CISO Guide for Quantum Computing: Risks and Opportunities (Part I)

For Chief Information Security Officers (CISOs) in charge of cybersecurity, quantum computing brings its paradox. It is both an opportunity to improve security and a massive vulnerability that could soon cause security as we know it to be subject to catastrophic failure. This primer will explore quantum computing’s dual nature. It offers insights and signals for CISOs to shape their emerging cybersecurity strategies.

Understanding Quantum Computing

The main difference between classical and quantum computing is the unit of data in computing. In a classical computer, that data unit is a single bit, represented as 0 or 1. In quantum computers, that unit is known as a quantum bit, or a qubit, that nondestructively encodes information as 0 and 1 and leverages the quantum mechanical principles of superposition and entanglement to take on unique combinations of different states. These very combinations of states enable quantum computers to process information in ways that classical computers cannot, exponentially faster than ever before.

This larger pool of processing power opens the door to important breakthroughs in cryptography as it does in material science. It will also mean that encryption algorithms that are seen as secure today will eventually fall. CISOs must understand these nuances to secure their organizations in a quantum reality. 

The Risks of Quantum Computing

Broken encryption is perhaps the most immediate risk to CISOs, as many of today’s commonplace encryption algorithms could be susceptible to being broken by quantum computers. The ‘encryption cliff’ is looming. CISOs should identify sensitive data requiring long-term protection and assess the trade-offs in migrating to a quantum-safe standard. Through dialogue with technology partners, they should develop an understanding of their quantum cryptography roadmaps and absorb these into their security planning. 

Its novelty and complexity increase the risks that are inevitably present. For each new quantum computer, CISOs must be clear on whether third-party risk management guidance, designed for classical software and hardware, is adequate for use in quantum cloud environments. CISOs will need to develop plans for communicating with and briefing stakeholders so that they, too, can expect and ease the internal transformation ahead. CISOs will need to work with technical and ethics experts to extend AI ethics policies to cover the new challenges of quantum computing.

One example is the sheer number-crunching power of quantum computing, especially when it comes to matching huge datasets against each other in parallel. This has many uses and especially benefits fraud detection, allowing an organization to compare for anomalies in real-time, thereby preventing loss of money and repute. Another is compliance monitoring, e.g., matching complicated regulatory regimens against compliance management and maintaining and minimizing violations.

While QC could spell the death of classical encryption, it could also be used to create far more secure encryption algorithms. Security leaders could study quantum-ready encryption and strengthen data security and privacy, especially in cases where leaked data can have significant financial or ethical consequences, such as in the healthcare or finance industries. We can, for instance, get ahead of Quantum threats. 

The ability of QC to rapidly simulate many factors simultaneously can be instrumental in developing resilient contingency planning. Testing risk variables simultaneously enables an organization to understand what risk scenarios it faces, giving it time to plan mitigation based on those effective strategies. This risk hedging would allow organizations to respond with much more sophistication to emerging threats.

Next, CISOs must be mindful of the effect that quantum computers can have on the public key infrastructure (PKI) that secures myriad common web interactions. Malicious actors could steal a database of sensitive information today and then wait until quantum computers reach a stage where they can easily break today’s encryption technologies. This ‘collect now, decrypt later’ technique means the time to transition to quantum-safe cryptography is now, irrespective of the fact that fault-tolerant quantum computers could be many years later.

Additionally, the danger of a state-sponsored attacker using quantum computing technology to carry out cyber-warfare and espionage activities is not to be ignored; quantum-computing-based systems might, for instance, be used by nations investing in such systems to ‘turn’ internet hackers and pose a threat to their national and organizational security. To combat such quantum-computing cybersecurity threats, new cryptography standards and quantum-safe cryptographic solutions, where these have been established, must be developed and implemented.

We can summarize the risks associated with QC as follows;

1. Breaking Current Cryptographic Protocols: Among the most pressing concerns of CISOs is that a quantum computer could render useless a variety of common and widely employed cryptographic protocols ( algorithms such as RSA, ECC, or DSA, the basic wire protocols of the modern internet, are thus at risk to a quantum attack). Factoring large integers is possible in general but extensively harder for humans than small integers: it is the most computationally challenging aspect of attempting to cryptanalytically break RSA encryption, for example. However, Shor’s algorithm can efficiently accomplish integer factoring on a quantum computer exponentially faster than the best classical algorithm.

The timescale is less clear-cut. Experts predict that practical quantum computers could offer to convincingly break today’s encryption schemes in the space of the next decade or so. If media reports are to be believed, we are nearing that point of no return. For CISOs, the challenge is to keep track of developments in the quantum world to anticipate these threats’ emergence and prepare for them when they do. 

2. Data Harvesting: While we might not have quantum computers yet that can crack encryption, the ‘harvest now, decrypt later’ problem is real: adversaries could gather encrypted data now, with the intent of decrypting it later, once quantum computing can be staffed and scaled up. Data that has long-term value – including personal information, intellectual property, and state secrets – are especially promising targets for adversaries, causing CISOs to consider the longevity of their data and the sensitivity of the data they are protecting. We have many of the tools we need to protect these data stores.
3. Supply Chain Vulnerabilities: Quantum technology can easily introduce risks. Quantum components and software could come from multiple supply chains, from different providers using different security standards. Securing the supply chain is particularly challenging for quantum technology products. CISOs must introduce rigorous vendor vetting and demand stringent security guarantees from suppliers.
4. Encryption Cliff: By mimicking the principles of quantum physics, a quantum computer could break most encryption algorithms that provide security around financial transactions, emails, credit card payments, voice conversations, and other sensitive data exchanged daily. This threat, sometimes called the ‘encryption cliff,’ gives quantic even more urgency: CISOs should look for post-quantum cryptographic solutions to protect their data or risk its breach. In the coming months, companies that want to protect sensitive information must shift from classical encryption using techniques such as RSA and ECC – cornerstones of modern data security – to quantum-resistant encryption protocols. With fewer traditional options to secure information, CISOs must understand more about quantum-safe cryptography to keep their organization’s data safe from the encroaching quantum menace.
5. Complexity and Novelty Risks: The complexity and novelty risks became prominent with the advent of quantum computing. With quantum technology based on different principles and new operational paradigms compared with classical computing, bringing an order of magnitude different capabilities than classical computing, a steep learning curve and considerable investment in new competencies are required. The complexity effects radiate through to third-party risk management as well: many policies covering third-party risk management must be updated to include the requirement for quantum components in the supply chain. In addition, with the growing interface between quantum computing and artificial intelligence, CISOs have to review their policies on AI ethics and how quantum-enhanced AI systems may be ethically acceptable or not. The quantumness of quantum computing then requires lifelong learning, constant policy updates, and proactive evolution.
6. PKI Vulnerability: The remaining PSI of thinkers, especially those responsible for network-based security, is that the fundamental infrastructure underpinning nearly all modern online communications is perilously exposed to the impending threat of quantum computing. The bane of formidable adversaries in a war without end, public key infrastructure (or PKI) is a system of digital certificates and encrypted keys that essentially authenticate every secure interaction over the web. Committed to encryption algorithms that quantum computers can readily break,” researchers warn, the essential foundation of PKI is the key that safeguards every one of our digital identities while ensuring the integrity and confidentiality of our web transactions and communications. In other words, that root key is highly vulnerable in an environment dominated by quantum computing. Unfortunately, though some partial quantum-resistant solutions may exist for customers, vendors, and service providers, there are no genuine measures to ensure digital trust in the Q era. That’s on you CISOs! By now, you should be feverishly hunting for the candles that can light up the path forward, swiftly developing and implementing quantum-safe cryptographic algorithms into your PKI.
7. State-Sponsored Attacks: With many nations’ steady investment in quantum computing, the looming possibility for state-sponsored attacks emerges. Nations with early quantum pre-eminence may leverage these systems via cyber-warfare and espionage. This, in turn, makes critical infrastructure, governmental organizations, and private enterprises extremely vulnerable to breaches. It risks undermining national security, economic stability, and intellectual property. CISOs should begin considering the quantum geopolitical landscape to develop defensive postures and threat intelligence strategies adeptly withstanding state-sponsored quantum cyber attacks. CISOs must be more involved in international cyber cooperation and invest in vigorous threat intelligence to counter state-sponsored quantum attacks.

The quantum computing challenge also includes unprecedented opportunities for cybersecurity. Although real and demanding, the quantum computing risks – encryption cliff risk, complexity and novelty risk, PKI vulnerability, and state-sponsored risk – can spur an era of research and innovation, including forward-looking security planning. By learning and adjusting to the natural dual nature of quantum computing, CISOs can prepare themselves to capture the disruptive synergy of QC and gain ground against malicious actors. This thinking and action will help CISOs create lasting and resilient quantum-safe security practices and enhance their organization’s standing in the future threat landscape.