Innovations in quantum computing mean enterprise and manufacturing organizations need to start planning now to defend against new types of cybersecurity threats.

Tim Hollebeek, Industry and Standards Technical Strategist at DigiCert

February 26, 2021

5 Min Read

We've been hearing a great deal about advances in quantum computing for a few years, but 2020 was definitely groundbreaking. Innovation is continuing to gain momentum, and new advances are pushing this revolutionary technology closer to commercial adoption. Some of the most recent milestones include:

  • IBM partnered with leading Japanese universities and corporations in July to bring quantum computers to the workplace through applications for business, finance, and materials development.

  • In August, University of Chicago students announced they had discovered a technique that would enable quantum states to last 10,000 times longer.

  • Google achieved a chemistry milestone for quantum computing in September, stimulating a chemical reaction with its quantum computer and opening a path toward more possible discoveries and inventions.

Although quantum technology will not reach maturity for years, standards bodies and other industry leaders are already considering its impact on cybersecurity and today's widely used encryption algorithms. ETSI recently released new strategies and recommendations for migrating to quantum-safe schemes. The Accredited Standards Committee (ASC X9) issued a new standard for public key cryptography use of digital signatures.

Big Strides in Quantum, and More to Come
It's clear that 2020 was a watershed year in realizing large-scale, practical quantum computing, and the innovation will only accelerate. It won't be long before a major technology company announces it has applied quantum computing to successfully solve a problem that could not be tackled by traditional supercomputers.

We are not yet at the point where algorithms such as ECC or RSA are at risk, because breaking these advanced protections requires large-scale quantum computing power. However, the ability to solve practical problems will be a significant milestone that will spark additional investment in quantum technology — and create a virtuous feedback loop to drive further, faster advances.

What do these advances mean for enterprise and original equipment manufacturing (OEM) organizations? The past year's progress moves us much closer to a quantum reality. According to a recent survey, 71% of IT professionals believe that quantum computing will present a major security threat in the near future.

Transforming cybersecurity strategies can take a considerable amount of time — sometimes even decades. That means organizations will have to start preparing now if they want to be ready when sufficiently large numbers of quantum computers exist. Enterprises and manufacturers that fail to move forward on their journey now risk being left behind in the years ahead.

Planning a Four-Year Strategy
Although 2020 has been packed with quantum computing advances, it is still impossible to predict a precise date when quantum computing will arrive. Still, to get in front of the curve, it's advisable to plan to have cybersecurity preparations fully in place by 2025. For some critical systems, it's important to have defenses in place even earlier.

Why is 2025 an important time frame? The National Institute for Standards and Technology (NIST) recently launched an evaluation process for choosing quantum-safe algorithms, and this process is expected to be completed by 2024. This is an important time frame for OEMs and organizations responsible for embedded security in products, solutions, and processes to keep in view.

Organizations securing long-life valuable data such as financial records, military secrets, healthcare records, and other assets are vulnerable to "harvest and decrypt" attacks. Information organizations need to be preparing now to ensure they secure data at risk today.

Also, devices that are shipping today may still be around when quantum computers arrive and will need to have a plan in place, such as for secure remote updates, to update them to quantum-safe methods. Since those methods are not standardized yet, some products will need two updates to be secure: one to prepare them to securely receive post-quantum updates and another one once post-quantum technologies are more mature.

In addition, organizations securing products and solutions that have significant development timelines, long life cycles, and high cost to repair or recall should take proactive steps. They should begin testing, proof of concept, and infrastructure-upgrade planning to ensure they are ready, before the risk of large-scale, cryptographically relevant quantum computers becomes a reality. Full transition for these types of products should be completed by 2025. Without standards, these organizations will need to deploy hybridized and crypto-agile solutions that maintain NIST Federal Information Processing Standards (FIPS) compliance.

It's Time to Get Started
Organizations can begin taking initial steps now to prepare for a post-quantum world. Some initial planning considerations for safeguarding devices could include:

  • Does the device require strong security, such as:

    • Public key infrastructure (PKI) and digital certificates?

    • Hardware security modules (HSMs)?

    • Physically embedded roots of trust?

  • How many years does a device need to be secured for? If the answer is seven or more years, you need to start preparing today.

  • How long does the information need to remain confidential? Again, if the answer is seven or more years, it's time to start preparing now.

As you prepare for your technology transition, take the time to understand the problem, and find out what technologies are available to mitigate it. Find all the cryptography in your organization and start working on a plan to replace it. 

As you become more crypto-agile and prepare for deployment, ask your third-party vendors about their transition plans, and consider replacing any products and services that cannot be upgraded. Take steps to test your transition plans and mechanisms to make sure they work. Then, move aggressively to put a quantum-safe PKI solution in place to support future upgrades, and continue to deploy quantum-safe technologies as they become available.

While quantum computing might easily take a decade or more to go mainstream, this is not a race that an organization can afford to lose. The stakes are higher than ever for maintaining security and compliance. Fortunately, by putting planning into motion soon, you'll assure your ability to stay several steps ahead of the coming revolution in quantum computing.

About the Author(s)

Tim Hollebeek

Industry and Standards Technical Strategist at DigiCert

Timothy Hollebeek has 19 years of computer science experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He then moved on to architecting payment security systems, with an emphasis on encryption and key management, and wrote the first implementation of AES DUKPT, which is used to derive keys to protect credit card and PIN debit transactions. He remains heavily involved as DigiCert's primary representative in multiple industry standards bodies, including the CA/Browser Forum, IETF, and ANSI X9 striving for improved information security practices that work with real-world implementations. A mathematician by trade, Tim spends a lot of time considering the coming transition to post-quantum cryptography.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights