Businesses and organizations need to start preparing now for the threat from quantum computers, experts say

There is no “plan B” for when quantum computers are able to break all cryptography systems now used to protect everything people do in an interconnected digitalized world.

Quantum computers will be able to hack into and decrypt the coded information that protects everything from software and data internet communications, to financial transactions and national security, experts told Quantum City’s qConnect quantum conference in Calgary.

“There’s no plan B if you lose your digital networks,” Martin Charbonneau (photo at right), head of quantum-safe networks for Nokia, said at a panel session titled “How are Global Enterprises Getting Ready to be Quantum Safe?”

“If you lose your trust in your digital assets, it’s your supply chain that’s gone, your value-ideation capacity, your value-creation capacity – even your value-selling capacity that is gone,” he said.

Every type of organization and every individual needs to take action to keep their data trusted and their organization’s operation going, Charbonneau said. “There’s no plan B. The analogue world is gone.”

Once fully functional quantum computers become available, everyone’s internet communications and other digital interactions will no longer be secure, said Lily Chen (photo at left), a mathematician and fellow at the U.S. National Institute of Standards and Technology.

This risk includes downloading software and applications that are now protected by mathematically-based cryptography from being malicious, she said.

Quantum attacks can pose a risk to asymmetric and symmetric cryptography encryption methods because quantum computers will be capable of performing calculations that can decrypt such methods at an alarming speed.

Encryption tools currently used to protect everything from banking and retail transactions to business data, documents and digital signatures can quickly be rendered ineffective.

While current cryptography tools will be vulnerable to quantum computers, the biggest vulnerability right now is the uneducated leaders in businesses and other organizations, said Alexander Rau (photo at right), partner in Canada’s technology risk consulting advisory practice at KPMG.

Business leaders are currently focused on artificial intelligence and becoming aware of the risks of AI, he said. “With quantum, they don’t see it [the risk] yet.

“We need, as a community, to continue the education of these business organizations to see this as a vulnerability threat coming in the future,” Rau said.

Charbonneau pointed out that “like it or not, explicitly or implicitly, we all believe that our data is secure today.”

That’s because we’re using cryptography methods invented four decades ago to give us an “unbreakable” set of tools and confidence that our data is integral, confidential and protected, he said.

With the increasing rate of digitalization in global society, to actually lose trust in the world’s digital structure – whether it’s applications or networks – would be catastrophic, Charbonneau said.

“The music stops. Ask yourself in your personal life [what would happen] if your identity is stolen, your money is stolen. In your corporate life, if your digital supply chain stops, do you have an ability to adjust and go back to an analogue world?”

The threat to existing cryptography from quantum computers is unique, because society hasn’t experienced this type of challenge, Chen said.

“We need to replace the existing public key cryptography systems in our infrastructure,” she said, likening it to replacing the battery in a car while driving.

Start risk assessments now on communications systems

Experiments have already shown that prototype quantum computers can break the codes being used in current cryptography-protected systems.

The risk is actually increasing, because of the increasing computational power and the way quantum computers work, Charbonneau said. “We’re trying to say: Look, cryptography needs to be retooled.”

Chen, as part of her work with the National Institute of Standards and Technology (NIST), has helped create the first set of post-quantum cryptography standards required to protect digital systems – including digital signatures – against decrypting by quantum computers.

Microchips, devices, software applications and cryptographic components in supply chains will all need to be post-quantum cryptography-compliant with the new framework of standards.

The standards will impact the cryptography deployed in every industry, affecting everything from machines transferring data across a network to online transactions, hardware infrastructure and military devices.

Chen said NIST also has established the National Cybersecurity Center of Excellence to work with industry collaborators on how to approach the post-quantum cryptography problem and find solutions.

Panelist Mark Adcock (photo at right), a systems architect consultant who has 30 years of experience working largely with General Dynamics in developing military communications systems, said every business and other organization needs to look at its entire communications system.

“I think we’ve all become kind of numb to the assumptions that we make, in terms of how everything is secure by this very easy-to-use [cryptography] technology,” he said.

But businesses and other organizations need to understand the flow of their communications, and build a system model that includes use and threat cases, Adcock said.

The model should include different layers of security and defence, based on considerations of “good enough security” (depending on the sensitivity of the data or communications), ease of use and cost, he added.

Charbonneau said companies and organizations “cannot wait to do that risk assessment. If you haven’t started, you should have started yesterday.”

He said he’s seeing what’s happening in Europe, Singapore, South Korea, China and the U.S., and advice coming from cybersecurity agencies, governments and the World Economic Forum.

“There are bells and whistles around the world that are all pointing in the same direction – saying different things, different words – but all converging towards: ‘We need to take action to have the shared trust in our digital assets that we create that are the lifeblood of the organization.’”

Rau said governments should consider providing funding to help companies and organizations understand the risks of quantum computers, and to drive demand for solutions in a post-quantum cryptography world.

Chen pointed out that even though most experts think fully functional quantum computers are still several years away, there’s a growing worry that bad actors will “capture [data] today, decrypt tomorrow” when quantum computers become available.

The U.S. government is advising companies and organizations to replace all vulnerable cryptography systems by 2035, she said. “Ten years is not a long time. We need to start this now.”

The qConnect conference was presented by Quantum City, a partnership of the University of Calgary, Government of Alberta and technology company Mphasis. Quantum City was established with more than $100 million in private and public investments.

R$