In a week where we saw major announcements in quantum computing, are we preparing too soon?
Discussions on quantum computing were all the rage as the new decade began, and developments this week showed the preparation for those enhanced capabilities.
At the start of 2020, I reported on how quantum computing was seen as the next wave of technological development, and as millions were being spent on this form of computing. While it is in its infancy and not an immediate threat, it could be one in the coming decades, so it is time to prepare and consider converting now.
Bringing Reality Forward
At that time, the talk was of the development of a quantum computer by Google. Named Sycamore, it was able to complete a complex computation in 200 seconds.
Moving forward to August 2024, and this week saw two announcements that have brought the reality of quantum further forward. A number of banks announced plans to collaborate on studying the application of Quantum Key Distribution (QKD) to help address quantum computing cyber threats by protecting the exchange of cryptographic keys.
In the other announcement, a principal set of encryption algorithms were released by NIST, designed to withstand cyber-attacks from a quantum computer. Described as “marking a critical advancement in securing our digital infrastructure,” the release was a culmination of eight years of work and was welcomed by industry.
A BT Group spokesperson called the publication of NIST’s first set of post-quantum cryptography (PQC) standards as “a significant milestone for modern cybersecurity” and called the set of algorithms “a globally leading standard in a new era of protecting communications against cyber-attacks by quantum computers.”
The statement from BT Group made a fair point - quantum computers are not yet able to break cryptography. In fact, all of this preparation could be a bit like stockpiling water and canned goods in advance of Y2K. In reality, it is important for organisations to have a plan for managing risks and threats such as this, with BT Group saying that “quantum readiness for these systems is a priority.”
In agreement was Roger Grimes, data-driven defence evangelist at KnowBe4, saying every organisation, if they have not already done so - and most have not done so - will be creating a multi-year post-quantum migration project involving far more resources than they have experienced in decades.
“What was needed for most organisations to care and start creating their very necessary, required, post-quantum project” he said, calling the NIST announcement as the equivalent of a starting shot to allow everyone to start their own post-quantum migration products.
“Now there is no reason for anyone to not have a post-quantum migration project,” Grimes said. “The only question now might be why you haven't already started yours?”
Common Within the Next Decade?
Is this going to be the start of a move to adopt and embrace quantum more? Jamie Boote, associate principal consultant at the Synopsys Software Integrity Group, said the NIST standards are all about futureproofing the next generation of products, and while it’s not likely that quantum computers, capable of breaking current encryption algorithms will be common within the next decade, “it is very likely that hardware and software with long lifespans may operate in future environments where not running post-quantum encryption algorithms is a real vulnerability.”
So again, the message here seems to be about futureproofing yourself against what could be a major offensive capability. After all, if we had known about every potential vulnerability that could be exploited on the way to a major incident, then we would do something about it, right?
What we need now is a reason to implement quantum computing across the board. Major companies may be able to spend the money and make the space available to do this, but otherwise are the majority of businesses capable of deploying quantum computing defences? The answer is probably not, but perhaps what we are seeing is the start of some level of enablement.
Retrofitting Applications
So what about this from the perspective of the practitioner? Ian Thornton-Trump is CISO of Cyjax, and he told SC UK that he felt quantum cryptography was his “retirement bus stop.”
He said: “As your career moves through technology you end up confronting the future reality which is beyond your current comprehension. I’m there on this subject: I get it’s the future but, I would say I will probably be long dead before it really impacts my life and it becomes ‘a thing’.
On the earlier comment about deployment, Thornton-Trump said there are probably several million applications in this world dating back to the mainframe era which would need retrofitting with this quantum technology.
“I get that better or even unbreakable encryption is necessary, but as a practical matter in everyday life, the use case seems elusive to me,” he said. “So many security problems are human problems and/or architecture problems, and I can’t or maybe don’t have the knowledge required to trace a path from quantum encryption to actual practical security controls.”
He concluded with a comment that will likely resonate with many practitioners: “What I dread is my LinkedIn and inbox filling up with an orgy of security products which claim they are new and improved by quantum encryption. I can’t wait for VPN vendors to volley fire ‘quantum VPN’ at me relentlessly. Oh the infosec future looks great but I’m sure we will be told ‘certified quantum’ is the way forward.”
This leaves me with the question of if this preparation is being done, is it being done for the next generation to be better defenders? Are these announcements really required for industry in 2024, given the conversation has been relatively quiet since 2020 - in my view.
Preparation is no bad thing, but are we setting ourselves up for a challenge that could take years to be reality? It’s good to see steps forward, but who does this really benefit at this stage.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.