In today's technologically connected world, it is paramount for organizations to have a strategy for managing their information technology cyber (IT) risks. Without one, organizations are not only more susceptible to cyberattacks, but it makes it harder for them to adapt to new technologies and risks as they emerge. "IT risk management is an essential tool for organizations to ensure data security, business continuity, compliance, competitive advantage and positive reputation," writes information security expert Hakan Kantaş in his ISACA blog post, Proactive IT Risk Management in an Era of Emerging Technologies.
Organizations should incorporate new risks into their risk management strategy as they emerge. Quantum computing risks should be no different. By adding quantum computing risks into their broader risk management strategies, organizations can more effectively understand and mitigate future risks — instead of treating them as separate issues.
Quantum computers pose a direct threat to many of the cryptographic algorithms (such as data encryption and digital signature schemes) used today, rendering them vulnerable to future attacks. "The federal government is already planning for the day when quantum hackers will try cracking the codes that protect your bank account," writes Alan Boyle, award-winning science writer and veteran space reporter, contributor to GeekWire.
Understandably, then, the question on everyone’s mind is "when will quantum computers arrive?" Unfortunately, the answer is impossible to know (without a time machine, that is). Some experts predict 2030. Some think earlier. Some think later. The U.S. government, for example, appears to be preparing for the arrival of cryptographically relevant quantum computers (CRQCs) by the middle of the next decade.
Since there is not an exact date for years to quantum (Y2Q), the next best thing is to estimate the likelihoods of CRQCs emerging at different points in the future. Global Risk Institute uses this approach in its Quantum Threat Timelines report.
Having a specific date in mind can help create a quantum-safe migration roadmap, but it can also make that roadmap less adaptable to, say, sudden technological breakthroughs or research advances. Because of the unpredictability, betting on a specific date can be a losing strategy.
What's more important is understanding your risk tolerance and planning accordingly. Instead of asking, "Will a cryptographically relevant quantum computer emerge by 2030?" organizations should be asking, "What is the probability that one will emerge by 2030?"
For example, suppose that you believe there is a five percent chance that a CRQC will be able to compromise your systems and data by 2030. That is, if you are not quantum-ready by 2030 there is a 1/20 chance that your sensitive data and IT systems will be vulnerable to quantum-aided attacks. Are you willing and able to take that chance? Would you risk your customers’ data? Your financial information? Your trade secrets?
Cryptography Today and What’s at Stake
Let’s take a step back and examine cryptography today and address why there is so much discussion and concern around the quantum risk to modern cryptography. Simply put, cryptography is the foundation of digital trust. For a good overview on cryptography and quantum, watch the recent interview with Atsushi Yamada, ISARA CEO.
In today's rapidly evolving landscape of business, e-commerce, and global communication, cryptography is indispensable to everything we do. Cryptography plays a pivotal role in safeguarding and securing digital data, protecting personal privacy, ensuring the integrity of financial transactions, protecting national security, healthcare data, supply chains, critical infrastructure, and so on. Cryptography enables the use of IT infrastructures and provides the foundation for information security systems. If cryptography disappeared tomorrow, most modern organizations would cease to operate, and the digital world as we know it would be vulnerable to breaches and fraud — and, ultimately, chaos.
Most contemporary public-key cryptography relies on mathematical problems that are computationally complex — such as factoring large integers or computing discrete logarithms — which would take conventional computers an implausible amount of time and resources to solve. Quantum computing leverages the principles of quantum mechanics, which enables it to perform certain types of calculations — such as factoring large integers and computing discrete logarithms — significantly faster than classical computers. Hence, quantum computers represent a notable threat to our information security.
How You Prepare for Quantum Depends on Your Risk Appetite
Determining the level of risk organizations can tolerate when it comes to quantum computers is complex and hinges on various factors. One of the primary considerations is the nature of the data itself. Highly sensitive and confidential information, such as financial records or personal health data, typically demands a very low tolerance for risk. Any breach or compromise of such data can result in severe financial and reputational consequences. An organization's industry and regulatory environment play a significant role in shaping its risk appetite.
On the other hand, less critical data, such as publicly available marketing materials, might allow for a higher degree of risk tolerance. Striking the right balance between security and risk tolerance requires careful evaluation and a comprehensive risk assessment. Thinking back to the five percent example above, you can only answer the question of whether you feel comfortable taking that risk if you also know the value of your assets and how they are secured today. Unfortunately, many organizations have a limited understanding of where and how they are using cryptography today, making cryptographic risk difficult to evaluate. And so, creating a cryptographic inventory is a critical early step for organizations looking to begin their quantum-safe migration journeys.
A Solution Today: Post-Quantum Cryptography
Global Risk Institute states that "the quantum threat to [cybersecurity] can be mitigated by deploying new cryptographic tools (both conventional and quantum) that are believed or known to be resistant to quantum attacks. Nonetheless, the transition to quantum-safe cryptography is a challenge itself, as it requires the development and deployment of hardware and software solutions, the establishment of standards, the migration of legacy systems, and more."
As quantum computing technologies mature, quantum-resistant cryptographic methods are critical to ensuring continued data security. "Post-quantum cryptography is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers," said Rob Joyce, Director of NSA Cybersecurity. "The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry. The key is to be on this journey today and not wait until the last minute."
The National Institute of Science and Technology (NIST) has already released three draft standards of quantum-safe cryptographic algorithms for public comment. A fourth is expected to be available sometime in early 2024, with additional algorithms potentially being announced in 2024 or beyond. "We’re getting close to the light at the end of the tunnel, where people will have standards they can use in practice," said Dustin Moody, a NIST mathematician and leader of the project.
Quantum computers pose real risks to organizations. Becoming quantum-safe isn’t just an IT problem. Organizations that continue to use quantum-vulnerable cryptography (aka today’s public-key cryptography) could put their entire IT infrastructure and all their sensitive data at significant risk, as well as those of customers or clients they might supply products or services to.
The post-quantum migration is a journey. It won’t be done all at once and will require a phased approach over some number of years. Two important questions to ask today:
Need some help? At ISARA, we are focused on enabling quantum-safe migrations for government and enterprises. We can help you discover your quantum risks and help you to manage them. Contact us today!