Giving a cyber attacker access to a quantum computer is kind of like handing the keys to a Ferrari Portofino M to a 12-year-old. You really don’t want to think about the possible consequences.
It’s not a question of if, but when, the security risks posed by quantum computers become a significant danger, warns Colin Soutar, a Deloitte & Touche managing director and US cyber quantum readiness leader, as well as a member of the World Economic Forum’s Expert Network. He observes that some threats are already impacting organizations. “Adversaries are targeting organizations via Harvest Now-Decrypt Later (HNDL) attacks, which enables them to steal sensitive data with the intent to decrypt it once quantum computers become [widely] available.”
The security of today’s public key encryption is based on the fact that huge computational resources are required to solve factoring problems, especially for large integers, says NTT Research CEO, Kazuhiro (Kazu) Gomi. This may no longer be true in the years ahead, he warns. “Shor’s algorithm, running on a scalable quantum computer, will change this environment entirely,” Gomi predicts. With scalable quantum computers, factoring problems will no longer be difficult to achieve, and attackers will be able to determine secret-keys from public-keys. “Once the secret-key is known, the bad actors can complete many different attacks, including pretending to be the legitimate party in exchanging sensitive information,” he notes.
The timeline for the arrival of quantum cyberattacks depends on the widespread availability of sufficiently powerful quantum computers. “Progress in quantum computing is ongoing, and various organizations, including technology companies and research institutions, are working on quantum hardware and algorithms,” Gomi says. “However, it’s important to note that building stable and scalable quantum computers is an extremely challenging task, and significant technical hurdles remain.”
A quantum cyberattack would likely be similar to today’s identity theft and data breaches. “The only difference is that the damage would be more widespread, since quantum computers could attack a broad class of encryption algorithms rather than just the particular way that a company or data center implements the algorithm, which is how attacks are currently done,” explains Eric Chitambar, associate professor of electrical and computer engineering at the Grainger College of Engineering at the University of Illinois Urbana-Champaign. Chitambar also leads the college’s Quantum Information Group.
We do have some idea of what to expect, Soutar says. “A cyberattack targeting quantum computers could [be] a bad actor accessing a network and looking for indicators that it includes valuable data traffic that would be subsequently captured and decrypted,” he observes. “Stolen data online today may already be a result of a HNDL attack, so it’s important we become better at recognizing these attacks, and of generally protecting access to such data.”
The best way to get a step ahead of quantum attackers is to change current data encryption methods to “quantum-safe” strategies, Chitambar says. “A quantum-safe algorithm is a security method using conventional computers that [would be] difficult to break, even for quantum computers,” he explains. Another possible path is to consider using quantum computers to store and transmit information securely. There are already known quantum methods for secure communication, and these would be safe against quantum cyberattacks, Chitambar notes. “In this scenario, we would be fighting quantum with quantum.”
While “Q-Day” might still be at least 5-10 years away, it’s coming faster than most security experts would like. Organizations should consider developing and deploying quantum-resistant security strategies now, says Torsten Staab, chief innovation officer and principal technical fellow at defense technology firm Raytheon.
Conducting an enterprise-wide quantum risk assessment to help identify systems that might be most vulnerable to a quantum attack would be a good place to start, Staab says. He also recommends deploying enterprise-wide Quantum Random Number Generator (QRNG) technology to generate quantum-resistant encryption keys. This approach promises crypto agility, implementation of Quantum Key Distribution (QKD) and the development of quantum-resistant algorithms. “As we head toward a quantum computing era, adopting a zero-trust architecture will become more important than ever,” Staab states. “Zero-trust principles such as ‘never trust, always verify’, ‘network micro-segmentation’, and ‘least-privilege access’, will be key to any organization’s security protocol.”
The good news is that the cryptographic community has been working to address quantum threats for several years. “The idea is to apply more complex mathematics to public key encryption so that even quantum computers cannot crack its security,” Gomi says. The latest encryption strategy is Post Quantum Cryptography (PQC). PQC’s key benefit is that although it has a more complex mathematical basis, widely deployed hardware can handle encryption/decryption processes in a manner similar to today’s public key system.
Staab says that building an effective quantum-readiness strategy, including a roadmap that addresses all potential threats, is essential. He notes that during the transition from today’s classical to tomorrow’s quantum crypto world, IT/OT solutions will have to be updated to support both technologies in order to properly function within mixed environments that include both legacy and next-generation PQC-enabled systems.