January 18, 2023 By Doug Bonderud 4 min read

On December 21, 2022, President Biden signed the Quantum Computing Cybersecurity Preparedness Act.

The risk of quantum-powered password decryption is increasing exponentially. The new legislation is designed to help federal agencies proactively shift to a post-quantum security posture. Agencies have until May 4, 2023, to submit an inventory of potentially vulnerable systems, and the Act directs the Office of Management and Budget (OMB) to prioritize the adoption of post-quantum cryptography standards.

For businesses, government efforts to address emerging quantum risks are canaries in digital coal mines. There’s a real risk on the horizon, and the time to act is now.

The quantifiable quantum impact

Despite ongoing investment, research and development, quantum computing advantages remain largely theoretical. As efforts close in on practical applications, however, companies must understand how quantum technology could help — and potentially harm — day-to-day operations.

Put simply, quantum computers go beyond the binary states of 1 and 0 to vastly improve processing power. Unlike traditional computers, which store bits of information as either 1 or 0, quantum bits (qubits) make it possible for particles to exist in multiple states at the same time. This means that a qubit isn’t 1 or 0 or both — it’s somewhere in the middle. It’s also more about probability and particle interaction than high-level descriptions convey. But for the purposes of quantum computing power, the shift away from binary is the critical component.

While initial research focused on creating and sustaining these qubit states, recent efforts have scaled up the number of qubits a computer contains. For example, IBM researchers recently unveiled a 433-qubit computer named Osprey, a significant step up from the 127-qubit Eagle processor in 2021.

The cryptography concern

Passwords aren’t exactly known for their ability to defend against committed attackers. With many users still opting for passwords such as “123456” and the ever-popular “password”, enterprise IT teams are constantly searching for new ways to reduce security risks. Quantum computing adds a new cryptography concern. The issue stems not from passwords themselves but from the process of cryptography, which describes how passwords are encrypted. Current methods use mathematical algorithms to generate keys that are easy to verify but difficult to break.

How difficult? Current asymmetrical algorithms, including RSA and ECDSA, would require billions or trillions of years to break using a traditional computer. Armed with a quantum device, however, this same process could take just 8 hours.

Symmetric solutions such as AES, meanwhile, may be more resistant to these quantum attacks given their key lengths. That’s because quantum attacks on symmetric encryption rely on what’s known as Grover’s algorithm, which reduces the time to crack a symmetric key to its square root.

This means that if the average time required to crack a key using traditional methods is one trillion years, a quantum computer could do it in the square root of that time, or one million years, which is still too long to be of any use. As the number of available qubits increases, however, so too could the ability of quantum computers to break even the best symmetric encryption.

Worth noting? The risk here isn’t about a quantum computer “guessing” the right password. The concern is in their power to break encryption itself. Also known as a brute-force attack, it’s more worrisome than simply stumbling on the right answer to a password problem since it renders the underlying encryption useless for future endeavors.

What businesses need to do now

Quantum computers aren’t cracking encryption keys quite yet. But steady progress in both the volume of qubits and the stability of quantum devices means businesses should take action now rather than later.

Here are four things enterprises can do right now to reduce their quantum risk.

Inventory at-risk systems

The federal legislation offers a solid suggestion to get started with post-quantum security: Create an inventory of at-risk systems. By taking stock of current password-protected apps and services that aren’t up to quantum security standards, businesses can prepare for the next phase of digital protection.

Adopt symmetric defenses

As noted above, symmetric standards such as AES-256 offer better protection against quantum attacks. Longer bit lengths are likely just a temporary fix as quantum processing power increases. However, it’s a good way to defend current assets as quantum security tools evolve.
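
The inventory and symmetric-defense steps above can be combined into one triage pass. The following is an added example, not code from the article or from any government guidance: it classifies a constructed CSV inventory using the article's distinction between asymmetric algorithms (RSA, ECDSA) and symmetric AES. The system names, the 128-bit threshold and the action strings are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample inventory (hypothetical systems, not from the article).
SAMPLE_INVENTORY = """system,algorithm,key_bits
vpn-gateway,RSA,2048
code-signing,ECDSA,256
backup-archive,AES,128
db-at-rest,AES,256
legacy-hsm,3DES,168
"""

# RSA and ECDSA are named in the article; the others rest on the same
# factoring / discrete-log problems, which Shor's algorithm solves.
ASYMMETRIC = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
SYMMETRIC = {"AES"}
MIN_QUANTUM_BITS = 128  # assumed policy threshold; set to your own standard

@dataclass
class Finding:
    system: str
    algorithm: str
    quantum_bits: Optional[int]  # estimated strength against a quantum attacker
    action: str

def assess(system, algorithm, key_bits):
    algo = algorithm.upper()
    if algo in ASYMMETRIC:
        return Finding(system, algo, 0, "migrate to post-quantum algorithm")
    if algo in SYMMETRIC:
        # Grover's square-root speedup halves the effective key length.
        bits = key_bits // 2
        action = "ok" if bits >= MIN_QUANTUM_BITS else "raise key length to AES-256"
        return Finding(system, algo, bits, action)
    return Finding(system, algo, None, "not classified, review manually")

def build_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    found = [assess(r["system"], r["algorithm"], int(r["key_bits"])) for r in rows]
    # Most urgent first: quantum-broken, then unclassified, then weakest symmetric.
    def rank(f):
        group = 0 if f.quantum_bits == 0 else 1 if f.quantum_bits is None else 2
        return (group, f.quantum_bits or 0)
    return sorted(found, key=rank)

if __name__ == "__main__":
    for finding in build_inventory(SAMPLE_INVENTORY):
        print(finding)
```

Anything the classifier does not recognize is surfaced for manual review rather than silently passed, which keeps the inventory honest about what has not been assessed.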

Look for quantum protection partners

Quantum protection isn’t something most companies have the time and expertise to implement themselves. As a result, it’s worth finding partners with expertise in this area to help make the security shift. For example, IBM’s Quantum Safe solution provides education, strategic guidance and custom program creation to help secure your digital assets.

Leverage quantum cryptography

Evolving quantum cryptography methods leverage the nature of quantum systems to help deliver improved protection. Put simply, the entangled nature of quantum particles means that even the act of observation creates a change in state. As a result, attackers attempting to eavesdrop on an exchange of quantum-encrypted photons would change the position of these photons. This, in turn, would alert security solutions to their presence.

Better security, Qubit by bit

Quantum concerns are no longer theoretical. As evidenced by new government legislation, there’s a real risk on the horizon for current cryptography methods.

With quantum computers still not up to the task of cracking best-of-breed encryption, the evolving state of security presents an opportunity for organizations. By taking steps before risk ramps up, it’s possible to establish proactive, protective perimeters that help companies build better security qubit by bit.
