Quantum technology is the always just-out-of-reach next chapter of technology. But every week, it gets closer.
With never-seen-before computation skills and mathematical potential, scientists predict quantum computing will finally crack “impossible” problems in astrobiology, physics, and mathematics, let alone impact our daily lives.
Pharmaceutical and medical organizations hope to use quantum computing to discover new drugs, cure ‘uncurable’ diseases, and design new treatments while engineers seek to develop materials and concepts. Meanwhile, machine learning developers look to achieve artificial superintelligence.
Additionally, industries such as the global financial industry, where fast math makes the difference between gains and losses, anxiously wait for quantum computing to become the norm.
However, despite the dazzling future that quantum technology promises, it also casts a sinister shadow — Q-Day.
Q-Day 101: The Beginning of the End?
Numerous experts and organizations have already given estimates — some conservative and others for the next five to ten years — for the day quantum computing will reach performance levels that allow it to break the encryption algorithms used in our digital world.
From phone calls to emails, passwords, financial account credentials, administrative access, and even top-secret confidential documents and data… if and when Q-Day hits us, there is nothing that a quantum computer in the wrong hands would not be able to decrypt.
Q-Day may sound like something out of a science fiction movie, but it is something analysts say is a likely reality. Governments, organizations, academia, regulators, security experts, and cryptographers worldwide are already working on quantum-resilient encryption and quantum security.
They believe it’s not a matter of when Q-Day arrives but whether the world will be ready when it knocks on the door.
NSA, CISA, and Intelligence Agencies Send A Flare Message
In 2022, the NSA called on organizations of all sizes to move to quantum-safe encryption by 2035. Adding to the call for security, in 2023, CISA, NSA, and NIST published a new resource with guidelines for migrating to post-quantum cryptography.
“It is imperative for all organizations, especially critical infrastructure, to begin preparing now for migration to post-quantum cryptography,” CISA director Jen Easterly said at the time, acknowledging the difficulties of the transition.
“The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry. The key is to be on this journey today and not wait until the last minute.”
“This includes things like firmware signing, signatures that need to be trusted for years, and stored data and network transmissions that need to be secret for a decade or more.”
Sanzeri said that the old-fashioned public-key encryption algorithms used for nearly half a century to protect government secrets and intellectual property are no longer practical.
Sanzeri added that the White House executive order “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” outlines several near-term security directives, making room for quantum-resilient cryptography and post-quantum communications.
“If the United States wants to protect itself from quantum computing attacks, it must switch to post-quantum cryptography protocols. This is a pressing matter of national security, and the government has already begun to act on this issue.”
Howling Wolf: Has the Quantum Threat Been Oversold?
Quantum computers are not new, and the hype about the tech and the concerns for the potential damage it might cause have been around for some time. These warnings of dangerous events have yet to materialize — and the question follows: “Is Q-Day a myth or a future reality?”
Or, more specifically: “Should leaders take Q-day seriously, and why now?”
“This problem (Q-Day) necessitates immediate attention on both the national and international scales. Although quantum technologies offer many potential benefits to humankind, they could have a much more significant negative impact if this risk comes to fruition.”
Sanzeri added that if current encryption methods become obsolete, enterprises, digital infrastructures, and economies — that rely on this type of security — will be significantly impacted.
“Data stolen now will be decrypted once Q-Day is here. Because we have yet to determine when Q-Day will happen, it’s tough to decide when the best time is to act. This usually leads to de-prioritization in favor of more pressing issues; however, this may be just kicking the quantum can down the road.”
At Clarksdale Crossroads: Google, Microsoft, IBM, and Amazon’s Cloud Quantum Computing
Leading global cloud vendors like IBM, Microsoft, Google, Amazon, and others already offer their customers access to quantum cloud computing resources. Cloud quantum computing is expected to be the main channel for the world to access these incredibly hard-to-engineer and super-expensive machines.
Have these cloud quantum machines reached performance levels linked to Q-Day, and can they break global encryptions?
Hollebeek gave insight into these early quantum computer cloud systems offering services to users.
“Not all quantum computers can threaten traditional encryption. A quantum computer powerful enough to threaten RSA and ECC is known as a cryptographically relevant quantum computer (CRQC), and those don’t exist yet.”
Going into technical details, Hollebeek explained that today’s quantum computers only have hundreds to one thousand noisy qubits being used to create a handful of stable, error-corrected ones.
“A CRQC needs to have thousands of stable qubits, which probably requires millions of noisy ones to implement. So while the capabilities of quantum computers are rapidly advancing, they aren’t quite to the point where they threaten classical encryption, but probably will get there in the next 5-10 years or possibly sooner.”
Patrick Scully, director at Ciena, who is currently leading the company’s work to develop optical encryption for the quantum age, told Techopedia that leaders should be aware of “harvest now, decrypt later,” a new cybercriminal technique in which bad actors steal encrypted data and store it to decrypt it in the future.
“Organizations with data that retains its value over time should be considering mitigation measures quite seriously.”
Scully is working on Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD), but PQC algorithms are currently going through the standardization process and do not guarantee full security.
However, the route they are working towards follows the lines of:
“QKD systems are considered to provide unconditional security, as the security of the key is not based on the computational complexity of mathematical problems, but rather on the laws of physics.”
A Quantum Time Travel Security Game: Build Now To Secure 2030
“Even if the odds were the same as a coin toss, I would not advise clients to leave their most prized secrets to mere chance.”
For its part, Forrester stated last year:
“Forrester estimates that within five to 15 years quantum computing will render existing mainstay asymmetrical cryptographic algorithms wholly or at least partially unusable for protecting sensitive information.”
Dr. Gilkes explained that quantum security is about how fast quantum computing advances and how long it will take businesses to “completely overhaul their security infrastructure”.
Taming The Wild West of Quantum Computing
Cloud brands like Google, Microsoft, IBM, Amazon, and others are the only companies with the budget, resources, and skills needed to develop, build, and operate advanced quantum computers. This raises numerous legal, compliance, and ethical questions.
“Most cloud providers are not yet offering quantum resilient encryption,” Sanzeri said. “However, we expect this to change over time. Large infrastructure providers must move quickly to begin installing post-quantum cybersecurity to protect their customers.
“Even if cloud providers deploy quantum resilient encryption, the enterprise still needs to protect their internal communications networks and their customer and partner networks.”
Businesses and governments are already taking steps to protect themselves against the threat of quantum computing. “One way they are doing this is by implementing post-quantum cryptography,” Sanzeri said.
“The great news is that you don’t need a quantum computer to fight against a quantum computer; we can use classical math and software.”
Criminals in the Underground “Harvest Now, Decrypt Later”
We asked cybersecurity sources basic questions on the criminal trend “harvest now, decrypt later” and wanted to know what cyber gangs or nation-state-supported cybercriminal groups were active in quantum computing attacks.
DigiCert’s global study, “Preparing for a Safe Post-Quantum Computing Future,” reveals that more than half (61%) of IT leaders are concerned that their organization will not be prepared for quantum computing cyberattacks.
Even more organizations, 74% of them, say they are worried about “harvest now, decrypt later” attacks. Despite these evident pain points, the companies seem to be at a loss on what to do next.
“Many organizations are in the dark about the characteristics and locations of their cryptographic keys.”
According to the study, IT leaders believe time is against them, and 41% say the Q-Day countdown is set for just five years.
Budget, skills, lack of leadership, and awareness of the real risks of quantum computing security implications are the main challenges they mention in the study.
Dr. Gilkes said that replacing traditional RSA encryption with new cryptographic algorithms based on quantum computing is broadly considered the far more secure option against the threat of a quantum-based cyberattack.
The bad news? This involves a large (and expensive) replacement of the existing security infrastructure.
Those looking for technical guidelines can also check the upcoming National Institute of Standards and Technology (NIST) Post-Quantum Cryptography standards, expected sometime in 2024.
Dr. Gilkes added that Quantum Key Distribution — leveraging unique properties of quantum mechanical systems to generate and distribute cryptographic keying material — can be done over the cloud. This is an easier option for those who want to implement quantum security on top of existing IT infrastructure. However, these systems have risks as they can open doors to attack vectors.
For those who think their organization is not a target, Sanzeri said that quantum security affects all types of organizations, from federal governments to critical infrastructure facilities, satellites, financial services, enterprises, and more.
We don’t think this one is an overblown threat. Q-Day looks to be a tentative entry in the calendar; we just don’t know when the clock will strike midnight. Acknowledging that potential is the first step to securing the future.
We exercise caution in giving the final word to companies that offer to be part of the solution.
Still, on this occasion, we’ll let Sanzeri paint his predicted scenario and let you decide how much weight you want to assign to the warning:
“Make no mistake, if public-key cryptography starts breaking, this will prove to be an existential threat to our nation, allies, and the free world.”
- How to elevate your defenses against growing cyber security threats in the quantum era (Ciena)
- Ciena Official Website (Ciena)
- What will it take to bring quantum cryptography to the masses? (Ciena)
- Skip Sanzeri (LinkedIn)
- QuSecure Official Website (QuSecure)
- Kristin M. Gilkes, Ph.D. (LinkedIn)
- EY Official Website (EY)
- IBM Quantum Summit 2023 (IBM)
- Azure Quantum cloud service (Microsoft)
- Google Quantum Computing Service (Google)
- Quantum Technologies at AWS (Amazon)
- Timothy Hollebeek (LinkedIn)
- DigiCert Official Website (DigiCert)
- DigiCert Global Study: Preparing for a Safe Post-Quantum Computing Future (DigiCert)
- NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems (NSA)
- CISA, NSA and NIST Publish New Resource for Migrating to Post-Quantum Cryptography (CISA)
- Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems (The White House)
- Comments Requested on Three Draft FIPS for Post-Quantum Cryptography (NIST)