The US government is bracing for cybersecurity threats to everything from trade secrets to state secrets due to a long-anticipated shift toward smarter, faster computers built around quantum mechanics.
A new US law from late 2022, the Quantum Computing Cybersecurity Preparedness Act, calls on federal agencies to develop strategies to prevent unauthorized access to vulnerable information technology in a future where more powerful devices could breach current defenses. Information protected using today’s methods of encryption will be at risk of exposure with the advance of quantum computing.
“We call it the ‘Y2Q’ moment,” said Denis Mandich, a former US intelligence official who co-founded Qrypt, a company that specializes in post-quantum cryptography. The ‘Y2Q’ moniker refers to a quantum equivalent of Y2K, when ringing in the year 2000 was projected to wreak havoc on computer systems because of a coding issue.
Defense and intelligence agencies so far have led federal efforts to prepare for a potential quantum-driven breakdown in digital defenses that could undermine US national security. The rest of the US government will have to step up efforts to gird for quantum cyber risks too, as will corporate America. Both have been beset by a steady stream of hacks and leaks already testing their ability to keep information safe.
Cryptography involves encoding sensitive communications or data so that only authorized parties can access it. If a hacker steals encrypted information, it’s designed to be unreadable without the right digital key.
State-sponsored hackers and cybercriminal syndicates, however, sometimes collect encrypted information they intend to unlock later as better computers become available, in what’s known as a “steal now, decrypt later” technique.
Quantum computers could pose an “existential threat” for companies in industries that invest heavily in research and development, such as pharmaceuticals or clean energy technology, if their intellectual property is stolen and decrypted by a competitor, Mandich said.
“So much data has already been harvested,” he said.
The government’s reliance on hardware and software vendors means its quantum readiness push is likely to affect the private sector too. The market for federal agencies purchasing cryptography solutions has tripled since fiscal year 2012, peaking at $692 million last fiscal year, according to data from Bloomberg Government.
Researchers have been working on quantum computing for decades. While
It’s expected to take until at least 2030 for the devices to develop into practical applications, with multiple hardware platforms in progress.
“It’s going to take time,” said Ryan Lasmaili, co-founder and CEO of encryption startup Vaultree. The company’s technology allows organizations to analyze and use data without needing to decrypt it first.
Lasmaili said quantum algorithms could be integrated into Vaultree’s tools as they become more available. “We’ve adapted ourselves for that time, if it comes,” he said.
Quantum computers seek to use quantum mechanics to solve mathematical problems that are too difficult for conventional computers. This advancement in problem-solving skills is expected to make it easier for quantum computers to crack the math behind encryption.
“It would compromise cryptography,” said Andrew Childs, a professor in the University of Maryland’s computer science department. “That’s something we can work around” by developing other types of cryptography to resist quantum attacks, he added.
The US Commerce Department’s National Institute of Standards and Technology started a project in 2016 calling on the world’s top cryptographers to develop and vet encryption methods that could resist an attack from a future quantum computer. NIST chose its first set of quantum-resistant encryption tools in July 2022.
The quantum readiness law enacted in December highlights the risks that such computing poses to the US government’s most sensitive data. The Quantum Computing Cybersecurity Preparedness Act requires federal agencies to inventory their vulnerable cryptography systems and develop a plan for countering quantum risks.
“This act recognizes the importance of significant technological change,” said Jayne Ponder, an associate at law firm Covington & Burling LLP who counsels companies on data privacy, cybersecurity, and emerging technologies.
“Quantum computing is coming,” Ponder said. “It’s important for the federal government to get ready.”
The National Security Agency has called on industry vendors to adopt quantum-resilient encryption in products they sell to the government. Companies that are contractors with other parts of the federal government also are likely to follow NIST’s standards.
Even companies that aren’t doing business with the federal government may look to the standards for guidance, Ponder said.
The transition to quantum-resistant encryption technologies is likely to be a “painful process,” Qrypt’s Mandich said.
“We’ll have to endure a lot of cybersecurity risks in the transition time,” he said.