What busy CISOs need to do about the quantum threat

What busy CISOs need to do about the quantum threat

As the quantum threat draws closer, Duncan Jones, Quantinuum’s Head of Cybersecurity, says CISOs need to act now. He discusses what it means to prepare your organisation to be quantum resilient in the face of the greatest cryptographic threat we’ve ever encountered.

The quantum threat is like climate change.

Politicians struggle to implement long-term policies for climate improvement because their tenure is so short. The same is true for CISOs and the quantum threat. It’s hard to plan for something hazy and distant when you’re in the job for two years and fighting fires every day.

But plan you must, because the threat is real and the work must start today.

How close is the quantum threat?

Whenever I speak at cyber events, I’m asked when quantum computers will break cryptography.

It’s a fair question, but a surprisingly difficult one. There are two factors that affect the timeline: how many quantum bits (qubits) will be needed to run the algorithm and how soon will we have that many qubits available.

The first factor keeps changing. Academia frequently publishes papers that will allow Shor’s Algorithm to run with fewer and fewer qubits. These papers bring the goal posts closer to us on a regular basis.

The second factor is equally variable. Quantum computers are getting significantly more powerful every year. At Quantinuum, for example, we have been increasing the power of our machines ten-fold every year since 2020 and expect to maintain this velocity. Alongside this rapid performance growth, scientists are also learning how to make quantum computers more resistant to errors. Each leap forward in that realm brings the quantum threat closer again.

Fortunately, this difficult question turns out to be the wrong question. The real question is: when should we start acting on this threat? And the answer to that is simple and widely held by industry experts and governments alike.

We should start now.

What does quantum resiliency look like?

To prepare your organisation to be quantum resilient, you must focus on three topics: algorithms, key generation and crypto agility.

Firstly, you must change your cryptographic algorithms to prevent quantum computers from unpicking all your secret data. Anything you protect today with vulnerable algorithms, such as RSA or ECDSA, is fair game to a quantum attacker in the future. In fact, some attackers may be stealing encrypted data today so they can attack it in the future.

NIST is globally acknowledged as the orchestrator of the algorithm selection process. And in 2024, we expect four new algorithms to be standardised and deployed into cyber systems. Early adopters are already exploring these algorithms and embedding them into products, even ahead of standardisation.

Unfortunately, changing algorithms is not the end of the story. We need to also consider the cryptographic keys themselves. Will our current methods of key generation be strong enough when powerful quantum computers emerge?

There is increasing concern that we need to strengthen key generation so we can be confident that present and future attackers cannot brute-force them. The answer to this problem is to use quantum technology itself to help generate hardened keys that will be future-proofed.

Finally, we need to give some thought to crypto agility. This refers to the ability to easily switch between cryptographic algorithms in the future. Most cyber systems are hard coded to use a specific set of algorithms, such as RSA. Now that we are being forced to make changes, we would be foolish not to add more flexibility.

We’ve already seen NIST candidate algorithms being broken. Perhaps most dramatically when SIKE was broken ‘in a weekend on a laptop’ by a researcher. We must be prepared to make many more changes in the future.

What should a CISO do today?

Hopefully, you are beginning to realise that action is needed on the quantum threat, even if you have many other fires raging right now.

But perhaps it’s not clear what to do. There are many conflicting stories in the news and it can be difficult to separate fact from fiction. I would recommend you take the following steps, as soon as practicable, to ready your organisation.

Start quantifying the risk to your organisation

Cyber is a game of risk and you need to speak this language to influence your organisation, and the board, towards action.

For your company, you need to start quantifying the risk that quantum represents. For instance, you might want to consider which of your data is long-term sensitive and what it would mean for the wider business if it was exposed.

Putting some concrete numbers around these risks will allow you to gather support for addressing the threat, even if it remains a few years away.

Assess your infrastructure and plan the migration

There is a lot of advice available on how to plan your migration to quantum resilience. The Department of Homeland Security has shared a roadmap that helps spell out the logical sequence of activities.

CISA implores that ‘organisations should start preparing for the transition now’.

The immediate first step is to build an understanding of your existing infrastructure. You need to understand where you use cryptography, where your sensitive data sits and how long it must remain secret.

You should also engage with your primary vendors and ask them to explain their own quantum resilient roadmaps. This is a good moment to test your vendors – if you find one of them doesn’t have a convincing answer for you, it may be time for a difficult conversation with them.

Experiment to reduce risk

While reading and planning have significant value, nothing beats experimentation for reducing risks.

Many organisations are conducting trials of quantum-safe algorithms and quantum technology. Concretely, this means exploring how your applications and services operate when using newer algorithms. And also, exploring how to integrate stronger quantum-enhanced key generation into your existing infrastructure.

CISA, and other organisations, are encouraging this testing process. They recognise that we learn the most by doing and that we can’t afford to sit and wait as the quantum threat draws closer.

As a CISO, you will have a thousand priorities and raging fires to tackle on a daily basis. However, you must find the time to consider how this threat will uniquely affect your organisation and make a deliberate decision on how to move forward.

One day, this will be in the rearview mirror. But for now, it’s the greatest cryptographic threat we’ve ever faced. There is no need to panic, but you must start taking action.

Browse our latest issue

Intelligent CISO

View Magazine Archive