Jeff Margolies, Chief Strategy Officer at Saviynt, outlines how organisations and governments are preparing for the revolutionary rise of quantum computing.
Earlier this year, in his Spring Statement speech, the chancellor announced the UK Government’s new National Quantum Strategy, an ambitious ten-year strategy backed by £2.5bn of public funding to support the rise of quantum computing in the UK.
This isn’t the government’s only commitment to quantum innovation. It has also created the Department for Science, Innovation and Technology (DSIT), which has a mission to support the country’s ambition to be the most innovative economy in the world and a science and technology superpower. Quantum technology is essential for this mission, not only as one of the five leading future technologies – quantum computing, AI, engineering biology, semiconductors, and future telecoms – but also because it will enable every other technology on the list to reach its full potential.
Quantum computing is still in its early stages of maturity, with some experts predicting it will take more than a decade for quantum computers to run fault-free. Nevertheless, organisations are starting to take quantum computing seriously; indeed, IBM alone has deployed more than 60 quantum computers, enabling Fortune 500 companies, start-ups, academic institutions and research labs to explore practical applications.
This new era of computing will be transformative to many of these organisations. However, with every new technological advancement, it is vital that they also identify and mitigate all potential security risks.
Advantages of the rise of quantum computing
Quantum computing is inherently different from traditional computing, using an entirely new approach to calculation, based on principles of fundamental physics, to solve extremely complex problems very quickly. This quantum speed is expected to boost productivity and reduce costs in scientific research, engineering, finance, logistics, and manufacturing sectors. At the same time, supply chains and transportation networks are also predicted to benefit.
But while the rise of quantum computing will pave the way to discoveries and innovations, it will likely generate many new security risks. It’s hard to predict exactly what these threats will look like, as that will depend on how the technology develops. Nevertheless, organisations using or considering quantum must be cognisant of the potential threats and introduce new strategies to bolster their cyber defences.
Identity and security risks in the quantum realm
The speed at which quantum computers can make calculations could shorten the time required to break encryption keys. This will risk sensitive data, including financial records, intellectual property or even state secrets. Worse still, if quantum computers can break most of the encryption methods commonly used today, they could lose trust in digital systems and services altogether.
Threat actors will likely utilise the rise of quantum computing to target systems like encryption and to launch more fine-grained attacks targeted at particular users or machines. This means identity-based security will be vital for organisations across all sectors.
With many identity systems relying on cryptographic techniques to protect data and authenticate users, the main challenge for identity solutions will be mitigating the risk posed by cryptographic vulnerabilities. As quantum computing gets more powerful, the likelihood of breaking the cryptographic methods will increase, compromising the security of identity systems.
Another great risk is the potential of quantum to dramatically improve biometric spoofing techniques, which could be used to bypass verification systems. Attackers could conceivably create synthetic biometric data that is indistinguishable from real people’s data, granting them access to protected systems and datasets.
Preparing for the quantum future
While the rise of quantum computing is still in its early stages, and the associated risks are still to be defined, organisations should pay close attention to government and regulatory guidance.
Although there’s no legislation currently in place, the UK’s National Quantum Strategy states that the National Protective Security Agency (NPSA) and the National Cyber Security Centre (NCSC) will develop and introduce digital and physical security measures that protect assets and support growth.
Meanwhile, the National Institute of Standards and Technology (NIST) in the US started a process to standardise quantum-safe algorithms for key agreement and digital signatures in 2016 and has narrowed down a field of candidate algorithms, with draft standards expected in 2024.
According to NCSC, this extended period allows for thorough public scrutiny of the various proposals, while some experts argue it provides more time to close some of the gaps in the NIST guidance. These gaps are related to:
- Timing: Critics claim the timeline for developing quantum-resistant standards doesn’t match the speed of innovation. There’s concern that threat actors can outperform the wider adoption of quantum-resistant standards by developing new encryption-breaking code faster;
- Scope: Other areas of quantum computing may pose security risks, aside from the quantum-resistant encryption standards that are the focus of NIST’s efforts. Some of these could be unforeseen types of attacks or ways of bypassing security measures; and
- Adoption: The quantum-resistant encryption standards being developed by NIST may not be widely adopted due to a lack of awareness and understanding of the risks posed by quantum computing. The cost and complexity of implementing these new security measures may also slow adoption.
These regulatory efforts are certainly vital for the future of developing technology. But organisations must take a holistic approach to quantum security when preparing for its arrival. This should include maintaining an updated information flow about the latest developments, security risk profiling of the organisation and taking a more proactive stance towards mitigating vulnerabilities.
Additionally, organisations are well advised to develop an encryption roadmap so they are ready to update their cryptographic protocols as necessary. These roadmaps typically include steps on how to:
- Identify sensitive data: This may include financial information, personally identifiable information (PII), health data, or other types of sensitive data;
- Define encryption requirements: The focus here would be on selecting the appropriate encryption algorithms, key sizes, and other parameters;
- Assess existing systems: Before implementing any encryption, it is essential to assess the existing systems and infrastructure to identify any potential issues or compatibility problems;
- Develop an encryption plan: Following the analysis of the encryption requirements and system assessment, the organisation can develop an encryption plan outlining individual steps needed to implement the appropriate encryption technology;
- Implement encryption: After developing the encryption plan, an organisation can move to implement the encryption technology. This includes deploying the encryption software and hardware, configuring encryption settings, and ensuring that the system is running smoothly; and
- Monitor and maintain encryption: Once the encryption system is working properly, it’s vital to monitor its performance and perform regular maintenance. This may include regular updates of the encryption software and a review of encryption policies and procedures.
For now, governments should take precautions
With quantum computing technology still in development, it is the duty of security leaders to stay informed on the latest legislative guidance and key insights provided by experts in this field.
NCSC provides regular updates around quantum computing, including whitepapers and articles. At the same time, IBM, for example – which developed three of the four algorithms currently standardised by NIST for quantum-safe encryption – is another valuable resource for news on the progress of quantum computing development. Technological progress takes time, so it will take time for the rise of quantum computing to reach its full potential.
However, it’s never too early for organisations to start preparing for the risks and rewards of this transformative technology.
