Welcome to the quantum readiness era. Is your company prepared?
If you’re like the 79% of IT executives who expect quantum computing to have a moderate to high impact on their business in the next three years or the 72% who have a moderate to high intent to invest in quantum technology at some point,1 there’s definitely work to do.
“Q-Day”—the day when quantum computers will be reliable enough to crack current cryptography—is fast approaching.2 Once it arrives, a technology with seemingly limitless promise when used judiciously will pose serious security threats if applied for corrupt purposes.3
Today’s cybersecurity safeguards will offer little protection. In fact, quantum computers will eventually be able to break all current forms of modern cryptography, including public key encryption, in minutes or hours rather than the decades or even centuries it would take today.
Your company’s best defense against the cyber threats of the present and malicious uses of quantum computing in the future is to make your organization quantum safe today.
It’s time to get started.
Your company’s best defense against the cyber threats of the present and malicious uses of quantum computing in the future is to make your organization quantum safe today.
Making the case for quantum safe
Broadly speaking, any public or private organization that has or relies upon critical data, trade secrets, or other sensitive information should be thinking about quantum security. After all, no one really knows when exactly Q-Day—or Y2Q, as it’s also known in cybersecurity circles—will arrive.
Some analysts argue that Q-Day is 10 to 20 years away, while others predict several thousand quantum machines could be operational and able to break current encryption by 2030.4 Scientists in China say they’ve already been able to crack the Rivest-Shamir-Adleman (RSA) algorithm used for secure data transmission, although many experts dispute the claim.5
Chances are better that the technology will improve over time, making it nearly impossible to pinpoint an exact date by which organizations must be quantum secure. This uncertainty increases the urgency for developing a quantum-safe strategy sooner than later.
Once quantum computing matures, bad actors who gain access to the technology will be able to use it to break encryption codes to bank accounts, medical records, personal information, and a trove of other confidential information. Cyber thieves will then be free to use, sell, or exploit that content however they choose.
Making matters worse, quantum computers will have the power to decrypt any data that’s ever been collected. This power, in turn, will likely give rise to more harvest now, decrypt later attacks.6
The basic premise of harvest now, decrypt later is that cybercriminals will capture all the data they can from cyberattacks in the past and moving forward—even if they can’t break the encryption—and store it until quantum computers are able to crack the codes.
That’s a staggering thought, given that 83% of organizations worldwide experienced more than one data breach during 2023 and the global average cost of a single breach is $4.45 million.7
Keeping things in perspective
Quantum computing, in and of itself, isn’t a threat. It’s how and by whom the technology is eventually used that may create order or chaos.
In fact, the same principles that will enable quantum computers to decrypt current encryption so easily will help produce unbreakable encryption and algorithms in years to come.
Simply put, the problem also holds the solution. Future protections will include:
- Post-quantum cryptography. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) recently selected four encryption algorithms to be part of its post-quantum cryptographic standard.8 These protocols should be finalized in 2024, several years before even the most aggressive timetables for Q-Day.
- Quantum key distribution. This communication method uses properties of quantum physics to create and distribute random secret keys between network nodes.9 While it’s possible for data encrypted with quantum key distribution to be intercepted by a third party, not even a quantum computer can break the key securing that data.
- Zero trust and cyber resiliency. Zero-trust architectures and cyber resiliency plans won’t prevent quantum computers from breaking data encryption. However, these strategies are cornerstones of a strong cybersecurity posture and, combined with quantum-safe standards, should help to reduce threats from quantum computing.
Underpinning these and other quantum-safe protocols on the horizon is the concept of cryptographic agility.10 In short, crypto agility enables an organization to adopt new algorithms or encryption methods across its security systems, firewalls, and other safety features without having to update application software.
The same principles that will enable quantum computers to decrypt current encryption so easily will help produce unbreakable encryption and algorithms in years to come.
How to plan for quantum safe
If you haven’t already started, here are three steps you should take now to begin building a quantum-resilient organization:
Step 1: Assess your overall security posture
Before you can develop a quantum-safe security plan, you need to understand your company’s current risks associated with cyberattacks, data breaches, and other threats. Internal and external assessments, IT budget reviews, and technology testing and implementation can identify areas of strength and weakness, laying the foundation for a quantum-safe strategy.
Bear in mind that your enterprise security protocols will need to evolve, so embed quantum risk into existing governance and cybersecurity operating models and risk assessments. You’ll also need to understand the regulatory, financial, and reputational impact that decryption of critical data would have on your business.
Step 2: Raise organizational awareness
Quantum security should be a priority at all levels of your organization. You’ll need to educate your workforce about the positive and negative aspects of quantum computing and underscore the importance of being quantum safe.
Start by raising awareness among colleagues about the pros and cons of quantum computing. At the same time, begin identifying key stakeholders within your company who can sponsor the actions to become quantum safe.
Then, develop and share quantum-safe practices and regularly update employees on emerging quantum technologies, all while encouraging them do their part in protecting the organization as the quantum landscape evolves.
Step 3: Define a quantum-safe strategy and transition plan
Once you have a better understanding of your current security posture, you can identify and prioritize where and in what manner to invest across your organization. Your plan should identify security processes, technology and infrastructure, cryptographic systems, and third-party suppliers that can help you achieve quantum safety.
Once your quantum security roadmap is in place, you can start transitioning your organization’s systems to the new cryptographic standard. This process includes:
- Performing an interdependence analysis to identify issues that could impact the transition
- Decommissioning old technology that won’t be supported in the future
- Validating and testing products that will incorporate the new standard
Becoming a quantum-safe organization is an iterative journey involving business and technology. Throughout the process, you’ll have to continually reprioritize quantum threats and existing organizational risks to ensure a smooth transition.
A new mantra for a new era
The age of quantum computing is drawing near. Although the technology holds great potential in numerous fields, it will prove destructive if used unscrupulously.
You can protect your organization from these threats, but the time to act is now. Start planning your quantum-safe journey and make “get quantum safe” your mantra for a new era.
Bill Genovese is CIO Advisory-Kyndryl Consult Partner and Global Quantum Services and Consulting Leader, Guy Siviour is a Senior Global Lead, and Vasilis Katopodis is a Delivery Partner on the Quantum Tiger Team.
1 Voice of the Enterprise Digital Pulse: Emerging Technologies 2023, S&P Global Market Intelligence, 2023
2 What CISOs need to know to mitigate quantum computing risks, Security, June 2023
3 Quantum’s promise, Global Finance, January 2023
4 What is quantum computing?, McKinsey & Company, May 2023
5 Did China break the quantum barrier?, Forbes, January 2023
6 Harvest now, decrypt later, Inside Quantum News, November 2022
7 Cost of a data breach report 2023, IBM, 2023
8 Post-quantum cryptography standardization, NIST, July 2022
9 Moving forward with the security of quantum key distribution, Forbes, May 2023
10 Cyber insights 2023: Quantum computing and the coming cryptopocalypse, Security Week, February 2023