Author: John Farley
In our continuing efforts to keep our clients abreast of emerging cyber risks, we're raising awareness about a significant development in a new and powerful technology that bears watching.
Quantum computing is the next formidable challenge to those tasked with defending their networks from threat actors. Some experts believe that quantum computers will eventually be able to defeat encryption. While we don't see quantum computers posing an immediate threat today, it may become the tool of choice for cyber criminals.
What is quantum computing?
Most computers today can perform only one task at a time. A task that requires more computing power and time than today's computers can accommodate is called an "intractable problem," and these are the problems that quantum computers are predicted to solve.
While our traditional computers rely on binary bits for data processing, quantum computers leverage quantum bits, or "qubits," to solve complex calculations at speeds that far exceed the capabilities of most computers today. They'll be able to absorb and process vast data sets to perform a wide variety of tasks simultaneously.
However, this new technology comes with the potential to do harm and may advance cyber risk to a whole new level.
The threats of quantum computing
We expect threat actors to try to exploit the very powerful abilities that quantum computers will provide. The most concerning is encryption vulnerability. Our traditional encryption methods use complex mathematical equations to make the data unreadable to all but the sender and recipient, making it safe to send and stored data across public computer networks.
Some believe that this common defense strategy may be susceptible to the immense power of quantum computers. Their concerns extend to a known hacker strategy of "harvest now, decrypt later" where hackers hold onto stolen but encrypted data, intending to decrypt it later when they can leverage the power of quantum computers.
Losses to organizations may manifest in a variety of ways, including:
- Privacy liability: Without adequate encryption, web-based communications and our most sensitive personally identifiable information may become exposed.
- Legal liability and regulatory risk: Organizations may become subject to legal liability and regulatory risk due to non-compliance with data protection standards.
- Threats to trade secrets: Highly sensitive intellectual property could be stolen.
- National security concerns: Nation states could leverage quantum computing to defeat cybersecurity controls that protect our critical infrastructure and allow access to highly classified government secrets, providing a powerful new weapon in geopolitical conflicts.
What can be done now
The National Institute of Standards and Technology (NIST) has already taken steps to provide guidance on quantum-safe practices. Their Post-Quantum Cryptography (PQC) project has set standards designed to help organizations withstand a quantum attack. The NIST advisory provides several ways to prevent and mitigate the effects of a quantum attack, including the following:
|
Post-quantum cryptography |
Fend off quantum attacks by developing and implementing cryptographic algorithms that are secure against both traditional and quantum computers. |
|
Quantum key distribution (QKD) |
Leverage QKD to securely distribute encryption keys to ensure that any attempt to intercept the keys is detectable. |
|
Hybrid cryptographic systems |
Use systems that use both traditional and quantum-resistant algorithms to provide an additional layer of security. |
|
Cryptographic security audits |
Audit current cryptographic systems to ensure they're consistent with the latest security standards. |
|
Employee training |
Continually educate key stakeholders to the potential risks of quantum computing and the importance of transitioning to quantum-resistant solutions in a timely manner. |
|
Collaboration and research |
Leverage industry, academia and government resources to research the latest quantum-safe technologies and strategies. |
|
Incremental transition |
Create a plan for transitioning to quantum-resistant cryptographic systems to ensure an efficient and secure shift as quantum computing evolves. |
By proactively addressing these risks and implementing robust strategies, organizations can better protect their data and maintain security in the face of advancing quantum computing capabilities.
Leveraging Cyber insurance
Cyber liability insurance and other insurance policies may help organizations transfer risks associated with losses stemming from the latest emerging cyber threats, including quantum attacks.
Many policies provide access to crisis services, including breach coaches, IT forensics investigators and other breach response experts. Those with cyber insurance should be mindful of claim reporting obligations, requirements to use insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.
As quantum computing develops, we expect the associated threats of quantum attacks to become a focus of Cyber insurance underwriters. Cyber insurance applicants should be prepared to implement NIST defense strategies provided and other generally accepted controls as they become available.
