Quantum computing may sound like science fiction, but it's coming down the pike faster than you might expect. And if security practitioners don't start taking this impending advancement seriously now, they could be facing the wholesale obscelesence of their corporate cryptographic protections within a decade.
Unfortunately, most security leaders are so worried about yesterday's and today's risk that they aren't making time for quantum computing's very real risk to them tomorrow.
Designed to harness the power of quantum mechanics, quantum computing has the potential to completely upend the world of data crunching. It'll all be owed to a phenomenon known as 'superposition.' Whereas classical computers depend on the storage of information within bits in binary--either an 'off' or 'on' position--quantum computers can store information in a 'qubit' that registers a variety of states simultaneously.
“You can have heads, you can have tails, but you can also have any weighted superposition. You can have 70-30 heads-tails,” Christopher Monroe, a University of Maryland physicist and founder of a start-up that's trying to build a quantum computer with trapped icons, told Scientific American last summer in an excellent explainer piece on quantum computing advances.
The fundamental of superposition is what will eventually make quantum processors capable of making calculations on a scale and at a speed that even today's most impressive supercomputers can't match. And researchers at some of the world's biggest technology companies are currently in a race to establish this kind of dominance, which is collectively referred to as quantum supremacy.
The last few months has seen a dizzying parade of news from researchers making headway in this race. In October, Google reported that it is within months of finishing development of a 49-quibit computer capable of quantum supremacy. In November, IBM said it had developed a 50-qubit system. And just this last week, Microsoft told Financial Times that it's working on a super qubit built off of a fragmented electron that's more fault tolerant and could perform at 10x to 100x the level of other kinds of qubits. How much of this is hand-waving still remains to be seen. Bottom line is that many academics and corporate researchers today believe that we're within 10 to 15 years of seeing practical applications of quantum computing hit the market.
So, what the heck does this have to do with cybersecurity?
According to the experts, once quantum supremacy is established you can kiss public key encryption as we know it now goodbye.
Way back in 1994 when quantum computing was just a gleam in some physicists' eyes, mathematician Peter Shor developed an algorithm that a quantum computer would be able to use to find prime factors of very large numbers. His research offered a proof-of-concept for how quantum computing could break modern cryptography. With it, Shor essentially dreamed up quantum computing's first ''killer app,' explained Wired's Clive Thompson ten years later:
Cryptography, the science of making and breaking codes, relies on a quirk of math, which is that if you multiply two large prime numbers together, it’s devilishly hard to break the answer back down into its constituent parts. You need huge amounts of processing power and lots of time. But if you had a quantum computer and Shor’s algorithm, you could cheat that math—and destroy all existing cryptography.
Now in 2018, that destruction is a whole lot closer to reality. But while most security pros are at least a little aware of this risk barreling toward them, for the most part they're still happy to keep their head in the sand about it. A study out last week from Cloud Security Alliance showed that while only about 86% of IT security pros realize quantum computing could have an impact on data security, only about 40% are doing anything to future-proof their data for the threat.
On the good news front, there exists cryptographic standards today that are already quantum safe and more work is being done as we speak to refine this technology. The problem is getting enterprises to deploy it before that quantum race passes them by.
As any veteran in security will tell you, transitioning to new cryptographic technology within a large organization is about as slow a process as herding sloths. According to CSA, it took the last three years for about half of organizations to go from no encryption at all to at least a little bit of encryption--bringing the total proportion finally up to 93% this year. For as tall of a task as implementing quantum-safe encryption will be, it's going to take a whole lot more ramp-in to accomplish.
"A transition from current cryptography to quantum-resistant cryptography, even in the most optimistic of estimates, would take a decade or more," says the CSA report.
So that puts us at a somewhat inexact inflection point. We're about a decade out until quantum supremacy breaks traditional enterprise cryptography. And it'll take at least a decade for the enterprise to fully implement quantum-safe cryptography. Sounds like there's work to be done.