Post-Quantum Cryptography: security implications for the boardroom

Nils Gerhardt, Chief Technology Officer and Head of Product, Utimaco, on the security implications of quantum computing.

We can safely assume that most of the top-level executives are aware of quantum computing, especially when 100% of Fortune 500 companies and the majority of Global 2000 companies have a Chief Information Security Officer (CISO) who has certainly done at least a first assessment of the impact of Quantum Computing.

The key conversation now is around securing their organisations against quantum computing threats.

This requires engagement from an entire company. For those operating in certain industries, it could be a costly, lengthy process that involves securing millions of digital assets.

So, what does the rest of the boardroom need to know about Quantum Computing?

It would be difficult to explore the inner workings of quantum computers in this article without going into the complex, counter-intuitive theory behind them – what most people need to know is that they could be vastly more powerful than conventional computers.

To over-simplify the complex world of digital security, a company’s digital assets are protected by mathematics. The long and complex numbers that function as ‘keys’ to a particular digital lock could take upwards of trillions of years for a standard computer to solve, but they can be solved, and this means that the only thing preventing your digital assets from being open to all is computing power.

‘Quantum Supremacy’, the point at which a quantum computer can carry out calculations for certain problems faster than a conventional computer, was achieved several years ago. While we are perhaps years or even decades away from a Quantum General Computer, the fact that they could break standard forms of encryption that all digital security relies upon has been known about for years.

The first and most significant point to note in quantum computing is that we don’t know when working, commercially available quantum computers will be created. Just as at the quantum level everything is a jumble of shifting probabilities and contradictions, the world of emerging quantum computers is similarly unclear. The systems themselves are being developed by governments and very large corporations such as IBM and Google, so the most up-to-date developments are often behind closed doors and any information in the public domain should always be treated with caution.

Any announcements that a company or government has achieved a new fastest quantum computer do not necessarily mean that we are much closer to working quantum computers. Current quantum computers make one error in every hundred operations, but to be truly useful they would need an error ratio of one in a trillion. Algorithms can be used to compensate for these errors to a point, but to truly correct for them major advances need to be made in the systems themselves – and the problem is so severe that IBM has a ten-year roadmap for developing fault-resistant quantum computers.

That in no way means that usable, fault-tolerant quantum computers are guaranteed to arrive in 2034, but it does mean that we need to question anyone who claims that they will arrive within the next few years.

I would always encourage all companies to carry out an audit of which of their resources need to be secure (at the very least), but there are industries in which deploying post-quantum cryptography should be a matter of absolute urgency.

Firstly, any company that sells goods with long life cycles. The average car spends 11 years on the road before being scrapped, and a lot can happen in that time.

As a rule of thumb, if a connected device is likely, or even possibly, going to be used for five years or more then you should make sure that it is prepared for quantum cryptography.

For a similar reason, companies that manufacture components used by other companies also need to look at their quantum security.

You won’t know how long your components will be in use for, and their end-users may not know or be able to control the way they are secured, so it is best to be safe and protect them now.

Moreover, it is likely that the first instances of harm caused by quantum computing are going to be between state actors, as opposed to smaller cybercrime gangs. In this case, critical infrastructure such as power, water and transport will be the first civilian networks to be targeted – this has been the case for literally decades and will only become more dangerous as states have access to quantum computing.

Similarly, it goes without saying that companies that either work directly with or around the defence industry, not just in their own country but in any, will be prime targets for state-based or aligned bad actors with access to quantum computing.

Finally, regulated entities such as those in financial services and healthcare keep long-term, highly sensitive data on their customers, and if this data is altered, or even could be altered, then this would have major effects on the world’s financial environment, which relies on accurate records.

I must make clear that none of the above means that companies that aren’t in these sectors are safe – if any company leaves itself unprotected then various bad actors will, in time, find a way to exploit that, perhaps by decrypting the data much later.

And although there is a great deal of complexity around quantum computing, organisations like NIST have already worked out quantum-safe algorithms to protect data, and hundreds or thousands of companies are already using them to secure their data, even though the threats to that data have not emerged.

At the risk of labouring the point, we simply don’t know exactly when quantum computing will go from being a hypothetical to a threat, but it’s essential that the C-Suites of any and every company, not just the CIO or CISO, start preparing now by assessing what cryptographic assets are in use today that need to be protected against tomorrow’s threats.
