The cybersecurity implications of quantum computing

Feb. 21, 2023
Organizations enter a new era of cyber threats despite the exponential technology advances

Rapid developments in quantum computing, such as IBM's Quantum Condor processor with a 1000 qubit capacity, have prompted experts to declare that the fourth industrial revolution is about to make a “quantum leap.”

The exponential processing capability of a quantum computer is already being welcomed by governments and corporations. New drug discovery, more in-depth and faster analytics for financial trading, increased efficiency in supply chain management systems, and many other exciting and cutting-edge applications are all possible thanks to the ongoing transition from academic and physics principles to commercially available solutions.

While organizations explore how to maximize these new capabilities, they must also ensure they are fully prepared for the cybersecurity implications of quantum computing.

Quantum Computing and the Cybersecurity Threats

Quantum computing will enable great innovations in the future, but it will be accompanied by diverse risks. The potential of quantum computers to break the current security of common activities in our daily lives could have severe consequences. The quantum cybersecurity threat forebodes data breaches of sensitive health and financial personal data, challenges to the integrity of digital assets, and breaking the fundamental cryptography underpinning cryptocurrencies.

But what are the key cybersecurity threats at play?

Threat 1: Harvest Now, Decrypt Later

According to a Deloitte poll, just over half of its surveyed professionals (50.2%) believe that their organizations are at risk for "harvest now, decrypt later" (or HNDL) cybersecurity attacks. This refers to an attack where threat actors collect encrypted data from target organizations today, fully anticipating that data can be decrypted later when quantum computing reaches a maturity level capable of rendering many publicly utilized cryptographic algorithms like RSA entirely obsolete. HNDL poses a risk to enterprises, banks, intelligence agencies, and even military capabilities – nothing will be safe from sophisticated threat actors equipped with advanced quantum computers.

Although the initial weight of resources required to conduct such an attack makes it unlikely to target your average enterprise, accelerating advancements in technology and volumes of data being regularly transmitted under encryption means we can anticipate them to become more likely in the future. In fact, it’s entirely possible such attacks have already taken place, and the targeted organizations lack the sophisticated capabilities to detect them. Despite the risk, nearly 20% of enterprises appear to be taking a “wait and see” approach.

Whether or not organizations intend to turn to quantum computing, HBDL attacks are an inevitable threat to all enterprises in a post-quantum world.

Threat 2: Making Asymmetric Cryptography Obsolete

Implementation of a practical quantum computer will render most current asymmetric encryption methods unsafe, such as RSA, Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC).

Back in 1994, Peter Shor developed a theoretical quantum algorithm to find the prime factors of a large integer. While important research, it was not considered an immediate risk, given the lack of the technology to implement quantum computers.

Now, however, quantum computing is much closer to becoming mainstream. In 2021, IDC estimated that by 2027, the market for quantum computing may grow to $8.6 billion, a 50% compound annual growth rate since its value of $412 million in 2020. It poses a “Quantum Threat,” a match for the complicated math problems previously unbeatable by classic computers. The world's data, currently protected by asymmetric cryptography algorithms such as RSA, DH and ECC, will soon become readable – and subsequently, easy for cybercriminals to infiltrate and bring down global digital security.

Put simply, a practical quantum computer could not only render traditional online activities insecure; it could break most of the security underpinning the internet.

Threat 3: The vulnerabilities of blockchain technology

Besides threatening current encryption schemes, quantum computing has the capacity to render blockchain technology extremely vulnerable. Because blockchain depends on the disseminated consensus of trust, achieved through the use of public-key cryptography, it is particularly susceptible to attacks that reveal a user’s private key given, only the public key.

A recent study found that 25% of all bitcoins in circulation and 65% of ether — the tokens in the Ethereum network — reside in addresses with a public key that is published on the blockchain. This means they could be stolen by leveraging a quantum computer with sufficient resources. Hundreds of billions of dollars’ worth of cryptocurrencies could be vulnerable to this attack vector.

Developing Post-Quantum Cryptography and Encryption Solutions

Although there is no consensus on a timeline for when practical quantum computers are expected to mature, it is clear that institutions with information that holds value beyond the next decade or so should prepare for quantum threats.

For organizations, it is important to build awareness of the threat quantum computing poses beyond the cybersecurity experts to the senior leaders and executive decision-makers. This will help organizations to develop a more cohesive response across different levels and stakeholders.

Governments and businesses have already begun preparing for a post-quantum world. For example, CISA and NSA recently released quantum-resistant algorithm recommendations and requirements for critical infrastructure and national security systems based on the post-quantum cryptography selections from NIST.

With time, it will become even more important to be agile. Organizations can focus their strategy on “crypto agility,” by which they will be able to switch between crypto algorithms seamlessly in case one or more become vulnerable to attack. For enterprises hesitant to adopt new and untested algorithms, there is the option of integrating classical and quantum-based solutions for a hybrid approach.

Other technologies, like Post-Quantum Cryptography, or technologies based on the characteristics of quantum mechanics – think Quantum Key Distribution and Quantum Random Number Generation – is also a way to strengthen cryptography.

As we have seen in recent years, companies unprepared for the worst outcome became victims to new and unstoppable breaches and ransomware attacks. Regardless of the uncertainty around quantum threats, taking necessary precautions and keeping an eye on the horizon could have a significant impact, beyond seamlessly transitioning companies in the quantum era. In fact, it may make all the difference as to whether or not a company will succeed in a post-quantum world.

About the Author: Robert (Bob) Burns is the Chief Product Security Officer for Thales Cloud Protection & Licensing (CPL) in the US. He has more than two decades of experience in the design, development, and delivery of high-assurance security products, combining a formal education in computer science with extensive expertise in cryptography projects for IBM and the U.S. Department of Defense.

In his role at Thales CPL, he leads a team of cloud security, product security and certification specialists as they build the next generation of products and technologies for enterprise cloud security. Robert also works strategically across CPL to help drive the quantum/post-quantum strategies, mapping Thales’s product portfolio to address the growing ransomware threat and bringing data protection technology to address cloud-native security concerns. Over the course of more than 20 years at Thales, he has built a global product security program and community, taking a lead role in defining the security roles that would oversee all product security and certification efforts across the company.

Robert holds a Bachelor of Science in Computer Science from the University of Delaware, as well as a Master of Science in Computer Science from George Washington University. He can be found on LinkedIn.