• The impact of quantum computing on internet security will be so great we must start planning now.
• Its exponentially higher processing power will render widely used cryptography obsolete.
• ‘Security agility’ – crypto agility – is a key concept in being quantum-ready.
Strategic thinking has enabled many of mankind’s greatest successes. But when some leaps are just too big for a single bound, or seem too far into the future, strategic acting – incremental, consistent decision-making consistent with a long-term vision – can serve as an enabler for future success.
While an operationally viable quantum computer seems beyond the horizon to most, the steps needed to prepare for its inevitability are indeed within sight. We need more advanced planning in cyberspace to prepare for the impact of quantum computing, where, without some changes, it will undercut all internet integrity and confidentiality – an economic and social disaster. This is where strategic acting can come into its own.
A quantum computer is radically disruptive; it will use a different method to represent and compute information, allowing much, much faster speeds. It’s not just evolutionary, but revolutionary. Quantum computers will be as revolutionary in this century as computers were to last century’s mechanical calculators. They’ll be built by, essentially, leveraging the properties of atoms we studied in physics class. They can be millions of times faster.
A quick primer on internet security foundations might help us understand this disruptive potential.
Confidentiality, Integrity and Authentication – of people, machines, software and data – underpin all internet security (and undermines it when poorly implemented); cryptography – the use of mathematical equations to protect information – is at their foundation:
• Confidentiality (e.g. scrambling data to render it private)
• Integrity (e.g. preventing attempts to falsely change “deposited $100” to “deposited $10,000”)
• Authentication (e.g. verifying the identity of the person you’re communicating with)
How does something as important as cryptography work? A good analogy is a combination lock on a high-school locker. (In this analogy, the padlock is the cryptographic “algorithm”, and its secret numbers are the cryptographic “key”.) Combination locks have two security functions: lock – a simple mechanism that requires you to do nothing more than push it together to close/secure; unlock – a relatively complex mechanism that relies on secret numbers provided to the lock through a clockwise/counter-clockwise motion. That’s what well-designed and implemented cryptography is: a mechanism to easily apply the security, but completely impractical to guess unless you know the key to unlock it.
But once an operationally viable quantum computer is produced, it can guess the possibilities at a substantially faster rate: exponentially so.
If you tried to read a cryptographically scrambled message by guessing the cryptographic key with today’s fastest computers – even working together – it is not practical. The mathematics of cryptography triumph over computer science. Cryptanalysts may try to use supercomputers (combined with mathematical insights), but it’s completely impractical to brute-force a modern crypto algorithm’s key, which is why cryptography serves as the foundation of security.
For decades, engineers made computers with more computational power by either speeding up the time it takes a processor to evaluate each individual binary possibility, or adding multiple processors that look in parallel at different possibilities. In theory, with enough speed and parallel processing, you could test all possible lock combinations (the cryptographic key).
But manufacturing complexities create a practical limit to the first approach. And the second technique, parallel processing, becomes prohibitive due to processor costs and the expense to power and cool them (they melt or otherwise malfunction when running fast and in close proximity).
Therefore, well-designed and implemented cryptography is far beyond the reach of fast/parallel processor supercomputers’ ability to guess each possibility.
But quantum computers can make many more guesses at once. Sometimes resulting in exponential (the doubling, of a doubling of an amount, etc.) increase in processing power, rather than the incremental increases possible with traditional computers. Importantly, certain kinds of mathematical problems are well-suited for a quantum computer.
Most believe an operationally viable quantum computer – one that is both reliable and has a useful number of qubits (the data units of quantum computers) – is five to 15 years away and that a handful of countries are pursuing that goal.
We need to prepare now. This is how:
1. Make “security agility” part of your operational security doctrine. When purchasing cybersecurity in the next two to five years, tell your providers you want “crypto agility”, i.e. the seamless ability to swap to “quantum-resistant asymmetric cryptographic algorithms” when available.
2. Adopt quantum-resistance cryptographic algorithms when available. Ideally, use a standard quantum-resistant algorithm several years before a quantum computer is thought to be available, because:
• Uncertainty: Quantum computer availability is unknown (the most advanced research on them is classified).
• Interoperability: There needs to be a seamless transition to this new class of cryptography. There will be a time where crypto agility – the ability to securely and agilely choose and use different types of cryptography – will enable communication with both those who use quantum-resistant cryptography and those who don’t yet.
3. Inventory your data assets to see which ones need to be re-encrypted with quantum-resistance cryptographic algorithms. Some data is so valuable that it has a long shelflife (decades) and must be protected from those adversaries who would steal your encrypted data now and “break” it with quantum computers available in the future.
4. Awareness and education. Tell your colleagues what it’s all about and why they should care, making a distinction between three main topics: quantum computing (much faster computers);quantum-resistant cryptography (algorithms that need to be developed and adopted to prepare for the eventual computers); and quantum key exchange (a means to privately share information while detecting when it has been compromised).
The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.
Our community has three key priorities:
Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.
Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.
Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.
Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.
The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.
For more information, please contact us.
Quantum computers will be revolutionary in their speeds, so much so that they can undermine the foundation of the internet’s security. They are not simply a technical curiosity to marvel at, but a revolution that requires us to plan for their arrival ahead of time, since they can undermine internet security. We should adopt agile, integrated cybersecurity strategies now – including agile cryptography – to ensure we’re prepared for the age quantum computers will usher in.