Why quantum computing is a board level security risk

In recent years, there has been an undisputed increase in enterprise data breaches across the globe. At first, this was only a concern for IT, CISO’s and CIO’s. However, with growing fiduciary responsibility, cybersecurity is gaining attention at board-level decisions. This is an important shift, as the emerging quantum threat will require organizations to carefully review their long-term data protection requirements to ensure compliance in the quantum age.

Organizations have a legal responsibility to protect customer data

For decades now, organizations have been collecting data; combing through our search results, social media posts, and online transactions to gain strategic insights into their customers. And this effort wasn’t in vain; organizations have learned how to personalize our customer experience, target advertisements, and even help mitigate cyber fraud. The uses of customer information are so vast that even after all these years of collection new avenues to utilize big data are still being discovered. The fact is, data is a powerful tool. However, with this power comes great responsibility, or at least certain stipulations.

As customers, we constantly make decisions around how we share our personal information, often trying to create a balance between security and convenience.  When we choose to make private information such as credit cards, emails, patient records or contact information available to our service providers, we also implicitly trust that there will be a high standard of protection afforded this data.  This expectation goes beyond the ethical duty companies have towards their customers and crosses into compliance at a legislative level. Whether it is adhering to the General Data Protection Regulation in Europe or specific requirements such as the Health and Information Protection Act of Ontario, enterprises are legally responsible to maintain personal data to protect their customer’s identity and information.

How does quantum information science threaten to compromise an organization’s ability to protect sensitive information?

Within a decade, experts predict that a large-scale quantum computer will be developed. With its particular computing abilities, quantum computers will have the capacity to solve some of today’s hardest problems, including the underlying problems that form the basis for public key cryptography. This is a concern as public key cryptography provides the very foundation of trust required to protect all our online data and digital transactions. In a very real sense, this has a direct effect on an organization’s ability to comply to long-term data requirements and regulations.

Today, some adversaries have the ability to intercept and store – harvest – information for later decryption using a quantum computer. That means data encrypted today could be decrypted within a decade. All variables considered, if your organization has long-term data protection requirements than a “harvest and decrypt later” attack may have already compromised your security objectives. This is critically important for organizations such as governments, financial institutions, and health care industries, who’s long-term data protection requirements can range from 10+ years to the life of a patient. With the quantum threat undermining their security objectives, organizations can be opening themselves up to liability or other damaging business outcomes resulting from a catastrophic data breach.

Organizations have an obligation to prepare for emerging threats

Security leaders are required to take reasonable action to secure against known potential breaches and to continually be aware of new and emerging threats that pose a risk to their business. We already see the quantum threat being recognized by academia and standards bodies, such as NIST and ETSI, so there may already be obligations to shareholders and customers for organizations to prepare for this threat. With growing cybersecurity regulations, failing to secure against a potential breach can open an organization up to class-action litigations due to negligence. Organizations need to begin preparing for the quantum threat so that they can react quickly and cost efficiently to the responsibilities set by standards and legislative bodies.

A quantum-safe migration is an enterprise-wide project

To become quantum-safe, all devices will need to eventually migrate to quantum-safe cryptography. This is a massive project. Due to its scale, one department will not be able to mitigate the risk across an entire organization. Instead, it’s best tackled through a collaborative effort amongst the whole organization.

To start, security leaders can begin identifying high-risk systems and networks within their organization that have critical dependencies on public key cryptography. This is not a trivial task for CIO’s and CISO’s. Public key cryptography is so ubiquitous that pinpointing exactly where it’s used and how could prove very difficult. Once the exposure has been quantified and brought to the attention of the board, steps can be taken as an organization to incorporate quantum-safe cryptography and crypto agility into the overall cybersecurity objectives of the enterprise.

What organizations need to do to mitigate their risk

As suggested by NIST, organizations need to establish procurement policies on an enterprise-wide scale that mandate crypto agility – the ability to rapidly switch cryptographic algorithms for newer/safer ones. By including crypto agility into your networks, system upgrades can be future-proofed against the quantum threat. CIO’s will be able to react quickly to standards, securing customer’s identities and protecting the organization from liability.

However, the first step begins with setting expectations among the entire organization to achieve quantum-safe security before public key cryptography is broken.