How Quantum Computer Technology Will Impact Cybersecurity and How IT Leaders Should Respond?

Author By Dr. Varin Khera

9 min readApr 25, 2022

Introduction

The massive advance in computer technology has introduced radical changes to our daily lives. Nowadays, most of our daily interactions depend on computing technology. On the other hand, public organizations and enterprises are doing most of their work with the help of computers. All modern aspects of life we see around us today have become a reality because of the advancement of computer technologies.

The rapid advancement of computer technology made it possible to decrease the size of a computer’s parts and increase its processing power. However, after decades of development, we can say humans have reached the maximum limits of developing small computer parts regarding their physical size. Quantum Computers were developed to continue the advancement of computer technology beyond the small physical limit.

The Importance of Quantum Computer Technology

IT giant companies, such as Facebook, Google, Apple, Microsoft, and government organizations worldwide, are investing heavily in quantum computing technology because it promises to solve complex problems that typical computers, and even supercomputers, cannot solve. The main areas quantum computing can help humanity are:

Improve online security by developing quantum encryption methods that surpass traditional encryption algorithms.
Enhance the performance of Artificial intelligence-powered machines by providing a fast and efficient way of analyzing large datasets needed for the proper functioning of devices/appliances that depends on AI and Machine learning to work.
Reduce the time needed to develop new medicines, such as vaccines, as quantum computers can perform a massive amount of simulations between many chemical ingredients to test how they work in combination, which conventional computers cannot do.
Weather forecasting can be improved significantly to give more accurate results than those delivered using typical computers.
Facilitate traffic controls on the ground and in the air by suggesting the best routes to take, which significantly reduce congestion and help optimize supply chain operations.

As we saw, quantum computers help us find solutions for complex problems that conventional computers cannot. However, when it comes to cybersecurity, leveraging quantum computing capabilities by threat actors can have devastating effects, as we will see next.

Cybersecurity Implications of Quantum Computing

Quantum Computing Can Make Today’s Encryption Algorithms Breakable

The most worrying aspect of using quantum computers for cybersecurity professionals is utilizing them by cyber attackers to break current cryptographic algorithms. For instance, modern encryption algorithms, such as RSA, AES, and Trible DES, are not breakable using today’s computers.

Current encryption algorithms work by using an encryption key; these algorithms use complex mathematical formulas to change a plaintext into ciphertext. This digital key is utilized to encrypt and decrypt the data. If an attacker wants to decode a secret message, they need to find the relevant encryption key. A typical attack is trying all possible passwords to guess the right one. The guessing attack is possible using conventional computers; however, according to Americanscientist, even the world’s fastest supercomputer would need trillions of years to find the right key, making traditional computers do not pose a threat to currently utilized encryption algorithms.

Advanced Threat Actors Are Now Collecting Encrypted Data to Crack It Later

As we already discussed, quantum computers can break modern cryptography; however, this may not be possible until a considerable amount of time. Despite this fact, public organizations and enterprises should begin to utilize quantum-prove solutions to protect their most precious information. Advanced threat actors, especially those backed by nation-states, are working to harvest encrypted data in bulk. For instance, anything that goes through internet wires can be intercepted in one way or another. after collecting the encrypted information, threat actors will wait until quantum computers become available to decrypt this data, which can seriously affect the national security of many countries.

Creating Advanced Malware

Cybercriminals are always looking to develop advanced malware that evades detection. Nowadays, organizations deploy advanced security solutions, such as Network Detection and Response (NDR), EDR, and SIEM, to fight unknown attacks. NDR’s protect organizations’ networks operating in hybrid environments (on-premise and in the cloud). In a nutshell, NDR solutions analyze all network packets flowing across the organization network to detect abnormal activities using Machine Learning and Artificial Intelligence (AI) techniques.

Quantum computers allow cybercriminals to analyze large datasets and decide how to create malware that evades various security solutions detection. By doing this, cybercriminals can launch broad attacks against many organizations’ networks and avoid detection, even by advanced security solutions such as NDRs.

Cybercriminals May Become Able to Rent A Quantum Computer

In the future, giant IT providers will offer quantum computers on a subscription basis. Like Infrastructure-as-a-service (IaaS) provided by cloud providers, we can expect to see quantum-as-a-service. Such service will make it possible for a limited-budget organization to enjoy the many benefits quantum computers offer; however, the threat comes if such services get utilized by cybercriminals for malicious purposes.

How Should Cybersecurity Leaders Respond To Threats Posed By Quantum Computers?

As we read in the first part of this article, quantum computers will introduce radical changes to today’s current digital systems when they become available. For instance, the massive ability of quantum computers to factor large numbers will make them able to break the current encryption algorithm, which most of our daily digital activities depend. Such as securing online communications, online banking, and buying products from online merchants, to name only a few.

IT security managers and decision-makers should understand the implications quantum computers impose on today’s digital systems and develop the right security strategies to counter future quantum computers risks before they become a reality.

Migration To Post-Quantum Cryptography

Post-quantum cryptography refers to using secure encryption algorithms against attacks executed by quantum computers. A major initiative to develop such algorithms is maintained by the National Institute for Standards and Technology (NIST), which aims to develop one or more quantum-resistant public-key cryptographic algorithms. Until now, no encryption algorithm is quantum-proof; however, business leaders should be aware of assessing the risks of quantum computers early in their organizations before such algorithms become available.

IT leaders should assess the security of sensitive data based on the answers to the following questions:

·Improve online security by developing quantum encryption methods that surpass traditional encryption algorithms.

How many years must this data be protected? For example, 30 or 40 years, or just five years? When the number of years is high, this means using security methods that can stand against quantum attacks becomes more significant.
The number of years needed to shift the current IT system into a quantum-safe solution.
How many years do the possible adversaries needs before they become able to attack current digital systems using a quantum computer?

NIST Roadmap For Migration To Post-Quantum Cryptography

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCOE) was a pioneer in creating a draft document to help organizations simplify their migration to post-quantum encryption algorithms. NIST suggests five implementation scenarios to identify quantum-vulnerable cryptographic code, prioritize replacing such code based on some criteria, such as the type of data, application, or process it currently protects, and finally discuss remediating deficiencies based on security controls’ dependence on quantum-vulnerable cryptography.

It is worth noting that the five scenarios are created to address the working environment of enterprises datacenters operating in hybrid environments, such as on-premises, and use both public and private cloud services from different third-party providers.

Scenario 1: FIPS-140 validated hardware and software modules that employ quantum-vulnerable public-key cryptography

This scenario begins by discovering the FIPS-140 validated hardware and software modules that existed in the enterprise IT environment that utilizes quantum-vulnerable public-key cryptography.
Now, we determine the uses of each module, such as symmetric key wrapping, key management, and digital signature.
We need to assess the type and criticality of the data and applications this module protects. For example, when a specific module is used to protect highly sensitive data, such as PII or PHI, it has a high priority for replacement.
Finally, we will get a list of modules that need to be replaced. Replacing all modules is not always feasible, so we should have a schedule to replace each component based on its sensitivity level; this allows our company to replace all problematic components within a specified time frame.

Scenario 2: Cryptographic libraries that include quantum-vulnerable public-key cryptography

The second scenario is concerned with the cryptographic libraries used in developing cryptographic applications. It suggests the following steps:

Identify all components or code libraries that use quantum-vulnerable public-key algorithms.
Each library will get reviewed to find if it includes any quantum-resistant algorithms that were selected for standardization by the NIST post-quantum cryptography standardization process.
Suppose the library does not contain quantum-resistant algorithms approved by the NIST. In that case, it will be marked and suggested to include one or more NIST-selected algorithms to fix the quantum-vulnerable routines that existed in the library.
If the library contains a NIST-selected algorithm, it will be re-evaluated to ensure it is implemented correctly according to the NIST recommendation.
This scenario allows identifying the most used code libraries and updating the non-quantum proof functions to become quantum-resistant

Scenario 3: Cryptographic applications and cryptographic support applications that include or are focused on quantum-vulnerable public-key cryptography

This scenario is concerned with identifying cryptographic applications and cryptographic support applications that utilize quantum-vulnerable public-key cryptography. Applications that support exchanging information, such as Transport Layer Security (TLS), and applications supporting infrastructure control systems, such as those used to manage the electricity grid, water supplies, and fuel pipelines, will be included.

All cryptographic functions supported by the quantum-vulnerable algorithm(s) in each cryptographic application and cryptographic support applications will be identified. This also includes identifying the processing and information exchange protocols.
Now, for each identified application or supporting application, an assessment should be made to measure its impact on the operational environment if it becomes unavailable. A list of compensating controls should be suggested to remain operational if any components become unavailable to sustain normal system operations.
A replacement from the NIST post-quantum algorithms should be advised for each cryptographic application and cryptographic support applications function which is supported by quantum-vulnerable public-key cryptography.
In the outcome of this scenario, for each application or supporting application, a list of NIST post-quantum algorithm candidates or compensations controls will be identified.

Scenario 4: Embedded quantum-vulnerable cryptographic code in computing platforms

This scenario aims to identify the operating system environment for which the quantum-vulnerable cryptography is utilized. For example, quantum-vulnerable cryptography code can be existed in:

1. Operating systems such as Windows, Linux, UNIX, macOS, iOS, and Android

2. Identity and access management solutions

3. Access controls that utilize logical or physical mechanisms to facilitate entities (systems, apps, users) digital authentication

4. A device or application that utilizes cryptographic code to support one or more of its functions

This scenario suggests these steps:

Identify the quantum-vulnerable cryptographic code in the operating system environment. Automated tools can be used to discover all functions and routines.
After identifying all instances of the quantum-vulnerable cryptographic code, we should measure its importance to system work. Can we remove that instance without affecting the regular operation of the system?
A NIST post-quantum candidate algorithm should be advised to replace the vulnerable code for each instance of the quantum-vulnerable cryptographic code.
In the outcome of this scenario, for each application or supporting application, a list of NIST post-quantum algorithm candidates or compensations controls will be identified.

Scenario 5: Communication protocols widely deployed in different industry sectors that leverage quantum-vulnerable cryptographic algorithms

This scenario is concerned with identifying quantum-vulnerable public-key algorithms that existed in communications and networking standards and protocols leveraged by external providers, such as:

1. Health providers

2. Telecommunications

3. Energy

4. Transportation

5. Banking and financial sector

The aim is to document all instances of communications protocols that utilize quantum-vulnerable public-key algorithms and to suggest a NIST post-quantum replacement candidate algorithm for each instance.

Closing Thoughts

As we saw, quantum computers will bring huge advancements to different science areas, profoundly impacting our daily lives. On the cybersecurity side, leveraging any modern technology by threat actors for malicious purposes should worry us. However, despite all the facts about quantum computers, I do not think evil things will happen soon. For instance, many studies show that quantum computers are still under development, and they suffer from many errors that make them unable to crack modern encryption algorithms. The primary motivation behind developing quantum computers is to use them in combination with conventional systems, not necessarily as a replacement.

Quantum computers will remain used by giant enterprises, research centers, and government organizations worldwide for a long time. Accessing such advanced technology will not be open as conventional computers are. Of course, I predict the usage of quantum computers will prevail even for personal use, but this needs a considerable amount of time, which lowers the impact of using quantum computers by threat actors, such as terrorist organizations and cybercriminals groups in a short-range.

Although we are still somehow far from facing quantum-based attacks, my advice is still to utilize quantum-prove solutions when protecting our most sensitive data assets. This should prepare us for any sudden change and prevent current threat actors from collecting our sensitive data and breaking it when this becomes feasible after quantum computers become accessible.