Quantum computing is now real. While the technology is still in the early stages of development, researchers are making impressive progress in developing quantum devices and exploring early use cases in chemistry, finance and machine learning.

Besides research and development in the private sector and academia, big investments are also being made in the public sector. In the future, this could enable quantum computers with much greater computing power than they have today.

How Will We Protect Our Data From Quantum Attacks?

Quantum computers could potentially offer unprecedented capabilities to tackle problems that classical computers cannot solve today. These systems will also change the way we approach cybersecurity. In 1994, Peter Shor showed that a large-scale quantum computer would be able to break today’s most-used public key crypto algorithms, such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman and Elliptic Curve Cryptography, by using Shor’s algorithm.

Since most of our communication (e.g., bank transactions, web traffic, remote connections, email, etc.) relies on such algorithms, in essence, all of it would be at risk. This extends to all data encrypted with secret cryptographic keys that are exchanged in one way or another using the aforementioned algorithms.

Not surprisingly, researchers have been working hard on alternative methods for protecting our data as quantum computing progresses.

One set of methods is quantum cryptography, which is mostly known for quantum key distribution (QKD) — e.g., the BB84 protocol. QKD is implemented by encoding the secret key in quantum states, which are sent in the form of photons (light particles) across optical fibers or free space. To protect against wiretapping by an eavesdropper, we exploit fundamental quantum mechanical properties such as Heisenberg’s Uncertainty Principle and the fact that, in the quantum world, it is impossible to observe something without impacting it (i.e., its quantum state). Even though distance limitations of QKD may be overcome today by launching satellites into space, we are currently constrained by low bit rates and the fact that initial authentication still requires a classically pre-shared secret.

Another method is quantum-safe cryptography, which involves a new set of classical encryption algorithms based on mathematical problems that are believed to be hard to solve on a quantum computer (as well as on a classical computer). Such algorithms are considered resistant to quantum attacks. The main advantage of quantum-safe cryptography is the possibility of implementing it on top of existing infrastructure (e.g., by updating the Transport Layer Security protocol), which is why it may be considered the most feasible way forward.

How to Prepare Your Organization for Quantum-Safe Cryptography

Multiple standardization efforts for quantum-safe cryptography are already ongoing. For example, the National Institute of Standards and Technology (NIST) is leading a quantum-safe cryptography standardization program and recently announced the candidates for the second round, including submissions from IBM that are based on lattice-based cryptography.

In parallel with standardization efforts for quantum-safe cryptography, there are plenty of things that companies should start doing today to avoid losing their competitive advantage when future standards of cryptography become widespread. Below are four of the most important steps to get started.

  1. Manage your data:
    • Identify and classify your most valuable data by defining your crown jewels.
    • Understand the security time value of your data, or how long you will need to keep your data protected.
    • Define data owners and a life cycle for your data.
    • Understand how cryptography protects your most valuable data.
    • Know where all your valuable data is stored, how it flows within your organization, and how it is transmitted to locations outside of your organization.
  1. Manage your crypto:
    • Create an inventory of your existing cryptography. Understand which protocols and algorithms are currently used in your organization.
    • Identify hardware and software components related to cryptography.
    • Understand how your applications use cryptography and to what degree cryptography is currently hardcoded.
    • Understand how cryptography protects your most valuable data.
    • Know how legacy components depend on cryptography.
  1. Improve your crypto-agility:
    • “Abstract out” cryptography to the extent possible.
    • Update your development life cycle to rapidly account for new cryptography standards.
  1. Upskill crypto and quantum resources:
    • Offer employees educational resources about cryptography and quantum computing.
    • Make use of external services that can keep your organization up to date on the latest technology trends in cryptography and quantum computing.

Even though quantum computers are still in development, the above activities can help prepare your organization for the long-term impacts these systems may have on cryptography. We strongly advise you to start this journey now to prepare for when new quantum attacks emerge, advanced crypto-threats arise and new crypto technology becomes available. Learn more about quantum risks and cryptographic agility — the key to successfully navigating the shifting landscape.

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today