• The impact of quantum computing on internet security will be so great we must start planning now.
• Its exponentially higher processing power will render widely used cryptography obsolete.
• 'Security agility' – crypto agility – is a key concept in being quantum-ready.
Strategic thinking has enabled many of mankind’s greatest successes. But when some leaps are just too big for a single bound, or seem too far into the future, strategic acting – incremental, consistent decision-making consistent with a long-term vision – can serve as an enabler for future success.
While an operationally viable quantum computer seems beyond the horizon to most, the steps needed to prepare for its inevitability are indeed within sight. We need more advanced planning in cyberspace to prepare for the impact of quantum computing, where, without some changes, it will undercut all internet integrity and confidentiality – an economic and social disaster. This is where strategic acting can come into its own.
Have you read?
A quantum computer is radically disruptive; it will use a different method to represent and compute information, allowing much, much faster speeds. It’s not just evolutionary, but revolutionary. Quantum computers will be as revolutionary in this century as computers were to last century’s mechanical calculators. They’ll be built by, essentially, leveraging the properties of atoms we studied in physics class. They can be millions of times faster.
A quick primer on internet security foundations might help us understand this disruptive potential.
Confidentiality, Integrity and Authentication – of people, machines, software and data – underpin all internet security (and undermines it when poorly implemented); cryptography – the use of mathematical equations to protect information – is at their foundation:
• Confidentiality (e.g. scrambling data to render it private)
• Integrity (e.g. preventing attempts to falsely change “deposited $100” to “deposited $10,000”)
• Authentication (e.g. verifying the identity of the person you’re communicating with)
How does something as important as cryptography work? A good analogy is a combination lock on a high-school locker. (In this analogy, the padlock is the cryptographic “algorithm”, and its secret numbers are the cryptographic “key”.) Combination locks have two security functions: lock – a simple mechanism that requires you to do nothing more than push it together to close/secure; unlock – a relatively complex mechanism that relies on secret numbers provided to the lock through a clockwise/counter-clockwise motion. That’s what well-designed and implemented cryptography is: a mechanism to easily apply the security, but completely impractical to guess unless you know the key to unlock it.
But once an operationally viable quantum computer is produced, it can guess the possibilities at a substantially faster rate: exponentially so.
If you tried to read a cryptographically scrambled message by guessing the cryptographic key with today’s fastest computers – even working together – it is not practical. The mathematics of cryptography triumph over computer science. Cryptanalysts may try to use supercomputers (combined with mathematical insights), but it’s completely impractical to brute-force a modern crypto algorithm’s key, which is why cryptography serves as the foundation of security.
For decades, engineers made computers with more computational power by either speeding up the time it takes a processor to evaluate each individual binary possibility, or adding multiple processors that look in parallel at different possibilities. In theory, with enough speed and parallel processing, you could test all possible lock combinations (the cryptographic key).
But manufacturing complexities create a practical limit to the first approach. And the second technique, parallel processing, becomes prohibitive due to processor costs and the expense to power and cool them (they melt or otherwise malfunction when running fast and in close proximity).
Therefore, well-designed and implemented cryptography is far beyond the reach of fast/parallel processor supercomputers’ ability to guess each possibility.
But quantum computers can make many more guesses at once. Sometimes resulting in exponential (the doubling, of a doubling of an amount, etc.) increase in processing power, rather than the incremental increases possible with traditional computers. Importantly, certain kinds of mathematical problems are well-suited for a quantum computer.
Most believe an operationally viable quantum computer – one that is both reliable and has a useful number of qubits (the data units of quantum computers) – is five to 15 years away and that a handful of countries are pursuing that goal.
We need to prepare now. This is how:
1. Make “security agility” part of your operational security doctrine. When purchasing cybersecurity in the next two to five years, tell your providers you want “crypto agility”, i.e. the seamless ability to swap to “quantum-resistant asymmetric cryptographic algorithms” when available.
2. Adopt quantum-resistance cryptographic algorithms when available. Ideally, use a standard quantum-resistant algorithm several years before a quantum computer is thought to be available, because:
• Uncertainty: Quantum computer availability is unknown (the most advanced research on them is classified).
• Interoperability: There needs to be a seamless transition to this new class of cryptography. There will be a time where crypto agility – the ability to securely and agilely choose and use different types of cryptography – will enable communication with both those who use quantum-resistant cryptography and those who don’t yet.
3. Inventory your data assets to see which ones need to be re-encrypted with quantum-resistance cryptographic algorithms. Some data is so valuable that it has a long shelflife (decades) and must be protected from those adversaries who would steal your encrypted data now and “break” it with quantum computers available in the future.
4. Awareness and education. Tell your colleagues what it’s all about and why they should care, making a distinction between three main topics: quantum computing (much faster computers);quantum-resistant cryptography (algorithms that need to be developed and adopted to prepare for the eventual computers); and quantum key exchange (a means to privately share information while detecting when it has been compromised).
What is the World Economic Forum doing on cybersecurity?
The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The centre is an independent and impartial platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.
Since its launch, the centre has driven impact throughout the cybersecurity ecosystem:
- Training a new generation of cybersecurity experts
Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible training through the Cybersecurity Learning Hub.
- Building a global response to cybersecurity risks
The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, European Network and Information Security Agency, and the US National Institute of Standards and Technology, is identifying future global risks from next-generation technology.
- Improving cybersecurity in the aviation industry
Through the Cyber Resilience in the Aviation Industry initiative, the centre has been improving cyber resilience in aviation in collaboration with Deloitte and more than 50 other companies and international organizations.
- Making the global electricity ecosystem more cyber resilient
The centre and the Platform for Shaping the Future of Energy, Materials and Infrastructure have been bringing together leaders from more than 50 businesses, governments, civil society and academia to develop a clear and coherent cybersecurity vision for the electricity industry.
- The Council on the Connected World agreed on IoT security requirements for consumer-facing devices to protect them from cybers threats, calling on the world’s biggest manufacturers and vendors to take action for better IoT security.
- The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure global digital peace and security.
Contact us for more information on how to get involved.
Quantum computers will be revolutionary in their speeds, so much so that they can undermine the foundation of the internet’s security. They are not simply a technical curiosity to marvel at, but a revolution that requires us to plan for their arrival ahead of time, since they can undermine internet security. We should adopt agile, integrated cybersecurity strategies now – including agile cryptography – to ensure we’re prepared for the age quantum computers will usher in.