How quantum computing will transform cybersecurity – and how to stay protected
.jpg)
For the last decade, encrypting data has been a sure-fire way of protecting it from cybercriminals – even if it falls into their hands, they can’t understand or utilise it. But all that is set to change, leaving businesses more vulnerable than ever.
While it’s not quite mainstream yet, we’re poised for a new quantum computing era. And that means the rules of the game are changing fast when it comes to keeping valuable digital assets – intellectual property, private and sensitive data, authentication systems, and communication channels – safe and protected.
Representing a paradigm shift in computing power, quantum computers harness the principles of quantum mechanics to process information. Unlike traditional computers that use binary ‘zeros’ and ‘ones’, quantum computers use quantum bits (qubits) which can exist in multiple states. This means they can solve massive and highly complex problems at speed – in a matter of minutes or seconds.
The big worry is that cybercriminals will harness all this computational power to crack public key encryption algorithms, like RSA and ECC (elliptic curve cryptography), that are used today to protect digital communications and transactions.
While experts think it will be another five to 10 years before quantum computers become commonplace, the potential risk that quantum poses should not be ignored. Cybercriminals are already adopting a ‘harvest now, decrypt later’ mindset and stealing encrypted data in anticipation of decrypting it in the not-too-distant future. So, even if your data is encrypted right now, it may not stay that way for much longer.
With that in mind, organisations need to act fast and start future-proofing the encryption measures that secure their critical infrastructure and sensitive data.
Preparing for a quantum-safe future: Post-quantum cryptography (PQC)
The good news is that last year the National Institute of Standards and Technology (NIST) published its first set of standardised post-quantum cryptographic algorithms.
Designed to withstand the attack of both traditional and quantum computers, these post-quantum encryption algorithms advance the protection of encrypted data against future threats from quantum computers. In March this year, NIST added a further PQC algorithm to its standards specification and is now encouraging computer system administrators to start applying the standards as soon as possible.
Providing a blueprint for governments and industries to begin their adoption of post-quantum cryptography cybersecurity measures, the new NIST PQC standards represent an important stepping stone on the journey to a quantum-secure future.
While post-quantum cryptography is all about updating the mathematical-based algorithmic standards that underpin and protect the public-key infrastructure, it’s not the only game in town.
Quantum security, also known as quantum cryptography, utilises the inherent properties of quantum mechanics to detect eavesdropping attempts and create secure communication channels using techniques such as quantum key distribution (QKD) and something called ‘quantum coin-flipping’.
Theoretically ‘unhackable’, quantum cryptography offers significant promise when it comes to securing sensitive information in a variety of applications. However, the implementation practicalities will prove a barrier for many as it requires specialist hardware – such as quantum communication networks and satellites – which are not yet widely available.
Next steps: Getting started on your post-quantum transition journey
The UK’s National Cyber Security Centre (NCSC) is currently urging organisations to start moving away from current encryption methods and adopt quantum-resistant algorithms. In terms of timelines, it recommends that organisations should aim to complete the migration of all systems, services, and products by 2035 at the latest.
However, changing cryptography in complex IT environments isn’t something that can be done overnight. Indeed, a major cryptographic transition can typically take 5-10 years to complete.
Therefore, organisations will need to start planning their migration journey now. To streamline this process, the following key considerations should help you define an effective migration strategy:
- Undertake a cryptographic inventory
A comprehensive record of all cryptographic assets within the organisation’s infrastructure will be essential. You’ll need to know what keys and algorithms you have, where they are stored, and how they are managed. This inventory should include sensitive data, applications, networks, identity systems, and all third-party connections. - Prioritise risk
Rather than trying to protect everything all at once, evaluate your data in terms of its sensitivity and longevity. For example, information that needs to stay confidential for over five years should receive immediate attention. For less sensitive data, standard encryption methods should suffice for the short term. - Get crypto-agile
The ability to switch between different cryptographic algorithms in response to new threats will be essential in the post-quantum era. You’ll need to develop frameworks that make it easy to replace cryptographic algorithms without the need for an extensive system redesign and invest in employee training to support this capability. - Develop a migration timeline
Ideally you should start with your most sensitive systems and data, prioritising any that protect IP or personally identifiable information (PII). - Engage with suppliers
Cryptographic migration is a complex undertaking that has significant implications for the software supply chain. You’ll need to proactively assess your cryptographic dependencies, plan for a transition period, and engage with suppliers to ensure they are aligned with emerging standards.
The sooner you start your post-quantum transition, the better. Because the longer you delay, the greater the risk that your sensitive data will fall victim to ‘store now, decrypt later’ attacks. Attacks that could result in considerable – and avoidable – financial, operational, and reputational damage.
.jpg)
.jpg)
.png)