With quantum computers likely to be cracking today’s data encryption within a few years, experts have urged all businesses to protect their ICT equipment with new post-quantum cryptography (PQC) standards, but many ANZ security executives, it seems, are still blasé about the risks.

While 62 per cent of respondents to security industry body ISACA’s recent Quantum Pulse Poll conceded that cryptographically relevant quantum computers (CRQCs) could soon break current encryption, just 5 per cent said preventing this is a high priority in their organisation.

That survey, which involved 2,600 security and risk management professionals worldwide, also found that just 5 per cent have a defined quantum strategy in place, leaving most companies vulnerable to attacks that could soon expose all of their secure data and systems.

ANZ respondents were more concerned than overseas peers about the risks – which threaten RSA and the other encryption algorithms that for decades have protected everything from emails, e-commerce and Internet banking to power stations, government secrets, and cloud computing.

Fully 77 per cent of Oceania respondents said quantum computing will “increase or shift cybersecurity risks”, with 68 per cent agreeing that it will create new business risks and 62 per cent convinced that it will create new regulatory and compliance challenges.

That’s well above the 63 per cent, 57 per cent and 50 per cent figures for global respondents, respectively – a win for an Australian business culture that is particularly well versed in corporate governance theory – but the fact that so few companies are doing anything about it is a concern.

Quantum decryption “is definitely on the horizon, and it’s going to fundamentally shift computational power,” ISACA board director Jamie Norton told Information Age, because CRQCs’ power “will be an order of magnitude greater – and that is going to change a lot of things.”

No longer a theoretical threat

Scientists and tech giants have talked about quantum computers in wistful tones for so long that many people still dismiss them as futuristic fantasy, with a long-running industry joke saying that quantum computers have been five years away every year for the past two decades.

Recent advancements, however, have pushed the state of the art forward so quickly that security experts are no longer laughing.

With workable quantum computers now installed in New York, South Korea, Poland, Finland and even Perth, Australian organisations like Quantum Brilliance, QuintessenceLabs and PsiQuantum are joining the likes of Google and Microsoft in the race to build reliable, large-scale CRQCs.

The immediacy of the threat has experts concerned about so-called HNDL (harvest now, decrypt later) programs – in which cybercriminals are feared to be stockpiling any encrypted data they can find on the assumption that they’ll be able to decrypt it when CRQCs emerge in a few years.

“The sheer computational power of quantum will mean that today’s cryptography will be able to be broken in seconds,” Norton said, “and there’s a treasure trove of data on just about all of us probably sitting there, waiting to be decrypted.”

Such a significant risk should be setting off alarm bells in the heads of any security professional or corporate risk management specialist – but as the ISACA survey has painted in stark relief, there’s a wide gap between knowing something is a threat and doing anything about it.

Fully 30 per cent of respondents admit they really don’t have a good understanding of quantum computing’s capabilities – highlighting the importance of broad education on the evolving threat – and 55 per cent said their businesses have not taken any steps to prepare for quantum computing.

Oceania respondents were, to their credit, slightly ahead of the curve – with 34 per cent saying they don’t plan to address quantum computing now (compared with 41 per cent globally) and 67 per cent concerned about HNDL’s risks, compared with 56 per cent globally.

Concrete steps, not concrete boots

Significantly, the latest ISACA results are the first since the August release of finalised PQC standards, which had been under development by the US National Institute of Standards and Technology (NIST) for nearly a decade and are industry’s best bet to protect data from CRQCs.

The three initial standards – which were complemented by a fourth alternative, called HQC, in March – are being integrated into everything from operating systems to web browsers and proprietary encryption libraries, with nearly all software in use today needing an update.

Anticipating the scope of the challenge, former US President Joe Biden in January ordered government departments to start adopting PQC this year for completion by January 2, 2030 – months before experts are currently forecasting the arrival of Q-Day and its mass decryption.

Yet just 10 per cent of Oceania respondents said they have a strong understanding of the PQC technologies (still ahead of the 7 per cent global figure) and 35 per cent said they had never even heard of the standards (ahead of 44 per cent globally).

With the standards now final and migration specialists ramping up their capabilities, such unawareness and inaction are no longer tenable for businesses – which should push to implement PQC sooner rather than later on the assumption that cybercriminals are already stockpiling data today.

“The key,” Norton said, “is to get educated and start planning [upgrades] of the more critical cryptographic assets within your environment – where it’s not negotiable that things can’t be revealed.”

“You should then work on a plan about how to address that before quantum becomes too much of a reality.”