Steps You Should Be Taking Now To Keep Your Business Quantum-Safe
While the progress of quantum computers brings opportunities, they could also pose a threat to today’s encryption standards.
Just this year, scientists at IBM and the University of California, Berkeley achieved “quantum utility,” a point at which we believe that quantum computers could serve as scientific tools to explore a new scale of problems that classical systems may never be able to solve. And many industries and governments — including India’s — have announced commitments, investments, and roadmaps for how and when they will adopt quantum computing.
While the prospect of future breakthroughs in materials science, healthcare and finance are exciting, we must also take into account the classical data and systems that could be at risk when quantum computing reaches cryptographic relevance.
Aligned with these developments, several countries like the U.S. have already made strides in developing standards and a national policy for quantum-safe algorithms, and infrastructure migration. While we have the National Quantum Mission in India, we are yet to develop and articulate a national policy to deal with future quantum threats.
Why Should Your Business Be Quantum-Safe?
Shor’s algorithm, developed in 1994 by MIT professor Dr. Peter Shor, demonstrated, mathematically, how a quantum computer could break the widely adopted factorisation and discrete log-based encryption algorithms like RSA, ECDH and ECDSA. Thirty years ago, quantum computers of any kind were still theoretical. Now, with the real possibility of cryptographically relevant quantum computers being developed over the next decade or so, organisations must take “harvest now, decrypt later” attacks seriously, now. These attacks describe when a bad actor collects encrypted, sensitive data — from bank records to healthcare data — with the aim of later decryption given the opportunity to access such future quantum computers.
In 2022, the National Institute of Standards and Technology, a division of the U.S. Department of Commerce, after a multi-year, multi-round evaluation of a diverse set of algorithms for quantum-safe encryption, selected four algorithms — three of which were developed by IBM cryptography researchers — as the basis for standardising quantum-safe encryption in 2024. A number of countries, in addition to the U.S., are already preparing to adopt these standards.
Some industries have also begun planning for the switch to quantum-safe protocols. Telecommunications industry organisation GSMA formed a Post-Quantum Telco Network Taskforce with the aim to help define policy, regulations and operator business processes to protect telcos from future quantum threats.
While there’s a lot of chatter about businesses being urged to “go quantum-safe,” for a typical company, those words may raise more questions than answers. That’s why IBM developed a quantum-safe roadmap to help organisations plan and execute their quantum-safe migration in three stages: Discover. Observe. Transform.
How To “Discover” Your Current Cryptography
The needs of quantum-safe migration vary across organisations depending on the nature of their business, IT and application infrastructure, and partner ecosystem. For example, for software and services vendors, adopting quantum-safe protocols will be necessary in order to continue selling products and services. For healthcare providers, it is about mitigating the risk of a patient data breach.
But the first and most important step now is to understand where and how current algorithms are used and begin to catalogue cryptographic artefacts, producing a knowledge base that is recorded in a Cryptography Bill of Materials. Think of a CBOM as an extension of the well-known Software Bill of Materials concept from software supply chains, which allows systems and software to be described using a standardised list of components, libraries and dependencies.
How To “Observe” Your Organisation’s Cryptography
The second step is for organisations to analyse their cryptographic state of compliance and determine their biggest risks. Using the information gathered in the CBOM, organisations can begin to formulate a plan to transition to quantum-resistant cryptography, prioritising the biggest risks and vulnerabilities.
How To “Transform” Your Cryptography
The final step in the journey to quantum-safe security is the transformation of cryptographic infrastructure to incorporate quantum-resistant cryptography. Using the plan developed in the previous step, organisations should begin by transitioning their most at-risk and critical data first. Some estimates suggest that the transition to quantum-resistant cryptography could take 6–8 years, so the important thing is that organisations begin soon.
We don’t know when a cryptographically relevant quantum computer will be developed, but with quantum computing advancing rapidly over the last several years, it could be just around the corner. However long it may take, quantum-safe cryptography that protects against this future is here today, along with tools and technologies to streamline the transition. Starting this journey now will ensure organisations are protected from current and future threats related to cryptographically relevant quantum computers.
It is imperative for India’s technology ecosystem from academia, technology developers, service providers, enterprises and policy bodies to come together and help the nation to establish a coherent quantum-safe strategy as part of national cybersecurity strategy to deal with the future quantum threat to the modern digital economy.
Dr Amith Singhee is director, IBM Research India and CTO, IBM India South Asia. Vinayaka Pandit is senior manager, security, IBM Research India.
The views expressed here are those of the author and do not necessarily represent the views of BQ Prime or its editorial team.
