An emerging technology harnesses the laws of quantum mechanics to solve problems too complex for classical computers. Quantum computing is expected to shatter barriers and turbocharge processes, from drug discovery to financial portfolio management. But this revolutionary new approach may also give hackers the ability to crack open just about any kind of digital “safe,” giving them access to trade secrets, sensitive communications and other mission-critical data. Last year, the threat prompted President Joe Biden to sign a national security memorandum, “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” directing federal agencies to migrate vulnerable cryptographic systems to quantum-resistant cryptography. We spoke with some cybersecurity experts to find out what’s ahead.
According to David Bader, a distinguished professor at New Jersey Institute of Technology and a founder of its Institute of Data Science, the quantum hacking threat isn’t so much about getting into systems and extracting data — “cyber hackers are already doing a lot of that with current devices,” he noted. Instead, it will enhance their ability to unlock encrypted data after it’s lifted.
“Right now, when sensitive financial or other information is sent online, the data is typically automatically encrypted, or coded with the RSA [Rivest-Shamir-Adleman] public-private key algorithm,” Bader explained. “Basically, as the data is transmitted, the sender devices will use the recipient’s ‘public key’ – which may be safely shared among multiple parties – to encrypt it using high-level math problems that are pretty opaque to even the fastest conventional computers. The recipient device’s ‘private’ key, which is generally not shared, is then used to decode it, so anyone intercepting the message will only have access to meaningless symbols that could take decades or longer to decode. But a quantum computer may enable a hacker to decrypt it within minutes at the most.”
All of this takes place “under the hood,” without any action on the part of the sender or receiver. For the most part, the data encryption approaches currently used were thought to be safe against all but the most sophisticated nation-state hackers, since it could take typical computers thousands of years, if not more, to crack them. But that’s because traditional computers are generally limited to using bits and bytes, or 0 and 1 symbols, to solve problems.
In contrast, quantum computers – which are still being developed and refined – use multiple probability states to attack a problem, which can result in exponentially faster processing ability. In 2019, for example, Google reported that its quantum processor took just over three minutes to solve a problem that the equivalent “state-of-the-art classical supercomputer would take approximately 10,000 years” to crack.
There is some good news for the “good actors,” noted Bader. “Since 2016, NIST [the federal National Institute of Standards and Technology] has been soliciting encryption algorithms (instructions for solving a problem or performing a computation) that will be resistant to quantum computers. In 2022, NIST announced that four encryption algorithms were selected and will be incorporated in the agency’s post-quantum cryptographic standard, which is expected to be finalized around 2024.”
Once the standard is fully developed, it will likely initially be released to military and intelligence agencies before gradually trickling down for general public and commercial use, he said. “So small- and medium-sized businesses won’t need a Pentagon-sized budget to utilize quantum-resistant e-commerce, email and other digital assets. Instead, their banks and other providers will bake the upgraded encryption standards into their products, similar to e-commerce and other protections they currently embed. Over time, all providers of apps, log-ons and web interfaces will shift to the new algorithms. Of course, the bad actors will continue to innovate, but NJIT and other institutions will continue to research ways to improve cyber defenses.”
The security threat presented by quantum computers is something to be concerned about, “but we don’t need to worry immediately about it,” according to Jaideep Vaidya, a management science and information systems professor at Rutgers Business School–Newark and New Brunswick.
“Cryptography, or taking data and converting it to something that looks like gibberish, underlies all secure communication,” he said. “So everything sensitive we do on the internet, such as sending credit-card information to purchase goods, is protected, as indicated by the ‘https’ [Hypertext Transfer Protocol Secure] that prefaces a web address. We are not quite at the point where quantum computers can crack these encryptions, but it is important to keep government and other computers secure even when large quantum computers pose a threat to RSA and other encryption. However, that won’t happen for at least a few more years.”
NIST plans to have new post-quantum cryptographic standards developed by 2024, he added, “so the main objective then will be to move the existing infrastructure, like browsers and the underlying public-key technology, to the new standard. For the most part, businesses will not need to make major changes, but they should be aware of NIST’s guidance and follow any recommendations about managing their activity once the new standards are issued and deployed.”
The opportunities and challenges of quantum computing are just “one more example of the way that things which were ‘theoretical’ at the turn of this century are already real and available for purchase,” according to Carl Mazzanti, president of eMazzanti Technologies. “Computing power is growing so fast that it forces cybersecurity professionals to keep on changing their own strategies. Consider that a smartphone today is exponentially more powerful than the guidance computer that NASA used for the 1969 Apollo 11 mission.”
The swift changes – and the security challenges that quantum computing is expected to bring – mean that users have to be prepared to modify their behavior, he added. “The useful life of a password is getting shorter and shorter, so the days of ‘set them and forget them’ are over,” he explained. “Now, the thing you forget to change can be your biggest vulnerability.”
Mazzanti suggested a layered defense, “beginning with a stronger password of at least 14 characters. That should be supplemented by commitments to use MFA [multifactor authentication, a secondary identification challenge in addition to entering a password] and to update software by periodically downloading security ‘patches’ from developers and providers.”
He said business owners and others should also consider deploying monitoring solutions, like Security Event and Incident Management systems, which are cybersecurity products and services that provide real-time analysis, monitoring, and alerts. “The MFA of a client malfunctioned, and our SIEM [security information and event management] instantly alerted us, so their password was changed – and another seven characters were added to it – within five minutes, before anything could be compromised. Businesses have information that hackers want, so business owners need to keep up with IT and cybersecurity advances so they can continue to protect their information.”