We probably have as much as a decade before quantum computers pose a threat to the encryption systems that sit at the foundation of contemporary cybersecurity. But we'd better start strengthening that foundation now if we hope to protect it down the road, experts say.
Why it matters: Encryption is critical for economic and national security, protecting trade secrets, communications, and classified information.
The big picture: Quantum computers, which take advantage of the spooky weirdness of quantum mechanics, can solve certain types of complex problems in fewer steps than a traditional microprocessor (or, for that matter, a human). One of those problems is reading data that's been protected by any of several common encryption algorithms.
The catch: Ask most of the rank and file working in cybersecurity, and they'll tell you that quantum computing is more a topic for barroom conversation than an imminent threat.
- For the most part, people who work in cybersecurity are concerned with how people can steal data today or tomorrow.
- Quantum computing, which is still in the early stages of development, could take 10 years to be a real threat to systems — and may never get to that point.
- People in the field have a sense that there's still time before this has to be a front-of-mind concern.
But, but, but: While it could take a decade to develop a quantum system that attackers could use to crack our codes, it could take nearly as long for defenders to migrate from vulnerable algorithms to new systems based on quantum-safe encryption.
- Changing encryption algorithms takes an incredible amount of effort. Brian LaMacchia, who works on post-quantum cryptography at Microsoft, notes that the last time an industry-wide change took place, when Microsoft included the new algorithm in Vista, the 2006 edition of Windows — and the industry still hasn't fully completed that transition.
- Software relies on layers of code dependent on other code, and the more layers there are, the more complex it is to update those systems. There are many more layers stacked on top of encryption than ever before, making this migration the most complicated one yet, LaMacchia said.
- While some encryption algorithms can be made quantum-safe with only minor changes, any software using any type of encryption will need to updated.
The timing: Complicating matters further, while quantum computers may be a decade away, data encrypted today may need to be secret for more than a decade. So while we may not go toe to toe with quantum computers until much later, we need to start using post-quantum encryption now.
- "We still have information about the John F. Kennedy assassination kept classified," said Steve Grobman, CTO of McAfee. "Some secrets have a long shelf life."
- And systems will likely be at risk before we're told they are at risk. "If a government develops quantum computing well in advance of its peers, it will keep it a secret, just like the allies did when they cracked Enigma," said LaMacchia.
Next steps: Lawmakers, including Rep. Will Hurd (R-Texas), are pushing for greater U.S. investment in quantum research.
- "Quantum capabilities will likely define hegemony in this century's increasingly digital, interconnected economy, and the U.S. cannot abdicate our leadership in this crucial field," said Hurd.