanding of PQC. To learn more about how enterprises are preparing for these new challenges, DigiCert commissioned ReRez Research of Dallas to survey IT professionals within 400 enterprises of 1,000 or more employees in the U.S., Germany and Japan. Participants included IT directors, IT security managers and IT generalists across a variety of industries.

The survey revealed that enterprise IT is well-aware of the threat that quantum computing poses to cryptography. Slightly more than half (55%) said quantum computing is a “somewhat” to “extremely” large threat today, with 71% saying it will be a “somewhat” to “extremely” large threat in the future.

However, the survey also underscored the fact that PQC is a new concept and that people are still learning about its meaning and significance. In fact, in a question designed to gauge understanding of the term, fewer than two-thirds of participants chose the correct definition of PQC.

Survey participants generally agree that the threat is rapidly approaching. The median response for when PQC would be required to combat new risks was 2022—just three years from now. With the threat on the horizon, 83% of respondents said it was “somewhat” to “extremely” important for IT to learn about quantum-safe security practices.

IT is also clear about the cryptographic risks they face from quantum computing. Survey respondents said they worry that the cost of fighting future quantum computing threats or attacks will spiral out of control. They are also concerned that data that is considered safely encrypted by today’s standards will become easy to decrypt in a quantum future, in which stolen data that may be safe for the moment could become vulnerable in the future.

A Proactive Approach is Key

With so much concern about post-quantum risks, putting a forward-looking strategy in place is essential to mitigating tomorrow’s threats. The DigiCert/ReRez survey identified three best practices for organizations seeking to secure their operations, including:

  • Knowing your specific risk and establishing a quantum crypto maturity model.
  • Understanding the importance of crypto-agility in your organization, and making it a core practice.
  • Working with leading vendors to establish digital certificate best practices and ensure they are tracking PQC industry progress to help you stay ahead of the curve, including with their products and solutions.

It’s not surprising that 95% of survey respondents reported that they are discussing at least one tactic to prepare for quantum computing. Organizations are also beginning to take the first steps to fund their initiatives: One-third indicated they have a PQC budget in place, while another 56% are working on establishing one.

Although the challenges of quantum computing are daunting, with advance planning backed by a solid strategy, organizations still have time to get ahead of tomorrow’s cybersecurity challenges.

To review a copy of the DigiCert 2019 Post Quantum Crypto Survey, visit https://www.digicert.com/post-quantum-cryptography/

Timothy Hollebeek

Avatar photo

Timothy Hollebeek

Timothy Hollebeek has more than 15 years of computer security experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He remains heavily involved as the primary representative for DigiCert in multiple industry standards bodies, including the CA/Browser Forum, striving for improved information security practices that work with real-world implementations. A mathematician by trade, Tim spends a lot of time considering security approaches to quantum computing.

timothy-hollebeek has 3 posts and counting.See all posts by timothy-hollebeek