Quantum risks demand more immediate attention from CISOs and CSOs

The looming threat posed by quantum computing to current encryption methods has long been spoken about, but recent developments in the space point to the need to convert that discussion to preventative action.

Australian authorities are keeping close tabs on the space, with the Australian Signals Directorate (ASD) monitoring “alternate methods of securing communications” in the event that a cryptographically relevant quantum computer – one that can break current public key encryption – is developed.

But the ASD advice is unequivocally specific: plan now for a post-quantum cryptography (PQC) world.

This urgency is supported by other observers.

A recent survey by CSIRO found strong awareness in the cybersecurity sector about the risks posed by quantum attacks “on current cryptographic solutions”, but varying skills and domain knowledge among participants to address the threat. The research notes that “most participants believed the impact of quantum computing will be seen on cybersecurity within the next five years” – a truncated timeframe it believes should trigger “urgent … action” and dialogue “across and within sectors”.

EY is also advocating for action to start today. It cites statistics from Forrester that point to a “50% to 70% chance” of current cryptographic security being broken within five years, and to its own research suggesting action in this area in many organisations is likely to kickstart within the next two years.

Add to that ExtraHop CEO Patrick Dennis, who believes the pace of quantum development that is in the public domain should be viewed as a driver to accelerate planning: “Not to be alarmist, but I suggest public key encryption may fall before most people expect. I’m not the only one who believes the end of traditional encryption may be coming sooner rather than later. In recent months, I’ve observed leading organisations in critical infrastructure and related industries starting to hire cryptography experts, signalling a real and urgent concern about quantum computing.”

The fact that so many observers are saying much the same thing – that imminent planning and action by CSOs, CISOs and cybersecurity teams around quantum computing is necessary – is noteworthy.

Rolling out quantum-resistant computing needs to be on every security leader’s agenda. Leaders need to consider the scope of the problem for their organisations and ask themselves some key questions: is there a means to identify the organisation’s most critical assets, is there a plan in place to do so, and if not, when will we have a plan?

Rapid pace of change

A large part of what is driving the fast-tracking of the PQC discussion and planning at an enterprise and government level is the rapid advancement of quantum technology.

Quantum breakthroughs are now happening regularly, with IBM rolling out the 433-qubit Osprey in November 2022, which was three times more powerful than its predecessor from a year earlier.

This may be only the tip of the iceberg in terms of current quantum capability. As the US Cybersecurity & Infrastructure Security Agency (CISA) says, “Nation-states and private companies are actively pursuing the capabilities of quantum computers.”

Not everyone has something to gain from making their breakthroughs public domain. It should be assumed that quantum development is happening in other countries without huge public announcements, and that the risks of quantum technology – in particular, its ability to break public key encryption that is used to protect most valuable data today – are closer to being material than they may otherwise appear.

Much like generative AI, quantum computing represents another technological advancement with huge promise and also significant potential to dismantle systems and institutions we trust and take for granted.

While public key encryption has been the foundation of integrity for both digital data and internet communications for decades, even before the commercial internet became a thing, it’s likely to become unreliable very soon.

The next generation of encryption needs to be something very different.

For a few years now, security researchers have been working on new “quantum-resistant” encryption methods that would supposedly protect data better than current tools. The use of the word, “resistant,” is purposeful, because we don’t really know how robust the new encryption methods will actually be when they’re up against powerful quantum computers.

The US Government has set a target to adopt quantum-resistant encryption by 2035 and for agencies to move their high-value assets to the new encryption systems by then. Taking into account the current pace of development, and the time that will be required for testing, the real deadline for action is probably closer to 2025 than 2035. That aligns with the broader call-to-action being made by most stakeholders today.

With quantum computing, we don’t know when traditional public key encryption will become obsolete – but all public signals point to it happening much sooner than expected. While it would be easy to keep kicking preparations down the road, the reality is that organisations need to start now if they are to defend against those pushing the boundaries of quantum computing.

Rohan Langdon, ANZ Country Manager at ExtraHop
Rohan Langdon
Rohan Langdon is Vice President, Australia and New Zealand at ExtraHop.