When quantum computing finally becomes marketable and viable, cybercriminals will be among the earliest exploiters. Should we all be worried?
Quantum computing has the potential for mind-blowing advancements, but it also brings some serious risks to the security of our online world.
Governments around the world are already preparing regulations to address the post-quantum computing threat.
Meanwhile, with governments and technology giants mapping the path towards quantum cryptography and quantum-resistant cybersecurity, what can organizations worldwide do today to quantum-proof their data before cybercriminals (who are notably also part of state-sponsored cyber war strategies) render all pre-quantum encryption worthless?
Armando Dacal, Group Vice President (APJ), DigiCert, shared some insights with CybersecAsia.net on the matter.
CybersecAsia: How do you anticipate malicious actors will be exploiting early quantum decryption capabilities?
Armando Dacal (AD): The most significant threat today is that advanced attackers could conduct “harvest now, decrypt later” attacks. This means that malicious actors are collecting and storing encrypted data now, with the goal of decrypting the data when quantum technologies make it easy in the future. When that happens, attackers will also be able to break other redundant encryption algorithms in use.
To mitigate this risk, a new specialty of cryptography is underway: post-quantum cryptography, or quantum-safe cryptography.
CybersecAsia: In your view, how prepared are organizations (private, public and government sectors) for the negative cyber-implications of the approaching quantum era?
AD: There is a notable sense of unease among IT leaders regarding their readiness within the required timeframes. Areas of concern include: not having enough time (less than five years) to prepare for the cybersecurity landscape shaped by quantum advancements and for quantum-powered attacks, and having a sufficient strategy to address quantum computing security implications.
Additionally, budget constraints and lack of executive support are cited as significant challenges that IT teams in private, public and government sectors are facing. Polls have even indicated that organizations’ leaders were only “somewhat aware” or “not aware” about the security implications of quantum computing.
While awareness will be growing, there is a palpable need for organizations to accelerate their efforts in developing comprehensive strategies, allocating resources, and garnering executive support to effectively navigate the cybersecurity landscape of the approaching quantum era.
CybersecAsia: Based on this current level of quantum preparedness, how can CIOs and CSOs start initiatives to safeguard the future of their organizations NOW?
AD: As governments map a path toward next-generation cryptography, CIOs and CSOs must take steps today to ensure the integrity of their most important data before quantum decryption opens the door to all of today’s secrets.
Implementing a robust strategy, backed up by senior leadership and incorporating cryptographic agility, is crucial. This includes:
- maintaining visibility into cryptographic keys and assets
- adopting centralized cryptographic-management strategies consistently across the enterprise with accountability and ownership
- prioritizing the development of quantum-resistant encryption methods, to ensure data protection remains effective in a world increasingly vulnerable to quantum threats.
Cryptographic agility not only addresses long-term issues like post-quantum computing, but also helps to reduce outages and operational costs, and helps with strategic changes like mergers and acquisitions.
Forward-thinking organizations that have invested in cryptographic agility will be better positioned to manage the transition to quantum-safe algorithms when the final standards are released in 2024.
CybersecAsia: As the adage goes, “no one is safe until everyone is safe”. Envisioning a potential “quantum defense lag” in which, say, only 20% of the world is fully equipped to ward off quantum-level threats, how are government bodies racing to preempt this defense lag?
AD: Governments and industry bodies have initiated measures to address the post-quantum cryptography risks. In the US, President Biden has signed a National Security Memorandum to mitigate the risks of quantum computing to national security.
Additionally, over the past seven years, the National Institute of Standards and Technology has led efforts to standardize resilient encryption algorithms, reaching a milestone last August with draft standards for quantum-safe algorithms.
In the Asia Pacific region, there has also been a welcome acceleration in government planning for a post-quantum world. In June 2023, Singapore launched Southeast Asia’s first quantum-safe network infrastructure to help businesses tap on quantum-safe technologies.
Australia has launched the National Quantum Strategy, which clearly states the three key categories of quantum technology as it impacts our future: quantum sensing, quantum computers, and quantum communications.
As an industry, we need to continue to build our understanding of the change that is to come and to know what it means to be as prepared as possible.
CybersecAsia thanks Armando Dacal for sharing his insights on quantum challenges with readers.