On December 21, 2022, President Biden signed the Quantum Computing Cybersecurity Preparedness Act.
The risk of quantum-powered password decryption is increasing exponentially. The new legislation is designed to help federal agencies proactively shift to a post-quantum security posture. Agencies have until May 4, 2023, to submit an inventory of potentially vulnerable systems, and the Act directs the Office of Management and Budget (OMB) to prioritize the adoption of post-quantum cryptography standards.
For businesses, government efforts to address emerging quantum risks are canaries in digital coal mines. There’s a real risk on the horizon, and the time to act is now.
The Quantifiable Quantum Impact
Despite ongoing investment, research and development, quantum computing advantages remain largely theoretical. As efforts close in on practical applications, however, companies must understand how quantum technology could help — and potentially harm — day-to-day operations.
Put simply, quantum computers go beyond the binary states of 1 and 0 to vastly improve processing power. Unlike traditional computers, which store bits of information as either 1 or 0, quantum bits (qubits) make it possible for particles to exist in multiple states at the same time. This means that a qubit isn’t 1 or 0 or both — it’s somewhere in the middle. It’s also more about probability and particle interaction than high-level descriptions convey. But for the purposes of quantum computing power, the shift away from binary is the critical component.
While initial research focused on creating and sustaining these qubit states, recent efforts have scaled up the number of qubits a computer contains. For example, IBM researchers recently unveiled a 433-qubit computer named Osprey, a significant step up from the 127-qubit Eagle processor in 2021.
The Cryptography Concern
Passwords aren’t exactly known for their ability to defend against committed attackers. With many users still opting for passwords such as “123456” and the ever-popular “password”, enterprise IT teams are constantly searching for new ways to reduce security risks. Quantum computing adds a new cryptography concern. The issue stems not from passwords themselves but from the process of cryptography, which describes how passwords are encrypted. Current methods use mathematical algorithms to generate keys that are easy to verify but difficult to break.
How difficult? Current asymmetrical algorithms, including RSA and ECDSA, would require billions or trillions of years to break using a traditional computer. Armed with a quantum device, however, this same process could take just 8 hours.
Symmetric solutions such as AES, meanwhile, may be more resistant to these quantum attacks given their key lengths. That’s because quantum computers rely on what’s known as Grover’s algorithm, which reduces the time to crack a symmetric password by its square root.
This means that if the average time required to crack a key using traditional methods is one trillion years, a quantum computer could do in the square root of that time or one million years — which is still too long to be of any use. As the number of available qubits increases, however, so too could the ability of quantum computers to break even the best symmetric encryption.
Worth noting? The risk here isn’t about a quantum computer “guessing” the right password. The concern is in their power to break encryption itself. Also known as a brute-force attack, it’s more worrisome than simply stumbling on the right answer to a password problem since it renders the underlying encryption useless for future endeavors.
What Businesses Need to do Now
Quantum computers aren’t cracking encryption keys quite yet. But steady progress in both the volume of qubits and the stability of quantum devices means businesses should take action now rather than later.
Here are four things enterprises can do right now to reduce their quantum risk.
Inventory At-Risk Systems
The federal legislation offers a solid suggestion to get started with post-quantum security: Create an inventory of at-risk systems. By taking stock of current password-protected apps and services that aren’t up to quantum security standards, businesses can prepare for the next phase of digital protection.
Adopt Symmetric Defenses
As noted above, symmetric standards such as AES-256 offer better protection against quantum attacks. Longer bit lengths are likely just a temporary fix as quantum processing power increases. However, it’s a good way to defend current assets as quantum security tools evolve.
Look for Quantum Protection Partners
Quantum protection isn’t something most companies have the time and expertise to implement themselves. As a result, it’s worth finding partners with expertise in this area to help make the security shift. For example, IBM’s Quantum Safe solution provides education, strategic guidance and custom program creation to help secure your digital assets.
Leverage Quantum Cryptography
Evolving quantum cryptography methods leverage the nature of quantum systems to help deliver improved protection. Put simply, the entangled nature of quantum particles means that even the act of observation creates a change in state. As a result, attackers attempting to eavesdrop on an exchange of quantum-encrypted photons would change the position of these photons. This, in turn, would alter security solutions to their presence.
Better Security, Qubit by Bit
Quantum concerns are no longer theoretical. As evidenced by new government legislation, there’s a real risk on the horizon for current cryptography methods.
With quantum computers still not up to the task of cracking best-of-breed encryption, the evolving state of security presents an opportunity for organizations. By taking steps before risk ramps up, it’s possible to establish proactive, protective perimeters that help companies build better security qubit by bit.
Doug Bonderud is a contributor for SecurityIntelligence.