The journey towards Quantum-Safe Security

Quantum technologies will have a profound effect on the global economy, allowing you to solve complex problems quicker than ever before. But why should this matter as much to executives and cybersecurity experts as it does to scientists?

While news of quantum tech used to be reserved for the scientific community, today we see it hit the headlines of many media outlets as the wider world realises that the ‘post-quantum era’ – a time in which quantum computers and technologies are mainstream – is not that far away.

Alongside the countless benefits quantum will bring, like all new technologies it can also pose risks. Indeed, the main risk a quantum computer can cause is to cybersecurity. So what does this risk look like, and what can business leaders do to make sure their organisation isn’t caught unprepared?

The evolution of quantum technologies

The concept of quantum computing in fact dates back to the 1980s, when physicist Richard Feynman understood that a computing machine following quantum rules could perform some computations faster than a classical computer. Theory turned into practice in the late 1990s and for many years progress was best described as ‘steady’. Recently it’s picked up pace, driven by a number of factors:

Investment in R&D from tech giants including IBM, Google, Microsoft and Amazon as they look to commercialise the technology
Over $13bn investment from countries and regions including the EU, USA, UK, Russia and China
A host of quantum startups looking to capitalise on this growing market
An exponential growth in development and production (the quantum equivalent of Moore’s Law, so to speak)

A significant milestone in quantum’s history came in October 2019, when Google announced that it had indeed achieved quantum supremacy; the point at which a quantum computer can solve problems that classical computers can’t. Although this claim has been disputed by other contenders like IBM, it is clear that the power of quantum computer is now reaching a stage where useful computations can be performed.

The post-quantum era is just around the corner.

5 years
The time in which IBM predicts quantum computing will be mainstream.

What does this mean for industries and organisations?

You’d be forgiven for thinking that computing is the only element of quantum tech, but in fact there are three main branches:

Quantum computing, which will allow us to perform complex calculations in the fraction of the time it takes today’s ‘classical’ computers thanks to its immense computing power
Quantum communication, which allows data to be transferred securely over optical fibre networks or free space
Quantum sensing, which improves measurement accuracies across a number of industrial applications

These technologies will be transformative across areas including cybersecurity, big data & AI, critical infrastructure, scientific and medical research, economic analysis and IoT to name but a few.

Cybersecurity, big data & AI, critical infrastructure, scientific & medical research, economic analysis, IoT
Just some of the areas quantum technologies will improve.

Indeed, some quantum technologies are already doing this today. Companies including IBM and Microsoft are offering quantum computing ‘as a service’, while providers such as SK Telecom and BT are investing in quantum communication infrastructure.

Such developments are leading to a growing awareness among business leaders, alongside IT departments and cybersecurity professionals, as they look at what impact quantum could have on their own organisations.

The role of quantum in cybersecurity

While quantum tech will transform the world we live in for the better, it can be harmful in the wrong hands.

8 hours
The time in which a quantum computer could break today’s encryption.
MIT Technology Review

We’ve known about this threat since 1994, when MIT professor Peter Shor developed an algorithm that, if run on a powerful enough quantum computer, could render much of today’s encryption standards useless.

Shor’s algorithm implies that such computers would break public key encryption – used to secure everything from financial transactions to personal information – in as little as eight hours.

It’s no wonder that, with recent progress, people are starting to realise the risk. Indeed, a report from Thales found that 72% of organisations believe quantum computing will affect them within five years.

Moreover, no industry will be safeguarded from these risks, making it an issue every executive must address. Thankfully, there are steps you can take today to ensure you remain secure.

72%
of organisations believe quantum computing will affect them within five years.
Thales 2020 Data Threat Report

Introducing Quantum-Safe Security

In order to counter the threat of the quantum computer to cybersecurity, new devices and methods must be applied. This is the field of Quantum-Safe Security. Aptly, some of the technologies that can safeguard you against attacks from quantum computers derive from quantum technologies themselves.

These quantum-safe technologies are currently broken down into four main groups:

Quantum Random Number Generation (QRNG), which ensures encryption keys aren’t vulnerable to prediction or bias
Quantum-Ready Network Encryption, which enables encryption systems to incorporate quantum-safe solutions
Quantum Key Distribution (QKD), which uses photons (particles of light) to transmit keys, ensuring proven secrecy of encryption keys and maximising trust
Quantum Resistant Algorithms (QRAs), which mitigate risk as they are specifically designed to resist known quantum attacks

By deploying these in the right way, at the right time, you can safeguard your data in the quantum world.

The quantum roadmap

Although nobody can say for certain when the post-quantum era will begin, it’s likely that the technology will be mainstream in 5-10 years. However, this should not lure us into a false sense of security.

Data shared today over the Internet, for example, is already harvested in large datacentres. It may be deciphered later, when a quantum computer is available. Any data with extended confidentiality requirement is already at risk.

In addition, with the average security systems upgrade cycle also lasting this period, now is the time to begin your journey to Quantum-Safe Security.

Many organisations have already done so. This proactiveness not only ensures staff, customers and assets are protected, it also delivers a host of benefits from mitigating the risk of cybersecurity incidents to increasing customer loyalty and trust through forward-thinking innovations.

What must executives do to prepare for the post-quantum era?

To help you navigate the path, there are five main steps you must take to ensure your organisation is ready for the quantum age, and that it remains protected throughout it:

1: Apply QRNG

Ensure your keys are not vulnerable to prediction or bias using a Quantum Random Number Generator. According to NIST “the larger the amount of entropy, the greater the uncertainty in predicting the value of an observation”. In short, this means the more random your numbers, the more protected your data will be.

2: Be proactive

Undertake a quantum risk assessment to understand how your organisation could be affected in the post-quantum era. In an ideal world this will incorporate all your infrastructure and endpoints, though realistically this is a difficult task to undertake all at once.

Instead, you should focus on your business-critical systems first. Identify the ones you use every day, where work would stop if you were without them, and see what would happen if they came under quantum attack. Don’t worry if this isn’t something your equipped to do yourself, there are companies who offer these audits as a service.

3: Ensure agility

Make sure your current encryption solution is crypto-agile and can be easily adapted in the changing cybersecurity landscape. There are already encryption solutions available on the market that are compatible with external sources of entropy (like QRNG), come quantum-ready (compatible with QKD) and support custom algorithms.

4: Add QKD wherever possible

QKD is a technology which uses a fundamental property of quantum physics: observation causes perturbation. Essentially, this means that if your encryption keys are intercepted ‘in motion’, you’re alerted to this fact and can decide not to use them.

QKD is commercially available on medium-length optical links (up to about 100 km). This range can be extended by using so-called Trusted Nodes, and possibly satellites. High-valued data exchanged over these links can and should be protected today.

5: Implement QRAs

Continue your journey and push quantum security to the network edge by implementing Quantum Resistant Algorithms. Currently, NIST is evaluating 26 of these algorithms and draft standards are expected as soon as 2022.

The ideal outcome will be that several algorithms emerge as ‘good choices’, but at the same time we expect there to be complexities as NIST, alongside other standards bodies, balance security with performance. It’s likely that work on such algorithms will continue for years to come.

6: Attain Quantum-Safe security

A combination of all the above will enable your organisation to be ready for the quantum era. Secure data exchange is of paramount importance in today’s economy. You can be an actor in the transition to quantum-safe.

Discover more about the journey to Quantum-Safe Security in our infographic, or download our Executive’s Guide to Quantum-Safe Security.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.n
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
datatranscw-woocommerce-context-id	session	Description is currently not available.
datatranscw-woocommerce-context-key	session	Description is currently not available.
VISITOR_PRIVACY_METADATA	5 months 27 days	Description is currently not available.
wp11868	1 year	Marketing automation. Automatically sets cookie tracking when visitors engage through form submissions, clickthrough’s in email messages, and web pages containing the Act-On Beacon Tracker.