Amid the flurry of news, government and corporate announcements regarding the many milestones crossed by the quantum sector, firms can understandably struggle to know how they can prepare for burgeoning technology.
Quantum computing is a term that encompasses vast amounts of complex technology both hypothetical and actual, with use cases as varied and exciting as they are alarming.
One area that is particularly on the verge of quantum disruption is cybersecurity.
The evolution of quantum computing technology and its intersection with cyber presents organisations with a double-edged sword.
As the National Cyber Security Centre (NCSC) and others have warned, there is a real danger that quantum computers will be used to bypass current security standards. At the same time, the UK Technology Secretary Peter Kyle has been insisting the very same computers will be used to “take the fight to the criminals”.
In any case, it is an undeniable fact that the field of quantum has advanced so far, and continues to advance at such an incredible rate, that businesses and organisations in any sector can no longer afford to dismiss it as science fiction.
So, what do companies need to know about quantum cybersecurity?
Are quantum computers already dangerous?
The good news for now is that currently, no known quantum computer can break standard cryptography, but where once the field spoke in decades, now the timeline for accessible quantum computing is significantly tighter.
The NCSC in its guidance has given firms roughly 10 years to have successfully migrated their security systems to post-quantum cryptography (PQC), but that does not mean they have a decade to prepare.
Most estimates from within the industry put the turning point – the moment at which quantum computers surpass classical computers – at around 2030. This is why the NCSC’s guidance notes that by 2028, organisations should have identified cryptographic services that need upgrades and by 2031 should have already executed high priority security upgrades.
Even the five-year timeline for quantum security is generous, however, as bad actors may already be taking early steps to capitalise on quantum’s future capabilities.
“Today’s threat actors are preparing in the same way as any other organisation in using quantum computing to their advantage,” Omer Kidron, a security consultant at cybersecurity group Sygnia told UKTN.
“We are seeing the sentiment of ‘harvest now, decrypt later’ where they can capture and archive encrypted traffic like diplomatic cables, trade secrets, health record and decrypt this valuable data once quantum hardware matures.”
Why can’t current standards handle quantum computers?
While quantum computers for now are not capable of breaking standard cryptography, there is little question over whether they will be able to in the future.
Cryptography algorithms essentially rely on complex mathematical problems like integer factorisation and discrete logarithms to protect digital assets and information.
The processing power of a fully operational fault-tolerant quantum computer is exponentially greater than classical machines, meaning those mathematical problems can be solved with relative ease.
“The risk is significant since quantum computers threaten some of the most widely used cryptosystems, like RSA and ECC,” Alvaro Véliz Osorio, head of technology partnerships at quantum company Riverlane, told UKTN.
What steps can I take?
The earliest concrete step required is briefing security and compliance teams on the known risks and timelines, as well as the aforementioned “harvest now” scenarios.
Though threats from quantum technology may be coming soon, we are still at the start of the NCSC’s PQC transition timeline, meaning now is the time for detailed risk analysis and evaluation of the gaps in current systems.
High level organisations holding extremely sensitive data will likely have to eventually onboard in-house quantum cyber experts to manage their systems, but Kidron noted that “we need to tailor preparation efforts to each organisation’s industry, operational field and risk appetite”.
Therefore, for many groups the role of PQC managed service providers will likely become key. Pilot programmes and testing of PQC models over the next one to two years will be critical and will require cooperation within the industry.
“As PQC becomes the default, everyday adoption will be simplified, and more businesses will need post-quantum readiness strategies and protocols,” Kidron added. “Regulatory drivers will also encourage more businesses to prepare.”
The post How can companies prepare for quantum cybersecurity? appeared first on UKTN.
