Experts estimate that within the next decade or so, adversaries will have the capacity to use quantum computing to break the encryption on virtually all existing digital databases. This is why it is highly significant that on July 5, 2022, the National Institute of Standards and Technology (NIST) under the US Department of Commerce announced that it had selected four quantum-resistant cryptographic algorithms that can be used to protect encrypted databases from a quantum attack.
But the danger is not just ten years in the future; it is here now. Harvest Now, Decrypt Later (HNDL) attacks are already happening: adversaries with strong quantum computing development programs are targeting encrypted data to steal now and decrypt later, when quantum computing arrives. Countries around the world are beginning to recognize this, and some jurisdictions even consider theft of encrypted personal data to trigger mandatory breach reporting, likely for this reason.
Companies therefore should strongly consider preparing now for the post-quantum era by staying informed, understanding new regulatory standards and developing a risk-based approach to quantum transformation.
NIST’s Post-Quantum Cryptography (PQC) Standardization Project
NIST’s selection of four quantum-resistant cryptographic algorithms came six years after putting out a public call to the world’s cryptographers to develop quantum-resistant algorithms as part of the agency’s post-quantum cryptography (PQC) standardization project. The project’s new cryptographic algorithms will become part of a new NIST standard expected to be finalized in the next two years that can be used to protect data from attacks by quantum computers. Quantum computers are on the cusp of becoming viable and promise to deliver computing power that is potentially millions of times more powerful than current supercomputers. The extraordinary speed at which quantum computers can do complex calculations would render current encryption algorithms obsolete, thereby exposing data to harm if it is not encrypted with quantum-resistant cryptography.
The power of quantum computing
Classical computers today perform logical operations based on combinations of one of two physical states. These binary states are positive or negative electrical charges, usually represented as ones or zeros, and are called “bits” (binary digits).
Quantum computers, on the other hand, work on the basis of the principles of quantum mechanics and process information using “qubits” (quantum bits), which enable them to leverage a third state called superposition, in which they are simultaneously ones and zeros. Qubits can therefore represent numerous possible combinations of ones and zeros at the same time. This allows operations to be performed at exponentially faster speeds than traditional computers.
As an example of the vast difference in computing power between classical computers and quantum computers, Google created a complex mathematical calculation, which its quantum machine called Sycamore, containing 53 qubits, solved in just 200 seconds in 2019. Google claims that the most powerful supercomputer at that time, the IBM Summit (aka OLCF-4), would have required 10,000 years to solve the same problem, thereby showing a 53-qubit quantum computer to be 158 million times more powerful than the leading supercomputer.[i] IBM contested the claim, asserting that Summit could have performed the operation in two and a half days, meaning that Sycamore is only 1,100 times faster than Summit. Even if we assume that IBM is correct, an increase in computing power by a factor of 1,100 is a significant increase using only 53 qubits. In 2021, the MIT/Harvard quantum startup QuEra Computing announced that they had successfully built a 256-qubit quantum system. IBM expects to complete a 1,000+ qubit system in 2023; these systems would be exponentially more powerful and quicker than Sycamore,[ii] and development is expected to accelerate.
Quantum computers could allow for great leaps forward in the fields of finance, pharmacology, technological research, weather forecasting, supply chain management, national defense and other fields that deal with highly complex calculations and projections. Companies are looking at using quantum computing to run programs that can accurately identify good stock picks, which some believe could be accomplished faster and more accurately by quantum computers than humans could do on their own.[iii] Pharmaceutical companies could use quantum computing to create complex molecular models to identify new chemicals to be used in drugs.[iv] The power it represents for economic growth and national defense has nations heavily investing in quantum computing. In a very real sense, the push to build a viable quantum computer is a technological arms race for global leadership.
Researchers are working to combine the power of quantum computing with machine learning and artificial intelligence. In 2020, Google released TensorFlow Quantum, an open-source library for prototyping quantum machine learning models, the idea being that quantum computers could be used to develop quantum algorithms that can analyze complex datasets and make decisions faster and more accurately than current artificial intelligence systems. In the simplest terms, artificial intelligence is about making automated decisions using vast data sets. The more factors that feed into the decision, the more complex the decisions become, which requires more processing power. Quantum computing could allow artificial intelligence to be used to solve increasingly complex problem sets.
Although there have been strides in quantum computer development, there are major obstacles to the creation of a viable quantum computer outside of a laboratory. Qubits are made of subatomic particles and are very sensitive. To keep a qubit in a superposition, the atom needs to be kept very quiet and isolated in a “still state” without any external disturbances (such as the influence of the Earth’s magnetic field), at absolute zero (-459°F), and with hardly any atmospheric pressure. Overcoming these obstacles is technologically challenging, expensive and requires highly skilled experts, meaning that at least in the short term, quantum computers will remain in the realm of universities, technology companies, and governments.
Legal significance and risk
Quantum computing could present a threat to organizations with sensitive personal and business information, especially information related to intellectual property, financial systems or national security, if quantum computing were used to break the current encryption standards. This presents a major future risk, as valuable intellectual property, trade secrets, financial data, national security intelligence, and any other data of interest to an adversary with a quantum computer would be exposed unless it were encrypted with a quantum-resistant algorithm.
According to the US Intelligence Community, losing primacy in the field of quantum computing could result in America being eclipsed as the world’s leading superpower.[v] In 2021, the director of the US National Counterintelligence and Security Center identified quantum computing as one of the top five key technologies crucial to US world dominance.[vi] Predicting the impact that quantum computing could have on a number of sectors, in 2018, the US government passed the National Quantum Initiative Act “to ensure the continued leadership of the United States in quantum information science and its technology applications,” and established the Subcommittee on Quantum Information Science of the National Science and Technology Council. Chief among the goals of that Act is to provide for the “economic and national security of the United States.”[vii]
Harvest Now, Decrypt Later (HNDL) Attacks. The likelihood that quantum computing will become viable in the near future adds urgency to understanding how quantum computing poses a threat to digital information today. Data that is encrypted and unbreakable has value for adversaries that can steal it today and use quantum computing to decrypt it tomorrow. Foreign adversaries with strong national quantum computing development programs are targeting valuable-but-encrypted data to steal now and decrypt later. Data on quantum computing itself may be especially valuable.
Government response and legislation
Increased Investment in Quantum Computing. In early August, 2022, President Biden is expected to sign into law the CHIPS and Science Act of 2022, which will invest USD 280 billion into domestic semiconductor manufacturing and other sciences, including quantum computing and artificial intelligence. Specifically, the Act will require the Secretary of Energy to facilitate advances in quantum computing by supporting: (a) the Computational Science Graduate Fellowship, designed to augment the quantum computing workforce; (b) the Quantum User Expansion for Science and Technology Program, to facilitate access to “quantum computing hardware and quantum computing clouds for research purposes”; and (c) the Advanced Computing Program, which requires the Secretary to “maintain foundational research programs in mathematical, computational, and computer sciences focused on new and emerging computing needs within the mission of the Department,” including quantum computing, machine learning, and artificial intelligence. It will also require the Secretary to establish a research and development program into quantum network infrastructure. The Act highlights the government’s intent to keep America at the forefront of the quantum computing frontier.
Post-quantum cybersecurity regulation. The US government has been taking an active role in creating and enforcing standards and rules related to cybersecurity in the private sector over the past few years. Federal and state laws require regulated companies and their vendors in critical sectors to adopt reasonable cybersecurity safeguards. The US Department of Defense and other government entities require their agencies and contractors to comply with NIST cybersecurity standards. As we move toward viable quantum computers, national governments may begin to create specific cybersecurity standards related to quantum computing to which certain sectors must adhere. Organizations in the US and elsewhere likely will be required to implement new quantum-resistant encryption algorithms and other measures to defend against attacks by quantum computers, which could require organizations and their vendors to make investments in new hardware and software.
Today, jurisdictions around the world are starting to recognize the dangers of HNDL attacks and to consider theft of encrypted data as triggering mandatory breach reporting. For example, in India, a cybersecurity incident is reportable even if the data is encrypted, and in Japan, leaks of secret telecommunications must be reported even where those communications are encrypted.
Getting ready for quantum
Regardless of whether we know the exact time of the arrival of the quantum computer era, experts agree we must begin now to prepare our leadership and our information security systems for a secure quantum economy. Taking an informed risk-based approach to the quantum transformation will begin with the question: How long will it take my organization to become quantum safe and agile? It will require investment of time and resources with the goal of having a coordinated post-quantum development plan and cybersecurity program. Enhancing awareness by keeping informed of technological and regulatory requirements will be a critical step toward meeting the goal of quantum resilience.
[v] “Protecting Critical and Emerging US Technologies from Foreign Threats,” National Counterintelligence and Security Center, October 2021, last accessed August 4, 2022. https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/FINAL_NCSC_Emerging%20Technologies_Factsheet_10_22_2021.pdf
[vii] National Quantum Initiative Act of 2018, HR 6227, 115th Cong. (2008).