
Quantum Computing and CISO

  • Writer: Alexey
  • May 18, 2021

Episode 5 - Quantum Technology Explained series

Quantum computing is no longer science fiction. It is real and imminent. And it’s a challenge that CISOs need to learn to tackle – today.


Quantum computing is a new technology that brings disruptive advancements into many areas. Its ability to efficiently solve mathematical problems that we couldn't solve before, and that underpin cryptographic algorithms, is having a significant impact on the information security industry. It poses serious security issues. Not in the future but now.


Many security teams still believe that quantum computing is an esoteric problem, leaving them seriously unprepared for its looming impacts and potentially exposing their organisations to serious risk.


If an organisation’s encrypted data is intercepted today, it can be recorded in its encrypted format for decryption when quantum computing capabilities are available. This means that if the underlying information will still have value in the future, it is currently not well protected.

Cryptographic algorithms that protect our information underpin so much of our daily lives and the successful operation of organisations: remote connections, banking transactions, messaging and confidential documents. As quantum computing matures, the cryptographic algorithms that currently protect information, and that were expected to work for the next 30 years, should begin to be replaced today. It won’t be a quick fix, but it’s an issue that CISOs need to be taking action on before the cyber risks turn into reality.


CISOs should begin by taking the following proactive steps to assess their organisation's quantum computing exposure and preparedness.

  1. Identify what cryptographic solutions are used and where.

  2. Assess and rank the potential impact of a failure of cryptographic algorithms for applications and services.

  3. Launch a cryptographic agility program. The aim of the program should be to change the DNA of the organisation and make cryptographic libraries a variable rather than a constant.

  4. Increase the length of symmetric cryptographic keys to extend the lifespan of algorithms.

  5. Adjust security policies to provide a robust framework that supports cryptographic agility.

  6. Include risk descriptions in regular board reporting packs to increase senior management awareness and lodge risks in a risk register system.

  7. Facilitate and support IT and development education campaigns to nurture community knowledge and increase public awareness.
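Steps 1, 2 and 4 can be prototyped as a small triage script. The following is an added example, not code from the original post: the inventory rows, field names, the 128-bit target and the 10-year quantum horizon are all constructed assumptions, and the ranking uses Mosca's inequality plus the common rule of thumb that Grover's search halves effective symmetric key strength.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# Symmetric ciphers: Grover's search roughly halves the effective key strength.
SYMMETRIC = {"AES", "CHACHA20"}
TARGET_BITS = 128  # assumed post-quantum strength target for symmetric keys
ORDER = {"critical": 0, "raise-key-length": 1, "unknown": 2, "plan": 3, "ok": 4}

@dataclass
class Asset:  # one row of a hypothetical cryptographic inventory (step 1)
    name: str
    algorithm: str
    key_bits: int
    secrecy_years: int    # how long the protected data must stay confidential
    migration_years: int  # estimated time needed to replace the algorithm

def assess(asset, years_to_quantum):
    """Return (severity, reason) for one inventory row (step 2)."""
    alg = asset.algorithm.upper()
    if alg in SHOR_BROKEN:
        # Mosca's inequality: exposed when secrecy + migration > time to quantum.
        margin = years_to_quantum - (asset.secrecy_years + asset.migration_years)
        if margin < 0:
            return "critical", f"confidentiality window overruns by {-margin} years"
        return "plan", f"{margin} years of slack before migration must start"
    if alg in SYMMETRIC:
        effective = asset.key_bits // 2  # rule-of-thumb Grover discount (step 4)
        if effective < TARGET_BITS:
            return "raise-key-length", f"about {effective}-bit effective strength"
        return "ok", f"about {effective}-bit effective strength"
    return "unknown", "algorithm not classified, review manually"

def rank(inventory, years_to_quantum):
    """Sort inventory rows so the most urgent findings come first."""
    rows = [(a.name, *assess(a, years_to_quantum)) for a in inventory]
    return sorted(rows, key=lambda row: ORDER[row[1]])

# Constructed sample inventory; names and figures are illustrative only.
INVENTORY = [
    Asset("db-at-rest", "AES", 256, 10, 1),
    Asset("internal-wiki-tls", "RSA", 2048, 1, 2),
    Asset("backup-archive", "AES", 128, 20, 1),
    Asset("customer-vpn", "ECDH", 256, 15, 3),
]

if __name__ == "__main__":
    # years_to_quantum=10 is an assumption for illustration, not a forecast.
    for name, severity, reason in rank(INVENTORY, years_to_quantum=10):
        print(f"{severity:17} {name:18} {reason}")
```

Re-running the ranking with a shorter or longer horizon shows which assets change severity, which is a useful input for the board reporting in step 6.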

There are also some things a CISO needs to avoid.

  1. Avoid thinking that quantum computing is an esoteric concept. It is happening right now.

  2. Do not lose sight of the bigger picture due to operational routines. Quantum computing will be a wildly disruptive change, and cybersecurity will be the first to experience it.

  3. Simply changing internal processes is not enough. If a process change does not enforce the implementation of new requirements, CISOs should drive this change manually.

  4. As preparation is key, the worst course of action today is to do nothing.

Apart from bringing risk, quantum computing also brings new security techniques and opportunities, such as through Quantum Key Distribution (QKD). The crux of QKD technology is the continuous generation of a key between two nodes, guaranteeing security through our knowledge of the laws of quantum physics.


Security is assured unless a new explanation of the quantum world can be developed. In contrast, classical cryptography relies on difficult-to-solve mathematical problems, such as the prime factorisation problem, and is only secure until the underlying problem is solved. This makes QKD secure from quantum computing capabilities.


Quantum computing is a new technology that CISOs must monitor closely and start to take action on. It has already begun to disrupt information security. In theory, it could be said that classical cryptography algorithms are no longer secure. While quantum computers are still being improved and confidential data may not yet be exposed, the quantum computer development timeline is quickly approaching the period for which information must be protected.


To stay in the know, follow IBM, Google, IonQ and Honeywell publications.

 
 
 



© 2025 by Alexey Bocharnikov
