Denis Mandich, CTO of Qrypt, a quantum cybersecurity company, founding member of the Quantum Economic Development Consortium and CQT.
getty
Quantum computers make headlines for their ability to break essentially all modern encryption used in commercial data networks. While the Silicon Valley Bank fiasco exposed the financial sector, rarely has a new computing tool revealed the true extent of the hyper-concentration of risk in cybersecurity. Calculating the danger is often erroneously based on the chances of a Y2Q or Q-day moment when a cryptographically relevant quantum computer comes online. The consensus is it will happen, but the timing to transition to quantum-safe systems spans the spectrum from two to 10 years. The problem with this thought process is there are no historical parallels to draw upon to make a rationally justifiable decision.
Although zero-days exploited specific product lines and similar attacks were done on widely used infrastructure, like Heartbleed on OpenSSL, there are no past systemic and pervasive risks on this scale in cybersecurity. SolarWinds, Log4j and Petya/NotPetya don’t come close to exposing vulnerabilities of this magnitude. The interoperability of the internet itself is built on these two algorithms that were developed to solve a very different, pre-internet problem in the 1970s—securing a single copper wire and a few switches connecting two users. Digital networks rely on a set of standards and software to guarantee both the availability and security of communications. It is not hyperbole to say they are in ubiquitous use today and cannot simply be switched to a new encryption system all at once. This process could take more than a decade, if not two.
While the partial answer is to begin transitioning to post-quantum cryptography (PQC) now, the concentration of risk is simply shifted from one algorithm to a new one, not eliminated. The problem of “harvest now, decrypt later” hasn’t been addressed because there is no mathematical proof any variant of PQC will endure. The basic tenet is to be “crypto-agile”—meaning, be prepared to swap out the encryption libraries at any time in the future if flaws are discovered.
However, history has proven this is a losing strategy because already collected data is decrypted and operationalized. Endemic nexuses in cybersecurity have been eradicated before. For example, important applications are protected by strong MFA today, not just a password. It is essential to evolve from the current and near-future dependency on a single algorithm, and a perfectly executed chain of software events, to safeguard data on which so much of the global economy depends.
Quantum has been characterized as a Black Swan Event, which is accurate in the sense that we began wide use of a cryptosystem before a fundamental weakness was discovered. It can be further argued the world could be surprised one day to discover foreign intelligence agencies have secretly been using a covertly developed quantum computer for years before a public revelation. In either case, the real point is the disproportionate impact it would have. The potential cost is extremely high relative to the price of preventative measures. It is also difficult to quantify the cost beyond commerce and geopolitics.
The sudden availability of previously private and secret communications data can be quickly exploited by the growing power of AI. Breaking PKI encryption happens everywhere all at once and cannot be contained to a single enterprise or industry sector. This is uncharted territory but a solvable problem if we innovate now and evolve toward a resilient future.
Durable solutions shouldn’t be a hopefully improved version of the past but rather must take into account the technologies of today. They must be decentralized, distributed and redundant with no single point of failure or attack while leveraging quantum hardware.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
