This post was originally published on Forbes.
Today, our most sensitive information is generally encrypted — from your personal messages, banking and health information to things like classified military documents and companies' trade secrets.
But there’s a growing threat looming over our collective privacy and security — and that’s quantum computing. Currently being developed by the largest tech companies, startups and governments alike, quantum computers use the principles of quantum mechanics to perform calculations faster than today’s computers.
Instead of using ones and zeros to process information, these new computers will use quantum bits (qubits) that allow them to do a lot of mathematical calculations at once. Like Schrödinger's cat, qubits can be both ones and zeros at once, a property known as superposition. Superposition allows quantum computers to very efficiently solve problems that are very complex and time-consuming for classical computers, allowing these systems to potentially solve some of humanity's biggest problems.
While still in the early stages of development, big advancements in quantum computing are expected in the next decade or two. One calculation that a quantum computer can solve instantly is factoring the product of two prime numbers. Because this calculation is incredibly resource-intensive for classical computers, it forms the basis of very widely used public key cryptographic algorithms. This means the traditional encryption and digital signature methods we use to protect data and information today won’t stop these machines.
More urgently, some bad actors are already harvesting encrypted data now to store it in hopes that they can decrypt it down the line when quantum computers become more powerful. That’s why we need to protect our sensitive information today for the future. Athletes train for months and years before a big marathon, not the day before the race. Preparing for a post-quantum world is like training — it needs to start in advance.
Many risks arise if quantum computers can effectively decrypt all sensitive information — especially if this technology gets into the wrong hands. Think mass surveillance by bad actors who would have access to communications and data, the possible compromise of financial systems, exposure of intellectual property or even national security threats. Some even predict personal privacy could be finished, with all sensitive information available to anyone with a quantum computer and all transactions effectively "in the clear."
That's why so many organizations, companies and governments are working together to begin building protections now. Since there are no quantum computers that can be used to implement quantum encryption schemes, the industry needs to develop new encryption algorithms that can be implemented on classical computers but that are resilient to both classical and quantum threats. The answer lies in post-quantum cryptography, or PQC.
Preparing Now Before Quantum Threats Emerge
After nearly eight years of work with partners from around the world, the U.S. National Institute of Standards and Technology (NIST) recently released new post-quantum cryptographic algorithm standards. This is just the first set of standards intended to help organizations and enterprises become quantum-ready now.
If your company has sensitive information you wouldn’t want in the hands of bad actors or made publicly available in a few years, then it’s time to start thinking about your encryption. Here are my recommendations for getting started:
• Understand your exposure. Run a cryptographic inventory to understand your organization's quantum readiness for each part of your network. Review all devices, systems, platforms and vendors to assess data sensitivity, asset lifetime and attack susceptibility. This will help you understand your exposure to potential data loss risks.
• Upgrade your encryption. Start protecting sensitive information by adopting the new NIST standardized methods for encryption, and note that it will take time to get this fully integrated. By following these standards, you will ensure your data is interoperable, working seamlessly across multiple technology providers. If you don’t have the skills in-house to do this, I recommend working with a reputable cybersecurity technology company that can do all of this for you. Doing this today protects data from being harvested for future decryption.
• Remain flexible. It’s just the beginning. More iterations are being developed as more research and science uncover better and more effective methods to protect sensitive data. I recommend all technologists embrace the principle of cryptographic agility. This way, when the research and standards around cryptographic algorithms change, your product development team is ready to shift along with it. The key here is that your architecture must remain flexible, so avoid getting stuck in proprietary solutions that might not evolve with the standards.
• Learn more. Get quantum ready and better understand the risks to your company and customers. There are a lot of great explainers out there, such as this CISO’s Guide to Quantum Security video series. Sign up and follow your nation’s post-quantum security programs to ensure your post-quantum migration follows best practices and adheres to your government’s regulations.
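As an added illustration of the inventory step (not part of the original article), the Python sketch below triages inventory entries by comparing data lifetime plus migration time against an assumed number of years until a quantum computer can break public-key cryptography. The asset names, the 12-year horizon and the field names are constructed assumptions; the replacement names are the NIST standards FIPS 203, 204 and 205.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}
# Symmetric ciphers with 256-bit keys remain adequate against known quantum attacks.
SYMMETRIC_OK = {"AES-256", "CHACHA20-POLY1305"}
# NIST post-quantum replacements, by how the old algorithm is used.
REPLACEMENT = {"kex": "ML-KEM (FIPS 203)",
               "sig": "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)"}

@dataclass
class Entry:
    asset: str
    algorithm: str
    use: str              # "kex" (key exchange/encryption), "sig" or "sym"
    lifetime_years: int   # how long the protected data must stay secret
    migration_years: int  # estimated time to replace the algorithm

def triage(inventory, horizon_years):
    """Return (asset, status, replacement, slack_years), most urgent first."""
    rows = []
    for e in inventory:
        algo = e.algorithm.upper()
        if algo in SYMMETRIC_OK:
            rows.append((e.asset, "ok", None, None))
        elif algo not in SHOR_BROKEN or e.use not in REPLACEMENT:
            # Unknown or undocumented crypto is an inventory gap, not a pass.
            rows.append((e.asset, "review", None, None))
        else:
            # Recorded ciphertext can be decrypted later, so secrecy lifetime
            # counts for key exchange; signatures only need migration in time.
            exposure = e.migration_years + (e.lifetime_years if e.use == "kex" else 0)
            slack = horizon_years - exposure
            status = "urgent" if slack < 0 else "planned"
            rows.append((e.asset, status, REPLACEMENT[e.use], slack))
    rows.sort(key=lambda r: (r[3] is None, r[3] or 0))
    return rows

# Constructed sample inventory (hypothetical assets).
SAMPLE_INVENTORY = [
    Entry("web-tls", "ECDH", "kex", 1, 2),
    Entry("backup-archive", "AES-256", "sym", 25, 1),
    Entry("vpn-gateway", "ECDH", "kex", 15, 3),
    Entry("legacy-hsm", "unknown-vendor-cipher", "kex", 10, 5),
    Entry("firmware-signing", "RSA", "sig", 20, 4),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, horizon_years=12):
        print(row)
```

A negative slack means the data must stay secret longer than the assumed horizon allows, so traffic captured today is already exposed to harvesting.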
Preparing and Securing Our Data for the Future
The new PQC algorithm standards are a significant milestone in creating strong encryption that the advanced computers of the future won’t be able to crack. Through this growing ecosystem of partners driven by NIST, we are collectively working hard to protect important information from being stolen or misused — even when computing technology advances.
We work on it now so our future is protected. While this technology seems far away, the potential impact it can have on communities, companies and countries requires us to take it seriously. As the saying goes, an ounce of prevention is worth a pound of cure. In this case, the best prevention is prior preparation.