Quantum computing is driven by applications that process massive computations for big data. This includes developing new pharmaceutical products, running financial models, developing next-generation communications capabilities for terrestrial and extraterrestrial applications, optimizing logistics, and performing finite element analysis, as well as everyday applications in healthcare, manufacturing and critical infrastructure sectors.
But when the promise of quantum computing is finally realized, it won’t just bring changes to simple high-performance computing systems (HPCS); it will completely turn classic cybersecurity upside down. Today’s unbreakable, hardware-based encryption systems will be child’s play for quantum computing algorithms, warn cybersecurity experts, who say the computing power of quantum computers will dwarf that of today.
Here are some of the things business leaders and board members need to consider when preparing for the upcoming migration to the new IT environment.
What is the threat of quantum computing?
Jérémie Guillaud, head of theory at French quantum computer maker Alice & Bob, says companies should identify which systems and data could be vulnerable to an attack. He suggests planning to defend against an attacking machine with 1 million qubits. This provides a starting point: set a goal of migrating vulnerable systems so that they can withstand a quantum computer with more than 1 million qubits.
To put this in perspective, in December, IBM’s Condor quantum computer had 1,121 qubits. This baseline gives organizations a place to start planning. Despite the progress made over the past 15 years in the development of quantum computing, the threat to businesses is probably still a decade away, Guillaud estimates.
While qubits, like classical bits, are positive or negative, superimposed qubits, called cat qubits, can be both positive and negative, existing in two quantum states simultaneously. Today, there are no defenses against a cat qubit attack, although several organizations are experimenting with new approaches.
“The things we don’t do today can have a huge impact on the future, particularly on the concept of organizations collecting data today, data that is in transit, with our idea that it can be decrypted at a later stage,” says Trevor Horwitz, founder and CISO of TrustNet, a managed security, consulting and compliance services provider. “It’s not just about the risk of things happening today; it’s about being able to predict what risks we will face.”
The effort, commonly called “collect now, decipher later,” makes currently highly secure data not as secure in the long term as the company thinks. Boards of directors need to begin their efforts now to protect data for a future that is in fact still unknown.
The role of the board of directors with quantum computing
If boards wait until quantum computers are in commercial production, it will be too late to start planning network and system upgrades, which could take up to a decade to fully implement, says Lisa Edwards, executive chair of the Diligent Institute, the governance think tank and global research arm of Diligent Corp.
“The way I think about it is that this has gone from being a physics problem to being an engineering problem, and it’s quickly becoming an operational problem,” she notes. “I think it’s an opportune time for boards to start becoming more knowledgeable about it, to become familiar with it. The council’s role is not to tell the CISO which lattice-based encryption he should use. The board’s role is to ask the question, ‘What are we doing? Are we prepared if this were announced tomorrow? What would happen?’”
Tom Patterson, managing director of emerging technology security at Accenture, agrees. Corporate boards should recognize that while the threats are real, they don’t need to be quantum physicists to develop defenses, although to be successful they will need to listen to those who are, he says.
Even if boards have other cybersecurity concerns, they need to start planning for the future, Patterson adds. For example, boards may require that newly purchased infrastructure devices, such as routers and firewalls, have quantum-resistant or upgradeable firmware. Since these purchases are often already scheduled as part of network maintenance, unexpected purchases do not occur.
As Patterson notes, a major vulnerability in classical computing is that the firmware is hard-coded. This means that the hardware needs to be replaced rather than updated, as the firmware is permanent. As attackers find new ways to breach systems, new approaches to improving firmware are needed.
One approach, called cryptographic agility, allows organizations to update and rewrite firmware by automatically rotating algorithms with the push of a button. Such a system was demonstrated on low Earth orbit satellites in 2023. Cryptographic agility could eliminate the need for hardware replacements when firmware is compromised, which would make a board seem really smart.