No enterprise—whether a government, a military or a private company—can afford to be unprepared.
To channel former Defense Secretary Donald Rumsfeld, the dawning field of quantum computing is full of “known unknowns’’ that will pose unprecedented challenges to IT managers and cybersecurity professionals.
The biggest of those is timing. We know that after billions of dollars and decades of research into quantum computing, it’s a virtual certainty that a large-scale quantum computer will be a reality in the first half of the 21st century. We don’t know precisely when we will hit certain milestones—when, for example, a quantum computer will overtake even the most powerful classical supercomputer in a wide range of practical applications. Or even when, exactly, we must begin preparing for that day.
We must begin preparing now because no enterprise—whether a government, a military or a private company—can afford to be unprepared.
The security risk posed by quantum computers is existential: As Dr. Deborah Frincke, director of the National Security Agency’s research branch, has pointed out, a practical quantum computer will be capable of cutting through public key cryptography standards and exposing everything from banking accounts to military secrets.
Scary stuff, but Dr. Frincke rightly advises not rushing headlong into a security upgrade before the National Institute of Standards and Technology certifies a variety of quantum-safe cryptographic algorithms currently under evaluation. That could be like showing up early to a gunfight with a very expensive rubber knife.
But that doesn’t mean savvy cybersecurity leaders should sit on their hands until the NIST process concludes in 2022 (or at the latest 2023). Don’t let the absence of standards become an absence of plans. The cryptographic revolution will be unlike any change in the modern computing era. Cryptography is baked directly into so many layers of the computing stack and embedded in so many connected devices (access keycards, for instance) that untangling it all will be a challenge of epic logistical and technical proportions.
Adding to that complexity is the reality that quantum computing may usher in a need to evolve cryptographic approaches far more rapidly than we have in the past. That underscores the need for crypto-agility, the ability to respond and adapt to the ever-changing cybersecurity environment, needs and threats without fundamental changes to the underlying infrastructure. This matters whether we are 10, 20 or even 30 years from a truly practical quantum computer—and presents an opportunity to build in cryptographic resilience into devices and infrastructure today that can quickly accommodate future cryptographic transitions.
This interim period before standards are set is the right time to begin planning—both because it reduces capital outlays and because it allows comprehensive assessments of what will need to change and in what order it should be changed. This process alone could take years—meaning that, once standards are set, organizations will have already done the heavy lifting and be ready to adopt them rapidly.
Then, time will be of the essence, particularly with regard to protecting sensitive data that has long-lasting value. Even before a quantum computer is capable of breaking encryption, we know malicious adversaries are harvesting vast amounts of encrypted data in anticipation of the day that they can break the locks. The sooner that data is secured with a hybridized approach that marries the best classical encryption with emerging quantum-safe approaches, the better.
Despite the many unknowns presented by the advent of quantum computing, we know enough to know that failing to plan will be planning to fail—and the consequences of that could be catastrophic.
Scott Totzke is chief executive officer and cofounder of ISARA Corporation.