In a quantum future, our economy needs to be protected. A cyber security expert explains why 

The privacy of online communication is currently protected by cryptography, which shields information as it travels around the internet. It secures everything from making online purchases to accessing work email remotely. With capabilities of quantum computing growing rapidly, industry experts reckon that it will take at least another 10 years before quantum computers with very large numbers of qubits are available.

Quantum computers could run algorithms that could break the public key encryption we use today. Researchers are performing intensive research to review, select and improve several dozen different algorithms to replace the current ones to prevent this.

The technology is still at an early stage and will take several decades before it reaches full fruition, which allows us a brief window to develop the current digital and IT infrastructure to be prepared for a quantum future.

We discussed why and how the current cyber landscape could develop and prioritise certain areas to avoid the potential harms and risks from developments in quantum computing with Jaya Baloo, Chief Information Security Officer at Avast.

Jaya has been working in the field of information security, with a focus on secure network architecture, for over 20 years and sits on the advisory boards of the Netherland's National Cyber Security Centre, PQCrypto and EU Quantum Flagship's Strategic Advisory Board. She is currently a member of the World Economic Forum's Global Future Council on Quantum Computing.

For many years, the quantum threat to cryptography was considered theoretical. However, with recent advances in building a physical quantum computer, Jaya believes we are not far from our currently used cryptographic algorithms breaking down.

What drew you towards developing your expertise in cyber security and becoming a leader in this domain?

I think I've always been curious about security. When I was a child, I was fascinated by phone phreaking and my interest developed in earnest when I was working as a network engineer at KPN. The fact is, once you get started in cyber security, it's hard to remain on the sidelines and instead you’re very quickly drawn to taking a position because there are so many foundational dilemmas that we deal with just in a day’s work. Global issues influence security teams at an incredibly operational level and include everything from the impact of geopolitics on supply chain security to policies on cryptography as well as the use of certain tooling to assess the security posture of networks.

What is most misunderstood about your work? What do you wish people knew?

The thing that is most misunderstood about working in cyber security is how it often becomes visually characterized by Hollywood. It is often depicted as incredibly fast paced and exciting, as a sort of cat and mouse game between hardened defenders and hooded attackers. Unfortunately, the truth is a lot more about doing the regular, diligent, routine, and day-to-day incremental efforts to prevent an attack or to analyze and respond to one when it does happen. In reality, it’s still about a lot of dedicated people staring at their screens with very few car chases in between.

I wish people understood better just how fragile our cyber security position is and just how much effort we need to put in to improving the basics now to be prepared for the future. We still rely on foundational protocols that were developed in the 1970s and haven't changed a lot since then for our primary transmission communications layer. We have lots of new tools developed with old classes of vulnerabilities in them. We still don't proactively test and change rapidly enough to evolve in line with the new threats that we’re facing. Added to that is that there’s an enormous interdependency from a critical infrastructure point of view because we rely on the same tools all over the world, so a single successful attack has a very large ripple effect.

In your opinion, what is the most critical cyber security challenge that leaders currently face?

Currently, I think the biggest challenge that leaders face is understanding that we have excluded the cost of cyber security in our existing IT infrastructure. The sunk cost of these old investments means that fixing or upgrading is not always an easy decision and organizations have extensive risk management tactics to explain rather than adhere to best practices. When this is already a challenge, thinking about additional safeguards for new technology often seem to be a nice to have rather than a need to have unless compelled by regulatory requirements. A good practice is to reserve about ten percent of IT budget for your non personnel spend for information security. If all parties started doing that, our innovation capacity would catch up on our legacy infrastructure. Then, we would slowly but assuredly be more secure.

Why do we need a tighter focus on encryption as a guarantee of privacy and online safety?

Cryptography is at the heart of our global internet economy from online banking to guarding intellectual property as well as the more foundational need to have secure and private communications between individuals. It guards human rights but also supports national security. Unfortunately, this does not mean that we have not had challenges to this capability as evinced by the cryptography wars of the 1990s. It always makes me think of a quote by Benjamin Franklin, that “those who would give up essential liberty for a little bit of temporary safety deserve neither liberty nor safety”, which speaks to the tension between national surveillance capabilities versus individual privacy needs. We need good, strong, well tested cryptography without backdoors in order to protect a free and democratic society. There are alternatives available for law enforcement to conduct targeted investigations without jeopardizing the common security available to us all and our fundamental human rights.

How could developments in quantum computing disrupt this?

The promise of quantum computing is that very long held and difficult scientific problems will be solvable in a novel way. Our current cryptography is based on difficult math problems, such as integer factorization and discrete logs, which would take our current computers a very long time to solve. However, a quantum computer of sufficient scale can speed up the solving of these problems so significantly that it will effectively break our currently used cryptographic algorithms.

What actions are required to enable a secure and sustainable transition to the quantum economy?

First things first, we need to know where we use our current cryptography and for what purpose. Most organizations have no idea what their cryptographic resources are and how it enables daily operations. Once we've completed that inventory, we need to figure out how to transition to new post quantum algorithms which are a new set of algorithms that will still be resistant to a quantum computing attack, while potentially also looking for very specific opportunities to deploy something called quantum communications (secure communications links based on the principles of quantum mechanics). Looking through an organization’s supply chain, there may be vendors that are working in this area and will afford easy transition opportunities to an organization. However, no matter what, they should be thinking about it and just understanding a vendor's maturity in this area is vital to enable a smooth transition.

What would be your advice to policymakers and other cyber security experts to achieve this?

Although it would be wonderful if everyone just voluntarily adopted best practices habitually, I fear we require some regulatory framework and national strategy to make sure that the most vulnerable and critical parts of our economy are quantum ready. My biggest concern is the time we have left to transition to a secure post quantum future. It’s important to be able to embrace the benefits of quantum computing and quantum technologies to advance our society while managing any potential downsides from the weakening on cryptography. Since there is such a strong strategic and national security advantage in terms of surveillance capabilities, I fear that certain infrastructure and software will find its way onto the Wassenaar Arrangement on export controls for conventional arms and dual use goods and technologies.

I would urge policy makers to ensure that there are no export restrictions against export of quantum technologies which would only further deepen the digital divide. Due to our interconnected economies, we need democratization of technology and must ensure global participation to be collectively secure, a sort of digital version of herd immunity.