Let's just kick that Quantum Computing can down the road
Quantum Computing has been a hot topic for 15 years now. Every summer, around the time SXSW is on, the world goes into a flutter about the amazing achievements that will come about and the cyber security implications of this new technology. I've heard from Directors that their IT execs have been bringing the topic up at the board level, talking about the risk to the business and getting people all worried.
While not suited to general computing tasks, quantum computing does have applicability in the fields of drug discovery, material science, logistics, finance, insurance, cybersecurity and encryption. It's that last one, encryption, that we are interested in, and it is expected that Quantum computing will be able to compromise or render ineffective many of the cryptographic systems currently in use.
Now, in order to decrypt information an attacker must first gain access to it. This might occur at the nation-state level through the tapping of undersea cables (Tempora) or compromising network devices (Salt Typhoon). Both these scenarios are unlikely to occur for most organisations. The more likely situation is that the attacker has compromised your internal user directory, or web application and gained access to encrypted passwords.
The risk we are supposing is that decrypting that sensitive information at pace requires access to a Quantum Computer (regardless of the fact we can do AD passwords pretty quickly with a few household GPUs). There are some cloud-based Quantum Computing systems available via the major players: AWS Braket (provides access to IonQ, Rigetti and OQC backends), IBM, and Azure Quantum. Using these platforms is costly, however, and the fault tolerance isn't there yet for cracking passwords reliably. Conservative estimates suggest it will be another 5-10 years before they are useful; nation states will likely get there sooner.
I was speaking to a friend who builds and runs PKI infrastructure. He has actually implemented some of the quantum-safe algorithms in his product (though the NZ Government doesn't currently have a list of approved algorithms); whether it’s just for nerd-points is beside the point. While modern browsers are starting to provide experimental support for the popular Quantum-safe algorithms, most of his clients aren't running the bleeding-edge web servers necessary to integrate the new algorithms (TLS 1.3, OpenSSL 3.x).
The NCSC (UK) has some actual practical timelines for migration to Quantum-safe algorithms:
- To 2028 – identify cryptographic services needing upgrades and build a migration plan.
- From 2028 to 2031 – execute high-priority upgrades and refine plans as Post-quantum cryptography (PQC) evolves.
- From 2031 to 2035 – complete migration to PQC for all systems, services and products.
The general guidance around preparation is also just sound security practice: keep on top of the latest news and maintain an inventory of sensitive and critical datasets. If the system protects sensitive information (e.g., key stores, passwords, root keys, signing keys, personal information, and classified information) then it’s probably a good candidate for additional security controls and monitoring anyway.
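One way to start the inventory and migration plan described above, as an added example (not from this article or the NCSC): it parses certificate text in the style of `openssl x509 -noout -text`, flags public-key algorithms that Shor's algorithm breaks, and maps each system to a phase of the timeline. The inventory entries, the phase policy and the matching of PQC names are assumptions made for illustration.

```python
import re

# Public-key algorithm names as printed by `openssl x509 -noout -text`.
# Each relies on factoring or discrete logarithms, which Shor's algorithm breaks.
QUANTUM_VULNERABLE = {"rsaEncryption", "id-ecPublicKey", "dsaEncryption", "ED25519", "ED448"}
# FIPS 204/205 signature families; how a given tool prints them is an assumption.
PQC_PREFIXES = ("ML-DSA", "SLH-DSA")
MIGRATION_COMPLETE_YEAR = 2035  # end of the NCSC timeline quoted above

# Constructed sample inventory: (system, protects sensitive data?, certificate text excerpt).
SAMPLE_INVENTORY = [
    ("root-ca", True,
     "Not After : Jan  1 00:00:00 2040 GMT\nPublic Key Algorithm: rsaEncryption\nPublic-Key: (4096 bit)"),
    ("customer-portal", True,
     "Not After : Mar  1 12:00:00 2026 GMT\nPublic Key Algorithm: id-ecPublicKey\nPublic-Key: (256 bit)"),
    ("intranet-wiki", False,
     "Not After : Jun 30 12:00:00 2026 GMT\nPublic Key Algorithm: rsaEncryption\nPublic-Key: (2048 bit)"),
    ("pilot-signer", True,
     "Not After : Jun 30 12:00:00 2027 GMT\nPublic Key Algorithm: ML-DSA-65"),
]

def parse_cert_text(text):
    """Extract the key algorithm, key size and expiry year from certificate text."""
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    year = re.search(r"Not After\s*:.*?(\d{4}) GMT", text)
    return {"algorithm": alg.group(1) if alg else None,
            "bits": int(bits.group(1)) if bits else None,
            "expires": int(year.group(1)) if year else None}

def triage(sensitive, cert):
    """Assign a timeline phase (assumed policy). Key size is ignored: bigger RSA/ECC keys do not resist Shor."""
    alg = cert["algorithm"] or ""
    if alg.startswith(PQC_PREFIXES):
        return "already PQC"
    if alg not in QUANTUM_VULNERABLE:
        return "unknown: inspect manually"
    # A certificate that is still valid after the deadline anchors trust past it.
    outlives = cert["expires"] is not None and cert["expires"] > MIGRATION_COMPLETE_YEAR
    if sensitive or outlives:
        return "2028-2031: high-priority upgrade"
    return "2031-2035: complete migration"

def build_plan(inventory=SAMPLE_INVENTORY):
    """Return {system: phase} for every entry in the inventory."""
    return {name: triage(sensitive, parse_cert_text(text)) for name, sensitive, text in inventory}

if __name__ == "__main__":
    for system, phase in build_plan().items():
        print(f"{system:16} {phase}")
```

Long-lived trust anchors land in the high-priority phase even when the data behind them is not sensitive, because their validity runs past the 2035 completion date.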
I think for now we can kick the Quantum Computing can down the road (for the next 5 years at least), and focus on more immediate issues, like ensuring all your internet-facing assets have two-factor authentication configured, and that you can reliably detect and respond to an attack.
If you would like me to come and chat to your board about real cyber security risks facing businesses, or you need a hand with your detection & response capabilities, flick me a message. Or maybe you have some thoughts and feels on Quantum computing you'd like to share below :)
Thanks for sharing your insights on such a critical topic. It's fascinating to see how quantum computing is evolving and the conversations around its impact on cybersecurity. Your perspective adds valuable clarity to an often complex discussion.
I'd just treat it like TLS cipher config, if you're touching it anyway update to the right "post quantum" algo but otherwise don't fuss.
I agree that we cannot kick the can down the road completely. Yes, it will be close to 10 years before Quantum Computing becomes relatively mainstream but we need to start planning on what needs replacement. Given the challenges organisations have with implementing multi factor authentication, implementing Quantum safe encryption will take time since all players in the ecosystem will need to make changes. Hence, the planning not only for organisations but up and down the supply chain will need to be planned and executed. What are your thoughts Simon?
Great article Simon Howard but I’m going to call you out on the “kicking the can down the road for 5 years” quip. As the NCSC UK points out, and as many other authorities are now starting to point out - the next 5 years should be spent by Boards and C-Suite coming to terms that this will be on their radar within the next 5Y forward projection. So they’d be well served to even start the process of grappling with their vision and execution plans - sometime over these next 5 years - just so that they’ll be ready to start organisational and technological change from 2028 onwards. If everyone just kicks the can down the road - we have another rushed fiscal expenditure situation, like the Y2K (needlessly) was. Too much money was spent on Y2K because “we’ll do it later”.
I was at a presentation by Bradley Busch GAICD last week where he talked through some pragmatic things to start doing in this space. I think we are finally moving from the (over) hype cycle to actual sensible actions now and it should really be highlighted to senior execs for future controls.