Embracing the solace of quantum security

Ongoing advances in computing technology have always meant that risk managers need to stay abreast of their organisation’s digital security. Now, the advent of quantum computers – super-powered computers built on quantum mechanical principles – makes one area of risk to keep a close eye on.

Quantum computers are able to use subatomic particles to calculate huge amounts of information simultaneously, and while this represents an exciting stage in technological evolution, it also massively increases the risk of a data breach for organisations that are not properly prepared. This is because quantum computing is likely to render existing forms of computer encryption completely obsolete within the next ten to 20 years, with some estimates predicting common encryption standards might be defeated as soon as 2026.

From major manufacturers to nation states, there is an unprecedented amount of money being poured into researching and developing quantum computers. The reason for this is simple: those that achieve ‘quantum supremacy’ will find themselves at the very forefront of the digital age, with computing power that outstrips current technology by an order of magnitude. As this new era of computing approaches, the consequences for organisations which have not properly prepared their online security could be severe, and have been referred to by some experts as a latter-day Y2K.

The threat of quantum computing

Online data security relies on encryption for the safety of global information systems, payments and communications. Historically, the foundation for almost all types of encryption has been based on requiring an extremely large and complex mathematical problem to be solved, which standard computers find close to impossible. However, once quantum computers become sufficiently advanced, they will be capable of completing multiple mathematical calculations simultaneously, making it far easier to crack current encryption standards.

According to a recent report from Inside Quantum Technology, which provides analysis and forecasting of quantum technology markets, the market for post-quantum cryptography is likely to grow significantly over the next decade. As quantum computers become more viable, the search for better protection could lead to the post-quantum cryptography market growing from $145 million in 2014 to $3.8 billion by 2028.

For organisations that require any type of long-term data storage, the subject of ‘quantum-safe’ or ‘post-quantum’ cryptology is one that needs to be addressed now. According to a 2018 survey by the Cloud Security alliance, 86 per cent of IT managers were aware of quantum risks, with almost 20 per cent believing that post-quantum cryptology would be required within the next 12 months.

This is especially relevant not just to governments, military and intelligence services, but also to financial services, healthcare and telecommunications, as well as organisations implementing the Internet-of-Things. Cryptocurrencies such as Bitcoin are especially vulnerable, and there are already competing products on the market that are being promoted as quantum resistant.

While there are a number of different approaches to securing IT systems and software against quantum attack, one potential solution is IBM’s lattice cryptography. This encrypts data using a mathematical equation that requires two different unknown factors to be solved. It is believed by many in the industry to have achieved the closest to immunity to quantum attacks (although it has not been mathematically proven to be completely invulnerable).

Why crypto-agility is essential

The security community, governments and industry groups have not yet settled on which algorithms should be used as standard protection in the quantum computing age, which is why it’s important that organisations remain ‘crypto-agile.’

For risk managers, this begins with a risk assessment of critical data and its value over time. Anything that will need to be stored and protected for more than a decade could be considered viable for applying the new cryptographic standard. This will also require new training and technology, so it makes sense to prioritise the data and systems which demonstrate the greatest need for protection in the future.

Work should also be coordinated between IT security and incident response teams to conduct a complete inventory of information systems that use cryptography, in order to identify and evaluate the algorithms that are already in use. Incident response plans should be continually monitored and updated to include alternative algorithms and plans for updating existing encryption methods.

In addition, application development and procurement workflows should be adapted to reflect crypto-agility. This means buying or building IT systems and products with the ability to move from one type of cryptographic algorithm to another without having to rebuild everything from scratch. The easier and more automated the system’s migration, the more crypto-agile it is. In the development of applications, using Parasoft services could help to ensure that security breaches are mitigated and that its API is tested effectively.

Time to act

Quantum computing technology is still in its emerging phase, and so is our understanding of its potential to both disrupt and enhance the world of business. However, with experts from organisations ranging from Googleto the National Academies of Sciences, Engineering and Medicine in agreement that quantum security is something that needs to be addressed as a matter of urgency, it makes sense for risk managers to begin to take steps right away. Considering that web standards take more than a decade to implement, it’s a brave organisation indeed that gambles its online security on future unknowns.

  • About Enterprise Risk Magazine

    Enterprise Risk Magazine is the leading quarterly title for risk managers and enterprise risk, with a print circulation of over 5,500.

    Enterprise Risk is published on behalf of the Institute of Risk Management (IRM). The majority of IRM members receive their copy of Enterprise Risk at their home address, meaning the title... Read more
  • Categories

  • Tags