July 06, 2023 - 254 views|
Quantum will impact every facet of the computing world – but its effects on security and privacy need immediate attention.
Quantum computing is coming: As we wrote recently, it will be a component of the mainstream corporate IT environment sooner than many realize. This momentum helps explain why, according to ratings agency Moody’s, business is “woefully unprepared” for quantum—in particular, its impact on security.
Much of the cryptography used today to secure passwords, internet communication and data storage is based on factoring large numbers. For example, if you multiply two prime numbers that are each 500 digits long, you get a truly enormous number, which can then be used as a public key to encrypt information. The only way to decrypt the encrypted information is to know what the two original numbers were.
Determining those original numbers via brute-force guessing would take years (or even longer, depending on the length of the number) using classical computer science techniques. But a quantum computer can solve such a problem in a matter of minutes.
The potential fallout could be disastrous in a way that’s hard to overstate. For example, one analysis of the global financial system suggests “a hack executed by a quantum computer on macroeconomic financial institutions could result in an indirect GDP loss between $2 trillion and $3.3 trillion.”
But wait. In the endless cops-and-robbers battle to lock down computer systems, it’s important to note that quantum computing also has positive implications. After all, it stands to reason that the computing power that can easily crack today’s encryption schemes can be used to create even more advanced encryption strategies. Advances on this front are being made almost daily, as evidenced by an IBM announcement of what it calls "end-to-end quantum-safe technology."
Aakash Shirodkar, a Senior Director in Cognizant’s AI & Analytics Practice, says that while quantum will impact virtually every area of human endeavor, “security and privacy are perhaps the most important use cases that need attention.”
He applauds the many organizations that are proactively considering quantum-safe cryptography. “Instead of waiting for quantum computers to become commercially viable,” he notes, “they want to start using more quantum-safe protocols to move data. This way, bad actors cannot harvest data now and decrypt it later.”
How should organizations prepare for post-quantum cryptography? It begins with “collaboration between the C-suite, boards and security leaders,” Aakash notes. These groups need to collaborate on developing a comprehensive understanding of the risks and opportunities involved. Next comes a cryptographic inventory—a full understanding of the organization's cryptographic assets.
Once a business actually begins developing post-quantum cryptographic algorithms, Aakash says, it’s crucial to test them in controlled lab environments. “Standards have yet to be finalized; everyone must understand both how to use new certificate types and what private certificate authority (CA) software looks like that is capable of using post-quantum algorithms.”
A detailed transition plan is necessary. During the transitional period, conventional and quantum-safe cryptography may need to be used simultaneously. “Pragmatic choices must be made with an eye toward the sensitivity of the data and operations involved,” he notes.
As always, organizations should work closely with vendors to implement these new solutions intelligently. “IT leaders should already be inquiring about how their vendors plan to support post-quantum cryptographic algorithms,” Aakash says. It’s also not too early to begin educating employees about the coming changes.
Aakash offers a fundamentally optimistic view of quantum’s potential. “Quantum computing can maintain the security of our data and communications, as well as solve drug discovery, large-scale logistics, materials discovery, climate change and simulation problems that classical computing cannot handle with high accuracy,” he says.