A quantum computer uses quantum mechanics to significantly boost its performance and could in the future discover, for example, new drug proteins, which is too much work for today's computers. At the same time, however, this computing technology, which uses cubits instead of bits, introduces new problems.
The quantum computer poses a particular threat to the encryption algorithms currently in use, which are based on the assumption that certain mathematical problems cannot be solved with the computing power of today’s computers. However, with more powerful quantum computers this is possible, challenging current security solutions. It is therefore important for organisations, especially those critical to security of supply, to start preparing for the risks posed by quantum computers.
Quantum-secure solutions in place by 2030
Why should businesses and other organisations be concerned about new computing technologies that may become available in the future? The reason lies in the fact that cybercriminals and spies can store encrypted sensitive information now then decrypt it later when quantum computer technology has matured enough. This can have significant consequences for a company's business.
For example, organisations that process health data need to protect their data for decades, so quantum computers are a risk factor that must be considered.
Existing symmetric encryption methods, updated to be more efficient, can protect data stored in databases. In the healthcare sector, however, sensitive information moves between the systems of different organisations. It’s precisely the encryption of this communication, now done using the public key method, that is vulnerable to quantum attack.
It’s both important and responsible to take quantum risk into account in time to respond to it in a methodical and prudent way. In a hurry, costly mistakes can be made. The general recommendation is to move to quantum-secure solutions by 2030.
Crypto-agile thinking and a roadmap to prepare for the future
Work on standardising new quantum-secure algorithms is now in its final stages. It’s likely that the use of both traditional and new algorithms as hybrid systems will be recommended for the transitional period. In the short term, old algorithms are good and proven against current threats, while some new methods may still have weaknesses. In the long term, traditional algorithms will become less relevant in the face of quantum computers; at the same time, new algorithms will mature as research on them advances.
It’s therefore worthwhile for security of supply operators to take upgradability and crypto-agility into account in all types of IT and production systems procurement. This means the ability to change the encryption algorithms in use without having to make major changes to the whole system.
To help you prepare, you may want to create a roadmap to promote a managed quantum transition. The roadmap should compile the encryption methods used by existing systems, identify databases containing critical data and provide a timeline for upgrading them to be quantum secure. This can mean either moving to fully quantum-secure encryption methods or hybrid solutions.
You also need to ensure that your organisation has a trained workforce and sufficient funding to implement the necessary changes.
A study on the awareness of quantum threats among security of supply operators
At VTT, we’re conducting a study on the quantum threat awareness among Finnish operators in security of supply. At the end of the study, we will publish a Post Quantum Cryptography roadmap to support such operators. A policy brief on the situation and research into quantum-secure cryptography in Finland has previously been published, which recommends, among other things, more education on the use of quantum technologies and preparedness.
Even if your company or organisation doesn't need to keep its data secure for decades, it's still a good idea to practise good cyber hygiene. For example, systems need to be kept up to date, employees primed against phishing messages and access rights properly sized for the job. It’s particularly important to keep personnel up to date about new security challenges and solutions.