On January 26, the famous Time Magazine devoted its cover story to quantum computers. In and of itself, it is remarkable that quantum computing has reached a point where it gets pride of place on the cover of one of the world’s most important magazines (TIME has over 20 million subscribers). It says something about the journey this technology has been on. From an esoteric, theoretical research area to an overhyped phenomenon resembling something from sci-fi-stories… to where it is today: a factor considered in sober and serious forecasts on the development of IT in society. Citizens, businesses, industrial sectors, states, defence ministries… everybody is aware of – or is going to have to become aware of – the rise of quantum computing, within a few short years. This I can guarantee.
Today’s encryption techniques are 45 years old
Data security is a vivid example of an area which quantum computing is going to both redefine and problematise. What I mean by “problematise” becomes clearer when we look back in history: because it was back in the 1970s when mathematicians came up with the encryption methods we still use today to securely exchange data online. These encryption methods are found in billions of computers and communication systems: when we receive results from our doctor; when we chat with friends; when we shop online; when we review insurance or tax documents; when data is exchanged in the financial world; and in almost all situations where we transport information digitally, the RSA and Diffie-Hellmann encryptions methods are used.
There’s a certain irony in the fact that, not long after RSA was invented, the idea of quantum computing was suggested by the Nobel Prize winning physicist Richard Feynman. Indeed, in 1994 it was discovered that a large, functional quantum computer would only need a few hours to crack RSA encryption, whilst it would take the computers we use today billions of years to do this. The consequences of this are terrifying.
All the information which we have for generations treated as confidential will, as quantum computers become widespread, be rendered easily accessible. The security systems we use today were invented with an expiry date – and that date has now passed. We shall now see why.
An entire era of data security is coming to its end. “Harvest Now, Decrypt Later” is an attack strategy hackers are already using today, where they collect and store sensitive, business-critical information in encrypted form. The hackers know that they cannot break the RSA encryption today, but that they will be able to in the future. And the most important thing to bear in mind here is the fact that the best and brightest physicists and engineers are hard at work constructing quantum computers – and that their progress is already following a Moore’s law for quantum computers: exponential increases in computing power over time.
Quantum resistant encryption is on the market
As promised in the headline, there are solutions to these data security challenges. Hard work is being undertaken to come up with quantum resistant encryption methods, which can be used for both the storage and transfer of data. The America National Institute of Standards and Technology (NIST) is well on its way to developing a quantum-secure standard for encryption – Post-Quantum Cryptography (PQC), as it is known. NIST expects to have that standard ready sometime during 2024. The preliminary standards are already being recommended by the National Security Agency (NSA), and US President Joe Biden has issued a legislative requirement for US infrastructure to employ quantum-resistant cybersecurity. All this safeguarding work will take many years, which merely accentuates the need for action.
Whilst waiting for NIST’s quantum resistant standards to arrive, businesses and organisations need to do the following. Firstly, they need to consider whether they have effective encryption key management – also known as Public Key Infrastructure (PKI) Management. Then, they need to consider whether they will apply some of the early quantum resistant solutions, which – whilst not yet recognised as widespread standards – still provide quantum resistant encryption to websites and APIs. This could, for example, be done through partnering with a forward-thinking tech supplier.
On top of this, there are security products on the market which allow the storage of sensitive data in quantum-secure storage – either in the cloud or in data centres. Secure storage of data is, however, only half the answer – and the problem with the storage of encryption keys becomes even more pressing in case the entire organisation is not quantum secure.
A popular solution to current cyber security challenges is to implement Zero Trust Architecture (ZTA), that can provide robust security against many types of attacks, including traditional attacks like phishing, malware, and unauthorized access. Unfortunately, ZTA do not specifically protect against quantum computing attacks.
That’s why it is important to continue complying with today’s data management policies. Swathes of data are exchanged today internally and externally, with the belief that this material is protected from prying eyes. But now that we know that quantum computing has changed the rules of the game, shouldn’t business’ data policies in turn be updated? Our recommendation is to map out, already now, which data is the most critical to protect. Which digital assets – the crown jewels of data – absolutely cannot be security compromised, either now or in twenty years. Firms need to consider using resources to protect these assets with quantum-safe encryption methods.
Quantum computers possess an incredible potential to develop society in ways that benefit us all. And the time will come to talk about those benefits. But right now, in the world of data security, quantum computing represents a threat – and one that needs to be responded to as quickly as possible.
Jacob Bock Axelsen (Snr Manager) is CTO in Deloitte Risk Advisory and is an expert in mathematical modeling and a specialist in artificial intelligence. Jacob is educated in mathematics- economics (BSc), biophysics (MSc) and physics (PhD) with nine years of research experience abroad. His scientific background has proven useful in advising both private companies and public institutions on AI, AI governance, Quantum Computing, Organizational Network Analysis, Natural Capital Management and much more. After six years in Deloitte he has developed a strong business acumen. He holds the IBM Champion title for the fourth year in a row and is part of Deloitte’s global quantum computing initiative.