Why organisations must protect data from the quantum threat

With concerns that quantum computers will be able to crack traditional encryption in future, organisations must take measures to protect their data now

As quantum computers inch closer to practical application, concerns around their capabilities to crack conventional encryption algorithms have given rise to a critical dialogue in cybersecurity circles.

According to a recent Forrester study, quantum computers could be able to crack all current cryptosystems in the next five to 30 years, with a majority claiming there is a 50% to 70% chance of this occurring in the next five years.

With this in mind, we speak to experts in the field of quantum computing about the threats the technology poses to data security and what organisations should be doing to protect their valuable information.

The quantum threat to data security

"Quantum computers have already initiated a paradigm shift in the ways researchers think about data security," says Sarvagya Upadhyay, Senior Research Scientist Manager at Fujitsu Research. 

This, he describes, began within academic circles when highly efficient quantum algorithms for seemingly intractable computational problems underpinning encryption schemes were unearthed. “This led to the development of cryptosystems designed to withstand quantum attacks. In recent years, with attention mounting around the potential capabilities of quantum computers, various organisations and governments have initiated frameworks to safeguard against such attacks.” 

According to Upadhyay, quantum algorithms capable of solving the computational problems that underpin encryption schemes are already in development. Organisations and governments are now striving to keep pace. The US, for instance, enacted the ‘Quantum Computing Cybersecurity Preparedness Act’ just last year, signalling a proactive approach to this looming challenge.

“When we talk of securing sensitive data today there is strong focus on, and argument for, encryption,” comments Gavin Millard, Deputy CTO at Tenable. “As advances in quantum computing are made, decryption at lightning speed is increasingly possible. For organisations, this both helps and hinders security practices as it introduces a number of risks, including retrospectively. 

“Algorithms used to encrypt data a few years ago could easily be deciphered by threat actors harnessing quantum computing tomorrow. Security teams should consider the viability of retrospectively encrypting data to ensure continuously strong protection.”

Why organisations must be aware of the risks

As explained by Andersen Cheng, CEO of Post-Quantum, organisations need to be aware of the threat of quantum computing. The advent of a quantum computer, he says, is not a matter of “if but when”. 

“Research suggests that within three years, there is a one in seven chance that quantum computers will break the most used computer encryption systems — this number goes as high as 50% by 2031,” he says. “Therefore, failing to secure your digital infrastructure against the threat of quantum computing leaves your data and systems vulnerable to attack.”

Most important for organisations, however, is not the sheer code-breaking capabilities these machines will usher in but the threat they already pose today in the form of Harvest Now, Decrypt Later (HNDL) attacks. “Any data with a multi-year lifespan, such as government secrets, R&D innovation, asset ownership data in financial services and strategic plans, could be collected today and decrypted in the future,” says Cheng. “No matter what industry you are in - the private keys of utilities providers or the cardholder's information held by big banks - all data is vulnerable.

“This HNDL threat is backed up by numerous pieces of research, which find that nation-state adversaries are already collecting encrypted data with long-term utility. In fact, we are already seeing instances where internet traffic has been routed on unusual global paths for no apparent reason before returning to normal, which are indicative of such attacks occurring.

“Organisations that fail to recognise this threat and secure their data today, particularly those holding highly sensitive data with a long shelf life, are potentially putting themselves and the wider economy at huge risk in the future.”

Immediate steps for organisations

For organisations today, Upadhyay insists that acknowledging quantum threats should be the first step. Then comes “serious engineering and rigorous research efforts” to transition to post-quantum cryptographic systems. 

“The field of quantum data security is evolving and organisations will undoubtedly require talent equipped with expertise in both quantum computing and security,” he says.

As Gavin Millard adds, it's “pointless having 'post-quantum' levels of encryption on data when other parts of the business are exposing easily exploitable vulnerabilities.”

“It’s really important that we recognise that, even with good data security practices today, it's often weaknesses in other areas that potentially leave the organisation exposed,” he describes. “Security teams need processes in place to continuously assess certificates — know where old certificates and standards are stored and update when they can,” he says.

“It’s also imperative that security teams remain up to date with emerging capabilities and retrospectively address introduced weak or broken security practices — such as outdated encryption standards.”

Cheng, meanwhile, recommends a more radical approach: creating an end-to-end infrastructure that's quantum-safe ‘by design’. This would include everything from quantum-proofing your identity access management system to utilising a quantum-safe VPN. Cheng advises businesses to think about "crypto-agility, backward compatibility, and hybridisation" as they migrate to post-quantum cryptography (PQC).

“For example, the Internet and Engineering Taskforce (IETF) recently created a new VPN standard that helps specify how VPNs can exchange communications securely in the quantum age. The novel approach prioritises interoperability by making it possible for multiple post-quantum and classical encryption algorithms to be incorporated into VPNs, ensuring no disruption to the functioning of existing IT systems, and protecting data from attack by both classical and quantum computers.

“At-risk organisations might also consider establishing secure end-to-end messaging infrastructures that they control and can quantum-proof today. Such an approach allows different business processes to be created within an end-to-end secure environment so critical data is verifiably quantum-safe throughout its lifecycle.”

The road ahead for quantum data security

As quantum computing continues to evolve, Upadhyay is optimistic about the future. “I foresee a rapid expansion in the field of quantum data security,” he says. Upadhyay believes that “post-quantum cryptosystems will find widespread adoption among organisations,” thereby creating significant economic opportunities for security firms specialising in this area. He also notes that transitioning from RSA or ECC-based systems to alternatives that are secure against quantum attacks is not only “economically viable” but also “less technically demanding.”

Millard warns that while defenders will have better technologies, “attackers will get smarter and more automated.” He points out that the time required to decrypt data will dramatically decrease, going “from weeks or months to hours or seconds.” However, Millard is quick to add that data secured by quantum-level encryption will remain robust.

Cheng highlights the disparity between the development of quantum computers and quantum security, especially in terms of funding. However, he observes a positive change, particularly in government action. “The US has now firmly taken the lead following a series of orders and legislation,” he states, referring to the Quantum Computing Cybersecurity Preparedness Act and the recent 2023 US National Cybersecurity Strategy. Cheng also mentions the National Institute of Technology's (NIST) global competition to develop new algorithms, stating that “four have been shortlisted and are on track to be standardised,” which many see as the catalyst for post-quantum migration.

“The truth is that post-quantum migration can and should have begun earlier. Especially with the threat of HNDL attacks, everyone is playing catch-up. It’s not too late, but the next few years are crucial for the future of data and information security.”
