Navigating Quantum Risks – Proactive Strategies for Cybersecurity Professionals

In an era of rapid technological advancements, quantum computing stands out as a groundbreaking innovation with the potential to revolutionize industries from pharmaceuticals to financial services. With unprecedented computational power, quantum computers promise to solve complex problems at speeds unimaginable with classical computers. But like all great advancements, quantum computing isn’t just about potential—it’s also a looming threat that demands the attention of today’s security professionals. At the World Knowledge Forum, Skip Sanzeri, Co-founder and COO of QuSecure, didn’t mince words when he said:

“This threat is existential; this threat is a global threat which will change the balance of power if somebody comes online with a quantum computer and wants to do bad things.”

As IT pros, we’ve seen our fair share of doomsday scenarios—remember Y2K? And while security pros are usually more pragmatic than panicky, the question remains: How close are we to a real-deal quantum computer, and just how big of a threat does it pose? Let’s dive in and uncover the answers.

The concept of quantum computing began with the convergence of quantum mechanics and computer science. Quantum computers are basically superpowered calculators that use quantum bits (qubits) instead of classical bits (0/1). Qubits can exist in multiple states simultaneously, allowing quantum computers to solve certain problems faster.

Understanding the threat

Quantum computers pose a significant threat to classical encryption methods. Their ability to rapidly factor large numbers jeopardizes the security of encryption techniques we currently depend on to protect our data and communications. Much of internet security, including online shopping and Wi-Fi connections, relies on public key, or asymmetric key cryptography—a vulnerable target for quantum attacks. For example, Diffie-Hellman (DH), used for secure communication key exchange, is susceptible to compromise by quantum computers that efficiently solve the discrete logarithm problem. Similarly, Shor’s quantum algorithm can rapidly factor large semiprime numbers, jeopardizing RSA encryption. For instance, a 20-qubit quantum computer could potentially break RSA encryption in as little as 8 hours.


So, how close are we to developing a quantum computer, possibly a 20-qubit one? Surprisingly close. In February, IQM Quantum Computers, a leading player in the quantum computing field, achieved significant milestones with its 20-qubit quantum computer.

Even legislatively, the momentum is evident. In December 2022, the Quantum Computing Cybersecurity Preparedness Act became law in the USA. This legislation urges federal agencies to adopt technologies that protect against quantum computing attacks, ensuring cybersecurity that’s resilient to quantum threats.

The Response

The signs are undeniable: quantum computing is on the horizon, and readiness is key to meeting its arrival head-on. Here are three pivotal steps for security professionals to take immediately in order to adeptly navigate the quantum risk landscape:

  1. Understand Your Organization’s Current State: Do you have a list of assets vulnerable to quantum computing? To address this, undertake the following steps:
    1. Identify critical areas and sensitive information.
    2. Assess your cryptography inventory for any asymmetric encryption.
    3. Recognize and potentially address immediate risks, such as the “Harvest Now, Decrypt Later” tactic used by malicious actors.
  2. Assess the Potential Impact: Examine how quantum computing risk could affect your organization.
    1. Evaluate the potential impact on essential data, code, cryptographic technologies, and critical services.
    2. Prioritize identifying critical areas and systems safeguarding sensitive data with enduring value, possibly exceeding 10 years. Adapt impact assessments according to the evolving relevance of data and code, aligning with retention policies.
  3. Develop a Quantum-Safe Strategy: Craft a tailored strategy to safeguard your organization.
    1. Define operational and structural adjustments required for swift integration of Post-Quantum Cryptography (PQC) standardized algorithms into your technology stack, ensuring sensitive data security in the long term.
    2. Establish a roadmap for organization-wide remediation efforts, driven by insights from the business context. For instance, Microsoft’s Quantum-Safe strategy prioritizes symmetric encryption adoption, transitioning to PQC for asymmetric encryption upon standardization and approval by relevant authorities and cybersecurity agencies worldwide.
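As an added illustration (not from the article or any vendor's tooling), the sketch below shows how steps 1 and 2 can be turned into a first-pass triage of a cryptography inventory: it flags asymmetric algorithms and raises the priority where they protect the confidentiality of data retained for more than 10 years, the "Harvest Now, Decrypt Later" case. The inventory rows, column names, algorithm-prefix list and priority levels are all constructed assumptions.

```python
import csv
import io

# Constructed sample inventory (not from the article).
SAMPLE_INVENTORY = """asset,use,algorithm,retention_years
payments-api TLS,key_exchange,ECDHE-P256,12
vpn-gateway,key_exchange,DH-2048,3
backup-archive,encryption,AES-256-GCM,15
hr-file-transfer,encryption,RSA-2048,25
code-signing,signature,RSA-3072,5
"""

# Asymmetric families that rest on factoring or discrete logarithms (assumed naming scheme).
ASYMMETRIC_PREFIXES = ("RSA", "DH", "ECDH", "ECDSA", "DSA")
LONG_LIVED_YEARS = 10  # the article's "enduring value" threshold


def is_asymmetric(algorithm):
    return algorithm.upper().startswith(ASYMMETRIC_PREFIXES)


def classify(row):
    """Return (priority, reason) for one inventory row; 1 is most urgent."""
    if not is_asymmetric(row["algorithm"]):
        return 3, "symmetric: no asymmetric exposure"
    years = int(row["retention_years"])
    # Harvested ciphertext only matters for confidentiality uses, not signatures.
    confidentiality = row["use"] in ("key_exchange", "encryption")
    if confidentiality and years > LONG_LIVED_YEARS:
        return 1, "harvest-now-decrypt-later exposure on long-lived data"
    return 2, "asymmetric: schedule for PQC migration"


def triage(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    results = [(*classify(r), r["asset"], r["algorithm"]) for r in rows]
    # Most urgent first; sorted() is stable, so ties keep inventory order.
    return sorted(results, key=lambda item: item[0])


if __name__ == "__main__":
    for priority, why, asset, alg in triage(SAMPLE_INVENTORY):
        print(f"P{priority}  {asset:<18} {alg:<12} {why}")
```

Signature uses stay at priority 2 regardless of retention because recorded traffic cannot be retroactively decrypted through them; they still need migration before a capable quantum computer exists.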

In conclusion, as quantum computing advances, so does the urgency for security professionals to fortify their defenses. By understanding the current state of their organizations, assessing potential impacts, and developing quantum-safe strategies, they can effectively mitigate risks and safeguard critical assets. By taking these proactive measures, security professionals can navigate the quantum risk landscape with confidence and resilience, ensuring the security of data and communications in the face of emerging threats.

The time to act is now. 

About the Author

Somdutta Banerjee

Somdutta Banerjee, CISSP, CCSP, is a seasoned cybersecurity professional with over a decade of experience across various financial institutions worldwide, contributing to a wide portfolio of cybersecurity expertise spanning cybersecurity strategy and cybersecurity evaluations, cloud security, IT risk governance and information system security. One of her foremost skills is implementing cybersecurity solutions that align with business constraints and ensure operational efficiency in a hybrid cloud environment. She has a keen interest in staying ahead of emerging threats, particularly in the realm of quantum computing. Outside of professional pursuits, Somdutta is an avid reader, enjoying literature that broadens her horizons.
