Guest Post By Robert Haist, Chief Information Security Officer (CISO), TeamViewer
While the concept of quantum computing is far from new, today, leading companies like Google and IBM along with startups, research institutes and universities are making massive strides in the field. Subsequently, businesses are starting to follow suit by thinking seriously and proactively about quantum and its implications for IT security.
McKinsey & Company estimates that quantum computing could account for nearly $1.3 trillion in value by 2035. With this comes many considerations for security professionals in terms of both leveraging and protecting their organizations against such a fundamental shift in the world’s computing process and power.
Over the next decade, we can expect that big tech companies will continue to increase their focus and efforts on quantum and its potential to solve problems faster than ever before, while transforming business operations and society as we know it.
Post-Quantum Encryption is Coming
Today, functional quantum computers exist and some companies even provide access to them; however, these computers have a very limited number of qubits, meaning they’re not powerful enough to solve problems beyond what the supercomputers of today can already do.
To surpass what current supercomputers can do will require up to 20 million qubits. Currently, the biggest quantum computer has only 1,200, so there is still a way to go before the computing power is strong enough to get us there. However, with estimates that capable quantum systems could be ready by 2030, IT teams will need this time to prepare encryption to ensure it is secure enough to protect data and privacy at the level of complexity that quantum brings.
Today, some bad actors are already harvesting data they cannot yet decrypt, waiting for the arrival of quantum and the day they can. While this data will be outdated at that point, it could still be critical, take for example intelligent services data. Given the expense of storing data, most bad actors will only keep information relevant to them immediately; however, it is never too early for organizations to start planning.
Thankfully, cryptography experts are currently building cryptographic schemes that quantum computers won’t be able to break. This type of encryption is called post-quantum cryptography (PQC). The National Institute for Standards and Technology in the U.S. (NIST) is already certifying post-quantum encryption methods for various applications; it is expected that NIST standards will be adopted throughout the industry. For IT professionals, this means there’s no time like the present to start building a PQC plan to protect all personal customer and corporate data.
A Starting Point: Identify Current Encryption Use
When preparing for PQC, a good place to start is to identify all the points of encryption in your organization. Start with sensitive areas including VPN, external server access and remote access. IT leaders should also identify the cryptographic methods you’re currently using and think about how your organization can upgrade to post-quantum standards in the future.
Some encryption methods that are currently in use are particularly vulnerable to future quantum computers. For example, a method called RSA (named after Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977) encrypts a large portion of internet traffic. While this method uses prime factors that are difficult for traditional computers to decode, it’s much easier for a quantum computer. Prior to a powerful quantum computer being released, organizations will need to replace RSA. Fortunately, there are many options to do this. One is to double the number of bits current RSA encryption uses from 2048 to 4,096. This number is difficult for even quantum computers to crack.
The same goes for other encryption schemes. By increasing the problem size, you can make it much harder to solve.
In the coming years, we can also expect to see most operating systems deploying post-quantum safe crypto libraries. A browser will be able to use those libraries to protect browsing data. Thus, ensuring software is patched and up to date will become increasingly important.
Additionally, for companies providing web services to customers or employees, now is a good time to start thinking about how they will need to be compatible with these crypto libraries.
Focus on the Now with an Eye on the Future
The probability of a company’s network being attacked due to an outdated system is by far the more urgent threat security teams face today versus the threat of quantum computers. So, while IT professionals are right to focus on those more immediate threats now, it is important to also stay abreast of the latest developments in quantum and give consideration to what PQC will mean for their organization in the coming years.
Setting the stage and encouraging conversations now for a not-so-distant quantum future is a great way to begin elevating the topic internally to best prepare for future needs.