We have an urgency problem when it comes to quantum computing that is rivaling even the underlying technology challenge.
As a society, we often are surprised at how fast major innovation moves. A tipping point arrives, and in many cases – as we’ve seen recently with generative artificial intelligence – we dramatically underestimate the impact. In the case of quantum computing, that underestimation could have dire consequences for our organizations.
Now is the time to ring the alarm bell, as underscored by ISACA’s new Quantum Computing Pulse Poll. The majority of respondents (62 percent) are worried that quantum computing will break today’s internet encryption but 55 percent say their enterprises have not taken steps to prepare for it, even though 52 percent think it will change the skills that businesses need and nearly half (46 percent) say it will create revolutionary innovations. Importantly, the “harvest now, decrypt later” attack methodology is another significant risk, centering on the idea that if attackers collect encrypted data now, they can hold onto it, and eventually might have a large enough quantum computer in the future through which the data could be decrypted.
NIST standards show the way
For a while, the security community was in a holding pattern, awaiting definitive guidance on how to proceed, but that no longer is an excuse for inaction. In 2024, the US Department of Commerce’s National Institute of Standards and Technology (NIST) finalized a set of post-quantum cryptographic (PQC) standards designed to withstand cyberattacks from a quantum computer – a major and much-anticipated milestone. Now that the algorithms are out, we can take action using approved standards – yet as the poll showed we’re mostly not, with some exceptions, such as quantum encryption built into Chrome-based browsers.
There is much work to be done to prepare for what is often referred to as “Q-Day,” the unknown date when quantum computers will be able to crack current internet encryption, and it needs to happen quickly. Organizations should work now to re-encrypt their data. If they don’t have the infrastructure to do that or have not properly inventoried which data needs to be encrypted, that is a major problem. Another pressing challenge is upgrading IoT devices, which are harder to transition to post-quantum cryptographic algorithms. This can leave IoT systems that manage oursensors, cameras, factory devices, devices used by utility enterprises and more, in peril.
We also need to implement browsers and websites that support new NIST-approved algorithms for post-quantum cryptography. There are Federal Information Processing Standard (FIPS) standards available for both digital signatures and encryption that will implement cryptography that quantum computers will not break. We’re in a race to implement that across our browsers and websites and switch over to safe, post-quantum cryptography before quantum computers can break them. Unlike the buildup to Y2K, we don’t know the exact date we need to beat, but it is a race nonetheless.
The current technological issue that designers of quantum computers need to solve is not just scaling the size of the quantum computer but also improving the error rate. Today the error rate is so high that we are still several years off from building a powerful enough quantum computer to break today’s encryption. The quantum computing industry is seeking a breakthrough to solve this error rate problem.
No magic switch to flip
Open source code and many vendors who provide encryption support the new standards, so it’s not like organizations have to write code themselves that meet the encryption standards. We have the tools available, but many companies have not yet started to assess what data needs to be re-encrypted and how they should go about it.
That is especially problematic because this is not a situation in which organizations are just going to flip a switch and everything will be done, so they’ll have to approach the transition by criticality. To start heading down a constructive path, here are a few questions for audit, risk and security professionals to ask their organizations and their audit subjects:
- Where do we use encryption, and can we switch those applications to the new NIST PQC standards?
- How can we re-encrypt previously encrypted data the new way?
- Where do we use digital signatures, and how are we going to switch over to NIST-approved PQC digital signatures standards?
The ISACA community should take the lead on quantum preparedness
The ISACA poll shows that only 5 percent of respondents consider addressing quantum threats a high business priority for the near future, underscoring the urgency that is lacking across the security community. When the topic of quantum computing comes up, I sometimes hear people say experts don’t think quantum computers will be able to crack today’s encryption for a long time, but this overlooks the “harvest now, decrypt later” problem, which creates urgency to act now. And what if some of the prognosticators are wrong and instead of, say, in 10-15 years, quantum computers break modern encryption in four or five years? Timelines can compress rapidly and unexpectedly when technological break throughs occur. Since the work has to be done eventually anyway, why wait so that there is more sensitive data to worry about being stolen?
If we don’t move now to start solving issues like re-encrypting our data, switching to new digital signatures and moving our systems over to new algorithms, we are creating problems that will become increasingly difficult to address.
Cybersecurity professionals, IT auditors and other members of the ISACA community should be at the forefront of understanding these risks. We are past the wait-and-see point. The sooner we can get the clock working in our favor, the better our chances of avoiding a quantum calamity.
