January 18, 2023 By Doug Bonderud 4 min read

On December 21, 2022, President Biden signed the Quantum Computing Cybersecurity Preparedness Act.

The risk of quantum-powered password decryption is increasing exponentially. The new legislation is designed to help federal agencies proactively shift to a post-quantum security posture. Agencies have until May 4, 2023, to submit an inventory of potentially vulnerable systems, and the Act directs the Office of Management and Budget (OMB) to prioritize the adoption of post-quantum cryptography standards.

For businesses, government efforts to address emerging quantum risks are canaries in digital coal mines. There’s a real risk on the horizon, and the time to act is now.

The quantifiable quantum impact

Despite ongoing investment, research and development, quantum computing advantages remain largely theoretical. As efforts close in on practical applications, however, companies must understand how quantum technology could help — and potentially harm — day-to-day operations.

Put simply, quantum computers go beyond the binary states of 1 and 0 to vastly improve processing power. Unlike traditional computers, which store bits of information as either 1 or 0, quantum bits (qubits) make it possible for particles to exist in multiple states at the same time. This means that a qubit isn’t 1 or 0 or both — it’s somewhere in the middle. It’s also more about probability and particle interaction than high-level descriptions convey. But for the purposes of quantum computing power, the shift away from binary is the critical component.

While initial research focused on creating and sustaining these qubit states, recent efforts have scaled up the number of qubits a computer contains. For example, IBM researchers recently unveiled a 433-qubit computer named Osprey, a significant step up from the 127-qubit Eagle processor in 2021.

The cryptography concern

Passwords aren’t exactly known for their ability to defend against committed attackers. With many users still opting for passwords such as “123456” and the ever-popular “password”, enterprise IT teams are constantly searching for new ways to reduce security risks. Quantum computing adds a new cryptography concern. The issue stems not from passwords themselves but from the process of cryptography, which describes how passwords are encrypted. Current methods use mathematical algorithms to generate keys that are easy to verify but difficult to break.

How difficult? Current asymmetrical algorithms, including RSA and ECDSA, would require billions or trillions of years to break using a traditional computer. Armed with a quantum device, however, this same process could take just 8 hours.

Symmetric solutions such as AES, meanwhile, may be more resistant to these quantum attacks given their key lengths. That’s because quantum computers rely on what’s known as Grover’s algorithm, which reduces the time to crack a symmetric password by its square root.

This means that if the average time required to crack a key using traditional methods is one trillion years, a quantum computer could do in the square root of that time or one million years — which is still too long to be of any use. As the number of available qubits increases, however, so too could the ability of quantum computers to break even the best symmetric encryption.

Worth noting? The risk here isn’t about a quantum computer “guessing” the right password. The concern is in their power to break encryption itself. Also known as a brute-force attack, it’s more worrisome than simply stumbling on the right answer to a password problem since it renders the underlying encryption useless for future endeavors.

What businesses need to do now

Quantum computers aren’t cracking encryption keys quite yet. But steady progress in both the volume of qubits and the stability of quantum devices means businesses should take action now rather than later.

Here are four things enterprises can do right now to reduce their quantum risk.

Inventory at-risk systems

The federal legislation offers a solid suggestion to get started with post-quantum security: Create an inventory of at-risk systems. By taking stock of current password-protected apps and services that aren’t up to quantum security standards, businesses can prepare for the next phase of digital protection.

Adopt symmetric defenses

As noted above, symmetric standards such as AES-256 offer better protection against quantum attacks. Longer bit lengths are likely just a temporary fix as quantum processing power increases. However, it’s a good way to defend current assets as quantum security tools evolve.

Look for quantum protection partners

Quantum protection isn’t something most companies have the time and expertise to implement themselves. As a result, it’s worth finding partners with expertise in this area to help make the security shift. For example, IBM’s Quantum Safe solution provides education, strategic guidance and custom program creation to help secure your digital assets.

Leverage quantum cryptography

Evolving quantum cryptography methods leverage the nature of quantum systems to help deliver improved protection. Put simply, the entangled nature of quantum particles means that even the act of observation creates a change in state. As a result, attackers attempting to eavesdrop on an exchange of quantum-encrypted photons would change the position of these photons. This, in turn, would alter security solutions to their presence.

Better security, Qubit by bit

Quantum concerns are no longer theoretical. As evidenced by new government legislation, there’s a real risk on the horizon for current cryptography methods.

With quantum computers still not up to the task of cracking best-of-breed encryption, the evolving state of security presents an opportunity for organizations. By taking steps before risk ramps up, it’s possible to establish proactive, protective perimeters that help companies build better security qubit by bit.

More from Government

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today