Quantum Apocalypse

Decryption And The Quantum Apocalypse: Steps To Securing Business Secrets

What takes classical computers trillions of years could soon be done in seconds by quantum processors, which is why urgent action is needed now

8/2/2023

This article covers:

  • Why leaders must take urgent action to mitigate the quantum threat
  • Steps for businesses to solve the ‘harvest now, decrypt later’ challenge
  • How to be more crypto agile and improve longer-term planning

Crowe Global’s Art of Smart content is designed to inform, inspire and influence business leaders so they can make better decisions. Assessing the opportunities and threats around quantum computing is a prime example of where it adds value. 

Previously, the Art of Smart offered expert tips to help improve ‘quantum readiness’ and take advantage of the nascent technology’s incredible potential. While the immense processing power promised by quantum computing is heralded as the next technology frontier, that capability could, in theory, break encryption codes in a blink, leaving sensitive data vulnerable to cyberattacks.

In 1994, Peter Shor, professor of applied mathematics at Massachusetts Institute of Technology, invented an algorithm, now known as Shor's Algorithm, to enable quantum computers to determine the prime factors of numbers. This discovery increased interest in quantum computing. In 2022, investment in quantum initiatives reached US$35.5 billion across multiple continents, according to World Economic Forum research.

Business leaders must be bold and innovative—two of the Art of Smart’s pillars of success—and proactive to address the security concerns presented by quantum computing, ensuring that they are well-equipped to mitigate risks and protect their organizations.

Indeed, today’s ‘classic’ computers would require roughly 300 trillion years to crack communications typically protected by the RSA encryption algorithm, which has a 2,048-bit digital key. However, a quantum computer powered by 4,099 qubits (a qubit is a basic unit of quantum information) could effectively “guess” keys and would need just 10 seconds, according to cybersecurity experts. Some are calling this scenario “the quantum apocalypse.”

Currently, the most powerful quantum processor is IBM’s 433-qubit Osprey, which took flight at the end of 2022. IBM’s development roadmap shows the Condor, with 1,121 qubits, should land soon.

 

Harvest now, decrypt later

“The ability to break today’s encryption might not happen for 20 or 30 years, but leaders can’t dismiss this threat now,” says Andy Stanford-Clark, Chief Technology Officer at IBM UK. “The good news is that quantum-safe cryptography that can protect against these future, cryptographically relevant quantum computers exists today.”

Business leaders must prioritize cybersecurity in the face of this new technology. Stanford-Clark urges organizations to guard their digital assets today, as hackers are likely to be stealing and storing encrypted data, knowing that they will soon have the tools to access the raw data. “Harvest now, decrypt later is a genuine risk.”

Stanford-Clark asserts that single bad actors and even people hacking for nation-states “have got taps into data centers, switching hubs, and telco towers” to capture data. “They will crack the codes as soon as they can, by any means possible.” But, he stresses: “This is a here-and-now problem—not a project to put off until it’s a huge issue. The stable door is already wide open.”

Amsterdam-based Jaya Baloo, CSO at Rapid7 and Vice Chair of the Quantum Flagship initiative, a €1 billion European Union-funded research project, develops this theme. “Hackers can capture a whole bunch of interest traffic, and what they do is hold on to that to wait for a viable quantum computer capable of using Shor’s Algorithm to break that encrypted material and turn it into plain text.”

The reason for harvesting encrypted data is simple, says Baloo. “Old secrets are as good as new secrets. We need to start because the clock is ticking, so prioritize important things before they become urgent.”

Stanford-Clark says longer-term planning is critically important to cope with evolving threats posed by technological developments. “We call it crypto agility,” he adds. “Being crypto agile is a new skill, a new role that the organization has to take on—and it’s not a one-off task but an ongoing process.”
 

The ability to break today’s encryption might not happen for 20 or 30 years, but this threat can’t be dismissed now. This is a here-and-now problem—not a project to put off until it’s a huge issue. The stable door is already wide open. Being crypto agile is a new skill, a new role that the organization has to take on—and it’s not a one-off task but an ongoing process.

Andy Stanford-Clark
Chief Technology Officer
IBM UK

Planning to improve crypto agility

Baloo echoes this advice. “Every business on the planet needs cryptographic agility.” But where to begin? She references Wendy Nather, Cisco’s Head of Advisory CISOs, who discusses “the information security poverty line.” Baloo says: “A lot of organizations cannot get the basics right, and there is a bunch of stuff that needs to be done well before organizations talk about quantum risk appetite.”

Leadership support and funding are vital for CISOs to improve crypto agility and map out a clearer picture of cyber risk that reaches third parties and even beyond, continues Baloo. “‘Know thy self’ remains the most difficult thing for any organization to do regarding asset understanding,” she adds. “Determining employee use of data, the extended vendor landscape, and so on, is super difficult, but it’s where everything must begin.”

Hackers can capture a whole bunch of interest traffic, and what they do is hold on to that to wait for a viable quantum computer that’s capable of using Shor’s algorithm to break that encrypted material and turn it into plain text. The reasoning being: old secrets are as good as new secrets. 

Jaya Baloo
CISO
Rapid7

Lanre Ogungbe, Co-Founder and CEO of Prembly, one of Africa’s largest security and compliance companies, provides a compelling analogy. “If you leave your child in a crib and meet him outside in the morning, you don’t just build a bigger or stronger crib; you first try to figure out how the child is escaping.”

Some regions are more at risk than others. For example, 90 percent of all businesses in Africa operate without a basic digital security structure, according to Interpol. Thankfully, Prembly and similar security companies are working hard to protect the African data ecosystem in the face of the quantum threat.

“Most of our research and development—especially in-house—is to figure out exactly how quantum technology is going to break encryption and then see how we can develop even more secure systems than that,” says Ogungbe, a member of the Nigeria National Assembly Business Environment Roundtable.

For a continent with limited resources like Africa, Ogungbe argues that it’s essential to approach the issue systemically rather than throwing a colossal amount of resources at it, which would, in turn, produce expensive and inaccessible solutions. It’s a lesson that leaders in other regions and operating in different industries should heed.

 

Threats and opportunities

According to a 2022 report by the Africa Data Centers Association, Africa’s data hosting and processing capacity doubles every three years. Experts have expressed concern that the continent’s digital speed needs to be met with much-needed security measures. “It’s not just businesses that are going to need to adapt. Even our national identity processors, hundreds of millions of registered identities, are in danger,” says Ogungbe. “But it’s also an opportunity.”

Ogungbe argues that quantum innovation can be used to protect as much as it can be used to attack. Most importantly, though, collaboration and partnership with domain experts are crucial. “It is important for stakeholders to come together and collectively figure out better shields. That’s why this is an opportunity, because we’re looking at what we’ve settled for as the most advanced security system in the world,” adds Ogungbe. “But there can be new standards, and quantum computers will probably be part of reaching them.”

 

If you leave your child in a crib and meet him outside in the morning, you don’t just build a bigger or stronger crib; you first try to figure out how the child is escaping. It is important for stakeholders to come together and collectively figure out better shields. That’s why this is an opportunity, because we’re looking at what we’ve settled for as the most advanced security system in the world. But there can be new standards, and quantum computers will probably be part of reaching them.
Lanre Ogungbe
Co-Founder and CEO
Prembly

Key takeaway questions

  • Do you have a good understanding of your network and associated vendor elements, especially those related to data?
  • Do you have strong security and privacy programs that focus on vulnerability management and a defense-in-depth approach?
  • Do you understand where and how you are using cryptography to protect your data and infrastructure? How long does that data need to be protected with cryptography?
  • What is your organization’s risk appetite for quantum computing?
  • Where is your organization compared to the information security poverty line?
  • Have you offered enough leadership support and funding to your CISO and cybersecurity team?
  • Should you partner more with domain experts to take advantage of nascent technologies and accelerate innovation?

Selected Statistics

In 2022, investment in quantum initiatives reached US$35.5 billion across multiple continents
Today’s ‘classic’ computers would require roughly 300 trillion years to decode a 2,048-bit digital key, whereas a 4,099-qubit quantum processor would need just 10 seconds