Quantum computing cyber risks

Ian West at KPMG reflects on the key takeaways from the latest ‘Future of TMT’ event

Just a few years ago, quantum computing felt like something of a fantasy, a dream that belonged to the distant future. But how quickly things move on. Now, quantum is much nearer than many people think. It may only be 5-10 years before its use is quite widespread. Already, there are viable quantum technologies available on the market and some big tech players have formed a deep understanding of the topic. And in the TMT sector and elsewhere, those at the front of the pack are setting up specialist units to make an assessment of the opportunities – and the threats.

It’s important to recognise both sides of the equation. Without doubt, quantum computing will open up whole new possibilities. But it also brings risks, especially around cyber. Put a powerful quantum computing capability into the hands of a bad actor and their ability to crack codes and break into systems will be exponentially increased.

It was therefore fascinating and timely to hold a panel discussion event recently with some highly knowledgeable participants. I was joined by Michele Mosca, CEO of evolutionQ, a specialist in quantum-safe cyber security; Dr Daniel Shiu, Chief Cryptographer at ArQit, that specialises in quantum encryption technology; and Vincent Van Wingerden, Technical Architect at Azure Quantum at Microsoft. 

A quantum of positive opportunities

Firstly, to the positives. Quantum computing will enable us to calculate things that we just can’t calculate right now. It could have huge and positive benefits in areas like science and medicine. It could also be a powerful tool across business sectors. In TMT, for example, it could help telco businesses with the planning of the complex movements of their fleets of field engineers, instantly recalculating and re-planning when any disruptions or unexpected events occur. Anything relating to data, probabilities, permutations, forecasts, models, logistics – quantum will potentially change the game.

Ultimately, when quantum computers are used everywhere it will also lead to better security as Vincent Van Wingerden observed when he said: “Theoretically, quantum computers will allow us to send signals that are completely safe.”

The quantum cyber threat

The challenge, though, is getting there. Because many of the forms of communication and security we use now – commonly based on public key encryption (asymmetric cryptography) – will be wide open to quantum capabilities.

As Michele Mosca said: “Cryptography is a foundational piece in today’s digital infrastructures and security. Not all cryptography will be vulnerable to quantum computing, but many current forms will. Public key encryption could be decimated by it. Past communications, for example, such as those via video calls or through VPNs that have been recorded and stored could be hacked into through quantum. That ship has sailed.”

A problem for today, not the future

This is a ‘now’ problem not an issue for the future – because much of the technology currently being deployed by businesses will still be in use in 15-20 years’ time. That’s why thinking about quantum and quantum-readiness needs to start today.

However, in a snap poll that we carried out at the event, 45 percent of attendees said the quantum threat was not on their business’ radar at all; 30 percent have only had early discussions; and just 25 percent have engaged with experts to protect the business.

Getting to grips with quantum now makes sense on many levels. No one wants to be left behind in something that could ultimately revolutionise their industry. And it makes financial sense too. It is not expensive to invest in quantum, because you don’t need to buy any hardware or software – it’s all in the cloud. The cost is the people resource you put onto it. It’s worth remembering that it’s cheap to get started now, but expensive to catch up later.

Quantum Risk Assessment

So where should you start? A good place is with a quantum risk assessment. It’s an area that we’re starting to work with growing numbers of TMT clients on – identifying risk points, establishing a roadmap to address them and thinking about the lifecycle management that will be needed.

One of the most common problems, as Daniel Shiu pointed out, is that businesses frequently don’t know where they are using public key encryption: “Public key encryption presents a massive attack surface via quantum. Businesses don’t know how vulnerable they are because they don’t actually know where public key encryption is being used across their enterprise.”

Building back better

If all of this sounds quite scary, the more reassuring point is that solutions are being developed. As Daniel Shiu observed, the advent of quantum is in fact creating (through necessity) an opportunity to rethink and revisit the assumptions the internet was created on way back in the 1990s. Or, as Michele Mosca put it: “There’s a chance to ‘build back better’ - though it will take some years.”

As Vincent Van Wingerden said: “Different types of encryption are being developed to mitigate against quantum risks and some of these are quite well-advanced. There are some methods already that we believe will be resilient. New types of cryptography will eventually replace the old.”

There was some variation in opinion on how far things have come. But there was certainly an overall consensus that solutions can be found, through techniques such as hash chains, symmetric cryptography, quantum key distribution and hybrid key agreements.

There is certainly a need for solutions. We could possibly expect to see some well-funded nation states introducing quantum techniques into their attack methods within the coming years.

Taking action now

That’s why it’s critical to take action. It’s OK not to be ready right now, but it’s not OK not to be doing anything. Create a team in charge of quantum readiness – and make that their core role, rather than a side-of-desk add-on. Give them senior support and backing. Make it part of lifecycle management and be prepared to be asked by the Board about it – they’ll put the question sooner or later.

Another risk to bear in mind: as quantum grows, we can expect a significant skills crunch. People with the requisite quantum knowledge – both on the opportunity and cyber risk side – will be in huge demand. I hope the government helps push the agenda to build quantum skills in the UK. With such game-changing technology, we’ll need them!

Original blog can be found here.