Cybersecurity Risks of Quantum Computing

Quantum computing is either months or years from commercial release, by various reports, but the cybersecurity community isn’t waiting to see how this game-changing technology will impact data security.[1] The National Institute of Standards and Technology (NIST) and Department of Homeland Security have already sounded the alert: Quantum processors will be able to unlock today’s widely-used public key encryption — deemed virtually unbreakable by conventional computers — in a matter of seconds. 

Quantum Computing Cybersecurity Preparedness Act

In December, President Biden signed the Quantum Computing Cybersecurity Preparedness Act. The new law requires federal agencies to prioritize the adoption of “post-quantum cryptography,” defined as “encryption strong enough to resist attacks from quantum computers developed in the future.”[2]

Q-Day

The National Security Agency has issued a 2035 deadline for federal agencies and their vendors to adopt post-quantum algorithms in critical systems related to national security.[3] Yet, the impending computing breakthrough known as “Q-Day” won’t just be a problem for the feds. The Internet, including some forms of e-commerce, depends heavily on public key encryption, and concerns also apply to protecting private companies’ data and cybersecurity. 

“Once access to practical quantum computers becomes available, all public key algorithms and associated protocols will be vulnerable to criminals, competitors, and other adversaries,” cautioned NIST. The agency urged companies to migrate to post-quantum cryptography, such as Advanced Encryption Standard-256 (AES-256), which is deemed “quantum-safe” for now. NIST is also evaluating new cryptographic algorithms to replace public key encryption.[4]

Cybersecurity and Quantum Computing - Risk Assessment 

Dr. Francis Gaffney, Senior Director – Threat Intelligence Engineering at Mimecast, has advised organizations to prepare for this future risk in several ways:[5]

• Identify their instances of quantum-vulnerable cryptography, such as public key-secured data. What are the assets, where are they stored, and what can be done to protect them? 
• Mark the systems that contain public key cryptography as “quantum-vulnerable.” These audits may take considerable time, and should be done sooner than later, given the stakes. 
• Update cyber-response plans or create cybersecurity playbooks designed to mitigate quantum computing-related threats.

Harvest Now, Decrypt Later?

Though it may sound like a sci-fi plot, some cybersecurity planners subscribe to the theory that bad actors will grab encrypted data now and decrypt it when quantum computers become available in the future. A Dark Reading article points out that this type of attack could imperil “long-lived information assets” such as bank records.[6] 

In the face of this and other risks, some experts are calling for “crypto agility — the ability to rapidly reconfigure cryptographic algorithms and implementations.” Many believe an organization like NIST will create a conversion path for today’s public key-encrypted content. For its part, NIST is also launching a campaign to educate the cybersecurity community about risks, best practices, and solutions. In a whitepaper, NIST notes that one cure could take the form of a hybrid algorithm that combines classical quantum-vulnerable and quantum-resistant public key algorithms.[7]

Complicating matters, no one knows or can foresee every possible vulnerability, though considerable testing and modeling will ensue. And many important questions remain unanswered: Could sensitive business records from today be unlocked tomorrow? How will this post-quantum encryption vulnerability impact cybersecurity risk and insurance? How quickly will viable solutions become available? 

Of course, implementing any encryption solution won’t be trivial. Today, billions of programmable computing devices may lack resilience to quantum threats. And the matter recently took on added urgency following unverified claims that China had used a relatively light quantum computer to crack RSA encryption, a type of public key cryptography that is widely used for email and other Internet applications.[8]

The Bottom Line About Quantum Computing and Cybersecurity

In a conversation on Mimecast’s Phishy Business podcast, Duncan Jones, Head of Cybersecurity at Cambridge Quantum, said, “We know that there is this point in time coming, whether it’s 10 or 15 years, where the encryption systems that we rely on today could very well be broken on quantum computers. So our industry does need to take steps now so that we’re ready for that moment.” Dr. Gaffney underscored this point, recommending that organizations initiate technology audits and other actions today to start preparing a post-quantum cybersecurity strategy for tomorrow. For a deep dive into quantum computing and cybersecurity, listen to Mimecast’s Phishy Business podcast episode on the topic. 

[1] “Commercial Quantum Computer Disruption on the Horizon,” Insider Intelligence

[2] H.R.7535 — Quantum Computing Cybersecurity Preparedness Act, U.S. Congress 

[3] “NSA sets 2035 deadline for adoption of post-quantum cryptography,” FedScoop

^[4] “What Is Quantum-Safe Cryptography and Why Do We Need It?”, IBM

[5] “Tips to mitigate public-key cryptography risk in a quantum computing world,” Help Net Security

[6] “Crypto Agility: Solving for the Inevitable,” Dark Reading

[7] “Migration to Post-Quantum Cryptography,” National Institute of Science and Technology

[8] “Did China Break the Quantum Barrier?”, Forbes