2022 was a big year for quantum computing. Over the summer, the National Institute of Standards and Technology (NIST) unveiled four quantum computing algorithms that eventually will be turned into a final quantum computing standard, and governments around the world boosted investments in quantum computing. 2023 may be the year when quantum finally steps into the limelight, with organizations preparing to begin the process of implementing quantum computing technologies into existing systems. It will also be the year to start paying attention to quantum computing-based attacks.
"In 2023, we'll see both the private and public sector's increased awareness around the challenges associated with quantum resilience, and we'll see efforts begin to take hold more significantly to prepare for quantum computing," says CISO (ISC)2 Jon France.
McKinsey recently noted the amount of money different countries have allocated for quantum computing to date. China leads the pack with $15.3 billion in public funds in quantum computing investments. The European Union governments combined have invested $7.2 billion, which dwarfs the US with $1.9 billion.
That doesn't mean the US has been standing still. A key effort — the list of four NIST-approved algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+) — will help organizations future-proof current data security measures against harvest-now/decrypt-later (HNDL) attacks. These attacks refer to adversaries hanging on to encrypted items until a time when quantum computing technology that can decrypt them become available. And last month, US president Joe Biden signed the Quantum Computing Cybersecurity Preparedness Act (HR 7535) into law to give the Office of Management and Budget authority to begin implementing NIST-approved quantum algorithms throughout the executive branch.
The new law highlights the importance of implementing quantum computing technologies into existing systems now, but it doesn't address the necessity of monitoring for threats, says Yudong Cao, co-founder and CTO of Zapata Computing. "We should be actively monitoring the threat by sponsoring cybersecurity research activities into various methods, exact or heuristic, for compromising the current encryption schemes," Cao says.
There is also a lot of investment activity in the private sector, with startups focused on quantum technologies collecting $1.4 billion in funding in 2021 alone, according to McKinsey. Nearly half (49%) of those private investments are in companies in the United States, compared to just 6% in China, the analysts noted.
"Building cyber resilience in preparation for quantum technology should have been an effort started a decade ago ... but now is the second best time," France says. However, for both private and public-sector organizations, the process of making infrastructure "quantum-resilient" will be a difficult and slow one.
"Much of the encryption infrastructure in communication networks that keeps information safe now is deeply embedded, i.e., certificates, and will take years to transition to quantum resilient algorithms, posing a timeline issue for changeover before the general availability of quantum computing," France says.
In a recent survey by Deloitte, enterprises said that without external pressure — such as regulatory and compliance requirements — they won't be prioritizing quantum security initiatives.