The quantum security era is coming – here’s how leaders can prepare for it

When it comes to certain types of complex computational problems – advanced statical modelling in the financial sector, accelerated research and development for pharmaceutical companies or a more efficient supply chain in the automotive industry – quantum computers promise organizations transformative power.

But, for maximum transformative gains, quantum computers must manage a particular risk: the cryptography used to secure many of our daily digital tasks, such as browsing the internet or online banking, will be broken by sufficiently powerful quantum computers.

Recent alarm in the security community around reports that researchers may already be able to break a common type of cryptography on an existing quantum computer reiterates the seriousness of this risk – and how ill-prepared we are if such a report is true.

Furthermore, attackers may already be engaging in Harvest Now, Decrypt Later (HNDL) attacks in which they steal sensitive data today, such as personal health information or military secrets, and retain it until a sufficiently powerful quantum computer arises to break its encryption. If this occurs while the data retains its sensitivity, the consequences could be significant.

Therefore, organizations must act now to understand and prepare to mitigate the risk of quantum computers as soon as possible.

Mitigating the risks quantum computers pose to our cybersecurity infrastructure will require organizations to implement quantum-secure cryptography, elements of which are currently being standardized by the National Institute of Standards and Technology. The European Telecommunications Standards Institute and other organizations are also standardizing other encryption methods, including quantum key distribution.

Similar implementations have shown the process can take many years as cryptography is often deeply embedded in systems with multiple dependencies, including from third parties through the supply chain. Nevertheless, there are several steps leaders can take now before embarking on a more significant transition.

Because cryptography is used as a security control in many places throughout systems in organizations, the scope of the transition will be broad and with many dependencies. It is, therefore, essential to start today.

Clear leadership and directive from the board are needed to help executives develop and implement an effective quantum cyber strategy. This engagement should include a consistent review of meaningful key performance indicators to track progress.

Three transition approaches are likely to be adopted by most organizations. The first approach may be combined with either of the other two.

Managing a parallel implementation is suitable for most organizations if they have sufficient resources. Various cryptographic algorithms publicly available and reviewed are already potentially quantum-safe. Organizations can start using these quantum-secure solutions today in addition to existing classical cryptography, combining their powers.

There are two major benefits to this approach. First, it provides organizations with a low-barrier opportunity to experiment with implementing quantum-secure cryptography to see what expected and unexpected consequences it may have for their IT systems. This prepares them for when they eventually embark on their complete migration. Secondly, combining quantum-secure and classical cryptography offers a double-layered defence that may protect against today’s and tomorrow’s threats.

Organizations with more complex infrastructure or resource limitations may transition in distinct phases. That means starting with migrating groups of systems to quantum-secure cryptography and having interim “cool-off” periods to define lessons learned to incorporate in the next phase.

Phase-based transformations allow for investments and milestones to be spread, which can help leaders create support for the migration throughout affected business functions due to less downtime of affected systems. In addition, the continuous adoption of lessons learned from the previous phases and new industry insights (such as developments in the standardization of quantum-secure algorithms) allows for a constant improvement of the quality of the migration.

Some organizations, especially smaller or emerging ones, have smaller infrastructure deployments or have limited business needs to communicate sensitive information. These might consider a full overhaul, in which the goal is to become quantum-secure as soon as possible with the knowledge and experience that is currently at hand. Such an approach applies to projects in the early stages of development or deployment of new capabilities.

A complete “big bang” approach can theoretically provide immediate protection and safeguard against HNDL attacks, which can be valuable for organizations that process very valuable data and may be specifically at risk of HNDL attacks. However, limited preparation and lack of intermittent learning may result in implementation challenges and hamper the longer-term utility of the solution.

Irrespective of the chosen transition scenario, organizations must act now to embrace the quantum era and confidently reap its benefits.

Quantum resilient cryptographic standards and regulatory requirements will be commonplace sooner rather than later. Digital encryption may not yet be broken today but will you be ready when it is?