Are we prepared for quantum-based security?

The federal government may be underestimating the effort required to prepare for the threats posed by quantum computing.

The good news is there is still time to reduce those threats, said Duncan Jones, head of cybersecurity at Cambridge Quantum Computing. “Quantum is a two-sided coin, and on the positive side, we have quantum technology emerging now that can better protect U.S. interests against sophisticated cyberattacks -- and we can use quantum today to generate stronger cryptographic keys, for example,” he said.

Quantum computers differ from classical ones in that the latter use bits of data – zeros and ones – while the former uses quantum bits, or qubits, which can take a range of values. As a result, quantum computers can accelerate problem-solving, including breaking today’s cryptographic codes, which are essentially mathematical operations.

“Imagine someone gave you an open padlock. You can go attach that to anything you wanted to and shut it. Then you’ve got a problem because you can’t open the padlock unless someone gives you the key,” Jones said. “That’s the kind of problem that we rely on in cryptography…. The challenge that quantum brings is that those mathematical problems that we’ve settled on as our commonly used ones are actually quite solvable in a quantum computer in the future.”

In fact, a survey by the company found that of 104 U.S. federal government respondents, 76% believe new technologies, such as quantum, will break standard encryption, and 57% expect it to happen in the next two years.

What’s more, 74% of respondents said they worry that a quantum-enabled cyberattack will happen without warning. Quantum computers are not yet powerful enough to break encryption, but those are the computers in development at companies that are open about their progress. What’s happening behind closed doors or in unfriendly nation-states is a concern, Jones said.

Additionally, quantum attacks could work retrospectively, he added. For instance, a hacker could access and store sensitive data today, saving until quantum computers are sophisticated enough to decrypt it.

Sixty-four percent of respondents said they don’t think they are ready to defend against these types of attacks, but it is possible to do so, Jones said, by making cryptographic keys unpredictable. One way to do that is to move away from using the mathematical basis of today’s encryption schemes and toward a new one that neither classical nor quantum machines can break. The National Institute of Standards and Technology is leading this effort with the Post Quantum Cryptography standardization process.

“The NIST process will help ensure that these algorithms become standardized in [Federal Information Processing Standards] publications and are ready for consumption by federal authorities,” Jones said.

The catch is that about a third of survey respondents are not aware of this work by NIST, and 32.7% have taken no action to prepare for quantum-enabled attacks. Still, almost 90% said they expect they’ll be ready to defend against them within two years.

“I worry this indicates a lack of understanding of the effort involved,” Jones said. “They need to start addressing the threat as soon as possible. It’s a big task and leaving it longer is just putting more federal data at risk.”

The standardization process for quantum also must move faster, he said. Last month, NIST and the United Kingdom’s National Physical Laboratory signed a statement of intent to collaborate on quantum technologies, but “at the moment the advice from the U.S. government -- and to some extent the U.K. government as well -- is to wait a minute…. I’m not convinced that’s great advice,” Jones said.

While standards are being hashed out, agencies can start identifying where and how they use cryptography to protect their highest-value assets and exploring new technologies to get quantum-resistant production use cases up and running.

Several agencies are studying quantum. The White House Office of Science and Technology Policy announced in late 2020 the launch of Quantum.gov, the official website of the National Quantum Coordination Office, and released the “Quantum Frontiers Report,” listing areas for research. NASA has a Quantum Artificial Intelligence Laboratory. In August, the Energy Department issued a request for information asking for access to quantum systems after Congress asked the department “to develop a roadmap to provide researchers access to quantum systems so as to enhance the U.S. quantum research enterprise, stimulate the fledgling U.S. quantum computing industry, educate the future quantum computing workforce, and accelerate advancement of quantum computer capabilities.”

Over the summer, Axiom Space, which is building a commercial successor to the International Space Station, used Cambridge Quantum’s Quantum Origin to communicate with ISS. The solution is a key-generation platform based on verifiable quantum entropy, meaning it uses quantum mechanics to generate cryptographic keys seeded with verifiable quantum randomness from Quantinuum’s H-Series quantum computers, powered by Honeywell.

“Quantum is going to have an unbelievable impact on the world. I don’t think people quite grasp how large it is,” Jones said.

Stephanie Kanowitz is a freelance writer based in northern Virginia.