Treasury teams could be forgiven for placing the cyber threat posed by quantum computers slightly further down their list of priorities than more common threats like deepfakes or malware. Yet quantum computers, the new generation of super-fast machines that will one day be able to crack the encryption that underpins the start of any secure session on the internet, will put the relatively contained operational risk of today’s cybercrime firmly in the shade. They call it Q-day, and it’s time to get ready.
For the uninitiated, quantum computers are a high-powered type of computer able to manipulate data points a billion times faster than today’s computers can. Quantum computers will be able to test billions of different alternatives or combinations all at the same time to find solutions to the world’s knottiest problems, from debilitating diseases to the climate emergency, solving problems we used to think unsolvable in months, weeks or even days.
There is much to celebrate, but the risks of quantum computing may emerge more quickly than the opportunities. These computers will also be able to decipher the RSA encryption and elliptic curve cryptography that are responsible for around 90% of today’s crypto base. They are used all over the internet and keep the digital world safe: they are found in web browsers, keep emails secure, enable banking transactions and control our power grid and government communications.
“Both will be toast,” warns Bill Munson, a research associate at the Institute for Quantum Computing at the University of Waterloo, Ontario, Canada. “These codes are based on multiplying very long numbers and then factoring it. It would take today’s computers thousands of years to crack it, but when you have a computer that can do it in minutes or hours, you’re in trouble.” The quantum community estimates it is only eight to 15 years until a quantum computer exists that, in the hands of a hostile government, “bad actors” or organised crime, spells Armageddon for safely using the internet.
It’s easy to see why treasury is worried. Data security is fundamental to handling payments; companies with long supply chains involving multiple partners and constituent parts are vulnerable, while the collapse of the modern-day smart infrastructure that runs factories, transport networks and cities would have unimaginable consequences. “Unless banks move to quantum resistant cryptography, it is possible that one day we could wake up and there won’t be a dollar in any bank account in the world, but the bigger risk is that we will wake up and there will be no lights, power or transportation,” says Catherine Johnston, a strategist and consultant at Chieftain Consulting. And even if the cryptography isn’t broken, online systems will default to ‘off’ in an insecure environment, meaning they may still be rendered inoperable even if they haven’t been hacked.
The sense of urgency grows given that threatening entities, including organised crime, are already recording encrypted data and storing it to decrypt later. Companies should act now because it is possible to steal data today ahead of the ability to crack it tomorrow, explains Jonathan Legh-Smith, Executive Director for UKQuantum, the voice of the UK’s quantum industry. Corporate data is either data in transit, flowing between partners and internal systems, or stored data sitting within a company’s own servers or data centre, and both are at risk, he explains. “Companies need to assess how valuable their data is and over what timeframe. If there is an overlap between a quantum computer breaking into your data centres or tapping into your communications at some point in the future when your data is still valuable, you are at risk.” He says strategy should focus on how long data remains valuable rather than trying to second-guess or time the arrival of a quantum computer. “We don’t know exactly when they will come into play, but quantum computers are inevitable.”
The solutions
Happily, it is possible to prepare for this daunting new world by changing the encryption that keeps the internet safe. “We know what the fix is: change your crypto,” says Munson.
Over the last five years, an international effort led by the US’s National Institute of Standards and Technology (NIST) has identified a suite of cryptography algorithms that are deemed quantum safe. Still under development, they will at some point be available to install in corporate and government systems. “We are close to having the products available – but they don’t just crawl into our systems themselves,” says Munson. Every company will have to replace its crypto in a time-consuming process that involves new levels of expertise.
Legh-Smith estimates the essential adoption of new post-quantum cryptography will take businesses “a number of years” to deploy once the new NIST standards are commercialised. However, he warns these standards are still drafts and it may take some time to iron out any issues or bugs in their implementation, so there is a residual risk to businesses even after they are installed. He also points UK businesses towards National Cyber Security Centre guidance on migrating to post-quantum cryptography (PQC).
Away from NIST’s standards, a complementary solution to post-quantum security is also coming on stream. Quantum key distribution (QKD) is a new way of sharing ultra-secure symmetric keys, an existing form of encryption that can resist quantum computers. “Businesses can already use QKD as a way of enabling safe encryption now. In the future businesses will be able to deploy both PQC and QKD in their defence against quantum computers,” says Legh-Smith.
Witness how HSBC is pioneering quantum protection in FX trading using QKD technology. The bank hopes its HSBC AI Markets platform powered by BT, Toshiba and Amazon Web Services (AWS) technology will mature into a commercially accessible and globally scalable solution to safeguard trades of any value from quantum attacks.
Still, in an added complication, current UK guidance focuses on PQC and advises against the use of QKD. Legh-Smith notes that this guidance is a number of years old and is at odds with many other countries that are actively deploying QKD, as witnessed in Europe (the EuroQCI project), the Republic of Korea (South Korean Telecom), Singapore (National Quantum Safe-Network) and, of course, China, which is spending more than any other country on quantum research. McKinsey estimated that Beijing had announced a cumulative US$15.3bn in funding for quantum research, more than quadruple the equivalent US figure of US$3.7bn.
First steps to getting quantum ready
Even though businesses can’t deploy new cryptographic models until the NIST process develops, there is still much to do. Companies should begin by identifying what crypto they use, then assessing whether it is vulnerable and what it is protecting. Next, they should list their most valuable assets or corporate crown jewels. This could be intellectual property or data: for an IT company it could be large language models; for financial services, personal data and financial records. For many corporates it is trade secrets like their manufacturing process, design or materials, and what makes their business unique.
Companies’ IT security teams will already know the cost of upgrading encryption, have chosen partners and consultants, understand their data and be keen to trial QKD. But getting quantum-ready also involves buy-in from the entire corporate function and C suite. This means easier approval of the required investment in people able to put together an inventory and assess the company’s risk tolerance.
Re-tooling infrastructure could also be timed around necessary and routine upgrades in hardware and software and with an eye on the time-consuming nature of getting ready. “If the time it takes to install the new technology is greater than time you think it will be until we have a quantum computer, you should worry now,” says Tim Spiller, Director of the Quantum Communications Hub at the Engineering and Physical Sciences Research Council.
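The inventory step and the two timing tests above (how long the data stays valuable, and how long the migration takes) can be combined into a simple triage. The Python below is an added example, not from the article or anyone it quotes; the asset names and year estimates are constructed, and the 8 and 15 year bounds are the article's estimate taken as an assumption.

```python
from dataclasses import dataclass

# Assumption: the article's "eight to 15 years" estimate bounds Q-day.
QDAY_EARLIEST, QDAY_LATEST = 8, 15
SEVERITY = {"critical": 0, "at-risk": 1, "watch": 2, "resistant": 3}

@dataclass
class Asset:
    name: str
    algorithm: str         # as recorded in the crypto inventory
    shelf_life_years: int  # how long the protected data stays valuable
    migration_years: int   # estimated time to replace the crypto

def is_quantum_vulnerable(algorithm: str) -> bool:
    """RSA and elliptic-curve schemes are the ones the article says will break."""
    return algorithm.upper().startswith(("RSA", "EC", "ED25519", "X25519"))

def rate(asset: Asset) -> str:
    if not is_quantum_vulnerable(asset.algorithm):
        return "resistant"  # e.g. symmetric ciphers, per the article
    # Data encrypted just before migration completes can be recorded now
    # and stays valuable for its full shelf life after that point.
    exposure_end = asset.migration_years + asset.shelf_life_years
    if exposure_end > QDAY_LATEST:
        return "critical"   # exposed even if Q-day arrives late
    if exposure_end > QDAY_EARLIEST:
        return "at-risk"    # exposed if Q-day arrives early
    return "watch"

def triage(inventory):
    """Return (name, rating) pairs, most urgent first."""
    rated = [(a.name, rate(a)) for a in inventory]
    return sorted(rated, key=lambda r: SEVERITY[r[1]])

# Constructed sample inventory (hypothetical systems and estimates).
INVENTORY = [
    Asset("payment-api TLS", "ECDHE-P256", 2, 3),
    Asset("customer records archive", "RSA-2048", 10, 4),
    Asset("manufacturing trade secrets", "RSA-4096", 25, 3),
    Asset("backup volumes", "AES-256-GCM", 25, 0),
]

if __name__ == "__main__":
    for name, rating in triage(INVENTORY):
        print(f"{rating:10} {name}")
```
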
“Companies and governments need to be prepared to spend money,” adds Johnston. “There are relatively few people who are quantum trained so train your existing staff.” She also suggests that treasury accept quantum readiness as a cost of doing business. “If your business is a target and you are not ready, you will be out of business if you are hit.”
Companies can also use their influence to encourage their tech suppliers to get quantum ready. Corporations need to assess to what extent their suppliers can deliver quantum safe products and services, says Johnston. “If you are buying something that is not currently quantum resistant, ask the supplier if it will be upgradeable and when. Also, does the supplier have a cryptography migration plan that they are prepared to report against?”
Building awareness is one of the biggest challenges, but this is growing. In the UK over the last ten years, academic institutions, industry and government have invested around £1bn in a national quantum technology programme with government commitments to invest a further £2.5bn over the next ten years in line with the publication of its Quantum Strategy. Some of the world’s biggest tech companies, including Google, IBM, Microsoft and Honeywell, are investing in quantum with an ecosystem of start-ups following in their wake. McKinsey estimates investors poured a record US$2.35bn into quantum start-ups last year.
Spiller concludes with a nod to the risk that these new quantum algorithms could be broken in the future in a cycle of repetition. “It is difficult to prove that someone won’t develop new quantum algorithms that could break in the future – it’s difficult to prove a negative.” But he says this shouldn’t be a cause for inaction now. “We have a route forward technologically that we know is robust. Now is the time for people to start to move towards this and make these changes.”