Quantum Risk: Benchmarking the Discussion
By Dr. Eduardo Solana, University of Geneva
Quantum computing is one of those horizon-scanning topics that almost always comes up when chief information security officers (CISOs) and other cybersecurity leaders get the chance to look to the future. These conversations tend to focus on understanding when, practically, computer scientists will have developed the capacity to build a quantum computer able to knock out the current levels of encryption that are so widely relied upon today.
It’s a question that has been asked for quite a long time: I first heard it over 20 years ago, when I started my own research into the subject. Today, there are a fair few who speculate that it will be a matter of years, not decades, maybe even months. Of this I am not so sure. I am clear, however, that the time has come for a dedicated discussion on the impact of Quantum Computing on Cybersecurity, including the influence it may or should already be having today. I am pleased therefore to have the opportunity of staging it at CISO 360 Congress 2019, alongside my industry colleague Dr. Grégoire Ribordy, CEO, ID Quantique. Our aim is to focus on the developing technology and inherent risks, not necessarily the often-explored ethics concerns, within an interactive debate on Quantum Proofing IT Infrastructure, and there are plenty of questions to consider.
For cybersecurity, quantum technology is developing as a double-edged sword. Advances in quantum technologies have already been made to allow the generation of high-quality random numbers based on quantum entropy, for example for encryption key generation. Quantum physics is also already being applied to future-proof key distribution for symmetric encryption solutions, with deployments happening today. Such technical advances offer the opportunity to strengthen our capacity for security. Alongside these developments, however, significant levels of investment continue to be poured into the research-driven development of that quantum computer, most of it by large global companies that treat it as an R&D prize. The question of when it will arrive is likely to remain a difficult-to-predict, closely guarded secret, but few doubt its inevitability.
It’s fair to say that anticipation of this arrival is already having an impact today. It is, for example, increasingly believed that traditionally encrypted data is already being hoovered up by those with an interest in it, whether that be potentially legitimate or otherwise, for when the quantum computer will be available to crack the encryption. I am also hearing rising levels of concern about industry sleepwalking into the quantum era, creating a gaping window of opportunity for significant levels of attack before the quantum solutions needed to thwart them are more widely deployed.
There is a public as well as a business interest, with the potential to impact economies, supply chains and other electronic ecosystems, not just individual organisations. It may be unrealistic or even unfair to expect individual businesses and industry to add to their armouries at this stage. Even whether adding to the arms race is likely to afford the desired levels of protection is a question worth exploring. Most senior information security leaders appreciate that a technology solution, however advanced or sophisticated, is only part of the risk mitigation mix: it will not provide a panacea for such a wide-reaching concern.
The challenges we currently grapple with every day to genuinely understand and govern cyber risks, increase visibility of the vulnerabilities, stay on top of developing tactics, and future-proof defences could become more acute in the quantum era. Legacy systems remain at the heart of this struggle today. Perhaps the quantum debate required today is quite likely to be less about the capabilities of the technology itself and more about the need to assure agility to withstand a significant change in any technology on which we have a widespread reliance. There are tactical and strategic issues to consider, including taking stock of the encrypted estate, the lifecycle of data and information, the applicability of standards that guide our management, compliance risk and more, all of which are relevant discussion points.
There will be companies that are already looking in contextual detail at these issues for their organisations. I look forward to gaining the benefit of their and others’ perspectives on the day.
Register for the CISO 360 Congress to attend Dr. Eduardo Solana’s Innovation Insights Keynote