Given the perpetual churn of technology, it’s critical for IT pros to keep their capabilities and skills current.
Quantum computing and security: 5 looming questions
Quantum computing inspires some alarmist headlines. What is it and what do enterprise IT leaders need to know about the implications for security?
I don’t know about you, but I get worried when I see headlines like “Quantum computing will BREAK the web!” Of course, it’s not going to – or at least not yet – but what actually is quantum computing, should we be worried, and why do enterprise IT leaders need to know about it? Read on to find out.
1. What is quantum computing?
As I discussed in a recent blog, quantum computing is a fundamentally different way of doing computing, which instead of using 1s and 0s - bits - uses quantum physics to manage data and decisions - qubits.
Here’s how MIT Technology Review described this complex idea in a recent article: “Unlike classical bits, which can represent either a 1 or a 0, qubits are particles such as atoms or electrons that can occupy a quantum state of both 1 and 0 at the same time, taking on a definite value only when they are measured. They can also influence one another via an almost mystical process known as entanglement.
These properties could one day enable a quantum machine to outperform even the most powerful classical supercomputer. But producing and managing qubits is still a massive engineering challenge.”
Quantum computing allows for certain types of algorithms to execute much, much faster (think seconds instead of days) than they could on our existing types of computers. The underlying technologies are quantum-related, and the ways in which quantum computers will be programmed will be based on different underlying properties to those we employ now.
2. What’s going to happen?
It turns out that most of our existing protocols for encryption security - think online banking, VPNs, database storage, digital signatures, blockchains, and disk encryption - are based on a set of problems which are difficult for our existing computers to solve.
The bad news is that it looks like quantum computers may be able to solve these problems - and therefore break our existing protocols - relatively simply, meaning that data stored or transmitted using the current standard protocols will be at risk.
3. When will it happen?
This is where there’s some good news. It looks like working quantum computers (with sufficient qubits to attack some of the security protocols we noted above), are still a few years off. Nor can anybody be sure quite how well they will work against the cryptography problems until they are really available.
With the exception of national security agencies, major financial institutions, and other organizations which need to be concerned about long-term storage of encrypted data, long-lived digital signatures and the like, there’s no immediate need for concern. Although that doesn’t mean that you should be doing nothing - see below.
4. What should I do now?
First of all, it’s worth checking now whether you have any projects where long-term encryption is likely to be an issue, or projects which you expect to be long-lived themselves, and which use encryption. Looking at what impact quantum computing may have on them is worthwhile.
And one thing you can consider for all projects - and ought to be thinking about anyway - is crypto-agility. This means designing products and applications in such a way that when you do need to be moving over to new protocols, they can take advantage of them without too much difficulty. This provides you with options if vulnerabilities are found in the design of existing protocols or if new mathematical approaches lead to new attacks, as well as covering the question of quantum computing attacks.
And this is another piece of good news: Researchers are working on protocols which are designed to be resistant to quantum-computing attacks (“quantum-resistant.”) What is vitally important for the cybersecurity community is that these should be open source, and unencumbered by intellectual property restrictions. We can all be involved with government, standards bodies and projects to ensure that when they select quantum-resistant protocols, they choose open source-friendly options.
5. Are there any upsides?
Yes, there are. Although the cybersecurity community tends to focus on the negatives, there are a number of areas where quantum-related technologies can help us. One of these is key distribution: Though not using quantum computers specifically, quantum physics provides some key distribution possibilities with very interesting security characteristics.
We can also expect new techniques to become available for searching (“quantum search,”) which is likely to have applicability within the security field, allowing faster searching and indexing across complex data sets of data gathered during a malicious attack, for instance. What further opportunities will arise it’s difficult to tell at this stage, and we’ll all have to keep an eye on the research community, but at least the web isn’t just going to break…any time soon.
[ What should top your security priorities? Read also: 7 security to-do's for CIOs in 2019. ]