Intelligent CISO Issue 68 | Page 33

PREDICTIVE INTELLIGENCE

What busy CISOs need to do about the quantum threat

As the quantum threat draws closer, Duncan Jones, Quantinuum’s Head of Cybersecurity, says CISOs need to act now. He discusses what it means to prepare your organisation to be quantum resilient in the face of the greatest cryptographic threat we’ve ever encountered.

The quantum threat is like climate change. Politicians struggle to implement long-term policies for climate improvement because their tenure is so short. The same is true for CISOs and the quantum threat. It’s hard to plan for something hazy and distant when you’re in the job for two years and fighting fires every day.
But plan you must, because the threat is real and the work must start today.
How close is the quantum threat?
Whenever I speak at cyber events, I’m asked when quantum computers will break cryptography.
It’s a fair question, but a surprisingly difficult one. There are two factors that affect the timeline: how many quantum bits (qubits) will be needed to run the algorithm and how soon we will have that many qubits available.
The first factor keeps changing. Academia frequently publishes papers that will allow Shor’s Algorithm to run with fewer and fewer qubits. These papers bring the goalposts closer to us on a regular basis.
The second factor is equally variable. Quantum computers are getting significantly more powerful every year. At Quantinuum, for example, we have been increasing the power of our machines ten-fold every year since 2020 and expect to maintain this velocity. Alongside this rapid performance growth, scientists are also learning how to make quantum computers more resistant to errors. Each leap forward in that realm brings the quantum threat closer again.
Fortunately, this difficult question turns out to be the wrong question. The real question is: when should we start acting on this threat? And the answer to that is simple and widely held by industry experts and governments alike.
We should start now.
What does quantum resiliency look like?
To prepare your organisation to be quantum resilient, you must focus on three topics: algorithms, key generation and crypto agility.
Firstly, you must change your cryptographic algorithms to prevent quantum computers from unpicking all your secret data. Anything you protect today with vulnerable algorithms, such as RSA or ECDSA, is fair game to a quantum attacker in the future. In fact, some attackers may be stealing encrypted data today so they can attack it in the future.
NIST is globally acknowledged as the orchestrator of the algorithm selection process. And in 2024, we expect four new algorithms to be standardised and deployed into cyber systems. Early adopters are already exploring these algorithms and embedding them into products, even ahead of standardisation.
Unfortunately, changing algorithms is not the end of the story. We need to also consider the cryptographic keys themselves. Will our current methods of key generation be strong enough when powerful quantum computers emerge?
There is increasing concern that we need to strengthen key generation so we can be confident that present and future attackers cannot brute-force them. The answer to this problem is to use quantum technology itself to help generate hardened keys that will be future-proofed.
Finally, we need to give some thought to crypto agility. This refers to the ability