Quantum risk is something cybersecurity professionals should assess or risk a repeat of the AI shock.

Angus ChenEvery time you check, quantum computing seems to be around 10 years away from realization. It’s been like this for at least 30 years and it’s tempting for busy cybersecurity professionals to assume it might continue to be frustratingly too far away going forward.

At ISC2 Security Congress 2024 in Las Vegas, Virginia Department of Behavioral Health and Development Services CISO Glendon Schmitz, CISSP, along with Binary Defense director of cybersecurity data science Angus Chen, CISSP, CCSP, made the opposing case. Far from being science fiction, quantum is not only inevitable but is already upon us and cybersecurity professionals need to react now to its disruptive effects.

One of the first surprises, explained Chen in the session Quantum: What's the Big Deal?, is that quantum computers are already being used to solve real-world problems. The second is that this usually happens in what is termed the “hybrid quantum computing” model in which the power of a quantum computer is combined with classical computers.

Today’s Technology for Tomorrow’s Needs

Far from standing apart in a parallel realm, today’s quantum systems need classical computers to perform the measurement and control, as well as to compile programs so that quantum computers can run them. The key is to apply these hybrid systems to the correct set of problems.

One example is the famous traveling salesman problem of finding the optimal route between multiple points. It sounds like a theoretical exercise but it’s something the transportation and supply chain delivery sector has pondered for decades as the multi-vehicle routing problem, a notorious mathematical challenge. Chen showed delegates a demonstration video of how a quantum computer from D-Wave solved this problem for 60 routes when pitted against a classical system running an AI clustering algorithm.

The result: the AI system calculated a route with a total distance of 43 km while quantum rival pared this to only 31.5km. “You’re looking at a difference of 11 km which doesn’t mean a lot. But when you scale this for a major metro area, this shows how quantum computing will revolutionize how we run our businesses,” said Schmitz.

Disruptive Technology

Today, nation states are investing heavily in quantum computing with commercial investment not far behind. Nobody wants to be left out. This is good for quantum but holds a warning for cybersecurity, argued Schmitz. The challenge of quantum is that as with AI chatbots, it has the potential to arrive suddenly in a highly disruptive way.

“In 2019, IBM’s System One had 23 qubits. Today it has 1,000 qubits,” observed Schmitz. “This doesn’t necessarily mean you have more computing power. What we don’t have is error correction.”

The industry has entered a cycle not dissimilar to the way classical microprocessors are developed, he said. Right now, companies such as IBM are developing better error correction for their qubits, after which they would then ramp the number of qubits on a new generation of quantum processors. This cycle of error correction followed by increased qubit numbers would continue for the foreseeable future.

Harvest Now, Decrypt Later Attacks

“Q Day” is the day that a general quantum computer will have the processing power to run Shor’s algorithm, said Schmitz. This would allow a quantum computer to factorize large prime numbers, undermining public key encryption.

Countries don’t even have to build their own systems to do this and can use quantum-as-a-service platforms to make such a breakthrough possible. More sinister still, today’s ransomware actors could utilize the same power to store encrypted data they steal today to hold it to ransom years down the line.

This danger now looms over the whole cybersecurity industry. Compounding this, when this happens (assuming it hasn’t already) we won’t be told. It will be used by a nation state strategically and secretly. Almost certainly, countries today are storing huge volumes of encrypted data from their enemies in the expectation that they will be able to decrypt it in future when a general quantum computer running Shorr’s algorithm becomes possible. Schmitz warned that professionals need to react to this threat now.

Post-Quantum Cryptography

This brought Chen to the difference between quantum cryptography (quantum resistant cryptography via a quantum computer) and post-quantum cryptography (PQC, implementing quantum-resistant algorithms using classical or quantum computers). Earlier this year, NIST released three candidates able to provide the latter, PQC, which large providers such as Apple and Google are starting to implement in their software. This is another example of the ways in which quantum computing is already affecting the profession.

What should organizations now do to minimize their quantum risk? Schmitz and Chen offered three starting points:

  • Conduct a crypto inventory –Organizations don’t know which crypto they are using or where, for example certificates and VPNs. They need to find this out, urgently. This is an asset management problem. Prioritizing which assets to mitigate first made was a matter of risk management
  • Ensure crypto agility – Many applications use hardcoded crypto. However, because quantum computers could undermine even the most secure algorithms periodically, this architecture needs to become more modular in DevSecOps so they can be easily swapped out
  • Engage with vendors – Organizations need to understand the way their suppliers intend to become quantum safe. This is where crypto becomes a third-party risk problem. Organizations need to build this into their contract discussions

In the meantime, Schmitz recommended that cybersecurity departments look to increase key size. This is not a complete fix, but it might buy some time should the worst happen.

“We do not want to be the person on the railway line with the train coming at us,” concluded Schmitz. We do not want a repeat of AI. We want to get ahead of this.”