Quantum computing timelines have sped up recently due to advances from several different entities. This acceleration is driven by breakthroughs in quantum error correction, logical qubit scaling and improved fault-tolerant architectures.
Google and Caltech are the latest entities to publish timeframes for becoming post-quantum ready, the state in which records encrypted with vulnerable public-key algorithms have been migrated to quantum-resilient algorithms. Caltech stated that the timeline could be as soon as 2030, finding that far fewer qubits are needed than previous studies had indicated if the error-correction architecture is adjusted, including advances in surface code implementations and reduced physical-to-logical qubit ratios, which bring the required machine down to 10-20 thousand qubits. Meanwhile, Google’s blog post stated that it was prioritizing quantum-readiness of its authentication service encryption by 2029 and encouraged other teams to follow suit.
These two timeframes are roughly 5-6 years ahead of previous deadlines from the European Union strategy, which called for encryption services to be post-quantum migrated before 2035, largely because of the growing threat of “harvest now, decrypt later” attacks targeting sensitive long-lived data. Many in technology may feel this is just the sky continuing to fall, as in Chicken Little, but organizations should make a practical assessment of where they are in their post-quantum journey, including a cryptographic asset inventory and an evaluation of crypto-agility maturity, and decide whether they are comfortable with their progress against this latest update on the speed to post-quantum. Your board is likely already asking your executives quantum risk questions. Answering them confidently will reassure leadership that you have things in order, particularly around data confidentiality lifespan, third-party encryption dependencies and readiness for cryptographic transition.
According to last year’s Quantum Computing Pulse Poll conducted by ISACA, 55% of organizations had not started working on their quantum computing roadmap, highlighting a significant gap in proactive quantum risk preparedness. Of those that had started working toward the post-quantum computing world, 46% were focused more on regulatory compliance impacts, while just 38% were working on quantum-safe cryptography. This could indicate that a skills gap exists within your technology teams on cryptographic sciences, or that you do not have the capacity in house to address this risk vector, particularly in areas such as lattice-based cryptography, key management modernization and crypto-agility design. Adequate resources should be devoted to developing this area of your team if you are doing this work in-house, but outsourcing is also an option, as each risk posture and organization is different.
Hopefully this year brings new vigor to the topic and appreciation of the need to start working on this pending change. While we must not overlook the impacts and juggling that the AI surge has created within information security, we must remain vigilant in managing the severe risk that broken encryption of widely used algorithms such as RSA and ECC will pose to existing enterprises, especially as organizations begin integrating quantum risk into enterprise risk management frameworks.
A good resource to consider when you get started is found in volume 1 of the ISACA Journal, where a jointly authored article explores key strategies to successfully address the pending impacts of quantum computing on your organization. If nothing else, a risk assessment of the impacts of quantum on your organization is essential to understand the risk posed by quantum computing given the updates to the timelines based on this new research. Educate your workforce on the risk to your organization with a focus on proper data governance, prioritized lines of effort and a plan to migrate encryption to quantum-resilient algorithms. This should kick-start your team in addressing this looming risk scenario, now predicted sooner than expected. Finally, keep monitoring NIST PQC standardization progress and vendor readiness.
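The cryptographic asset inventory and risk assessment called for above can be made concrete with a small triage routine. The following is an added example, not code from the original article or from ISACA: it takes a constructed inventory (the asset names, shelf lives and migration estimates are illustrative assumptions) and classifies each RSA/ECC-protected asset against the 2029, 2030 and 2035 horizons quoted on the page, separating "harvest now, decrypt later" exposure (data that outlives the horizon and can be recorded today) from a plain missed migration deadline.

```python
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm (the page names RSA and ECC). Symmetric
# ciphers and hashes are out of scope for this check.
QUANTUM_VULNERABLE = {"RSA", "ECC", "ECDSA", "ECDH", "DH", "DSA"}
# Planning horizons quoted on the page: Google 2029, Caltech 2030, EU strategy 2035.
HORIZONS = {"google": 2029, "caltech": 2030, "eu": 2035}

@dataclass(frozen=True)
class CryptoAsset:
    name: str
    algorithm: str            # public-key family currently protecting the asset
    shelf_life_years: int     # how long the protected data must stay confidential
    migration_years: int      # estimated time to move this asset to a PQC algorithm
    capturable: bool          # ciphertext observable by a third party (e.g. on the wire)

def triage(asset: CryptoAsset, horizon_year: int, current_year: int = 2025) -> str:
    """Classify one asset against a quantum horizon (shelf life + migration time check)."""
    if asset.algorithm.upper() not in QUANTUM_VULNERABLE:
        return "NOT_QUANTUM_VULNERABLE"
    years_left = horizon_year - current_year
    if asset.migration_years > years_left:
        return "MIGRATION_DEADLINE_MISSED"   # still on RSA/ECC when the horizon arrives
    # The last ciphertext produced before migration finishes must stay secret for shelf_life
    # more years; if that outlives the horizon and an adversary can record it, it is HNDL risk.
    if asset.capturable and asset.migration_years + asset.shelf_life_years > years_left:
        return "HARVEST_NOW_DECRYPT_LATER"
    return "ON_TRACK"

SEVERITY = ["HARVEST_NOW_DECRYPT_LATER", "MIGRATION_DEADLINE_MISSED", "ON_TRACK", "NOT_QUANTUM_VULNERABLE"]

def inventory_report(assets, horizon_year: int, current_year: int = 2025):
    """Return (asset name, status) pairs for one horizon, highest severity first."""
    rows = [(a.name, triage(a, horizon_year, current_year)) for a in assets]
    return sorted(rows, key=lambda r: (SEVERITY.index(r[1]), r[0]))

# Constructed sample inventory (illustrative values, not real systems).
SAMPLE_INVENTORY = [
    CryptoAsset("hr-records-archive", "RSA", shelf_life_years=25, migration_years=3, capturable=True),
    CryptoAsset("partner-tls-api", "ECDH", shelf_life_years=2, migration_years=1, capturable=True),
    CryptoAsset("sso-auth-signing", "ECDSA", shelf_life_years=0, migration_years=6, capturable=False),
    CryptoAsset("backup-encryption", "AES-256", shelf_life_years=30, migration_years=0, capturable=True),
]

if __name__ == "__main__":
    for horizon, year in HORIZONS.items():
        print(f"--- horizon {horizon} ({year}) ---")
        for name, status in inventory_report(SAMPLE_INVENTORY, year):
            print(f"{status:28} {name}")
```

Note that the signing asset is only a deadline problem (nothing recorded today becomes forgeable retroactively), while the long-lived archive is already a harvest-now, decrypt-later exposure under every horizon on the page.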