Quantum Computing and the Coming Threat to Data Security
An emerging technology and its implications for risk management
Friday, March 29, 2019
By Jeffrey Kutler
Cybersecurity threats are a clear and present danger to businesses, governments and critical infrastructures. The National Institute of Standards and Technology made a significant contribution to managing those risks with the NIST Cybersecurity Framework, a best-practices guide that has been downloaded more than 500,000 times by entities around the world since its February 2014 publication.
As part of its standardization mandate within the U.S. Department of Commerce, NIST is now looking ahead to a security threat beyond the scope of today's cyber defenses. It stems from quantum computing, a still-emerging technology that promises to break the bounds of even the most powerful supercomputers.
The material properties of the units known as quantum bits, or qubits, “expand the power of computing multi-fold,” says Matthew Scholl, chief of the NIST Computer Security Division.
Boundary-breaking performance is an exciting and potentially revolutionary prospect for those engaged in modeling and simulations. But with quantum computing will come the capability to defeat the data encryption that protects information transmitted over credit card, e-commerce and other secure networks.
Scholl, a presenter at the 20th GARP Convention, points out that quantum remains in a very early commercial stage (IBM and Google are among those making some headway) and the security peril is years away. Michele Mosca of the Institute for Quantum Computing, University of Waterloo (Canada), has said that there is a 1 in 7 chance that public key cryptography will be broken by quantum computing by 2026.
In 2012, NIST launched a Post-Quantum Cryptography (PQC) standards project to promote development of encryption systems that will “work with current, classic machines,” Scholl says, while also being “resistant to the capacity of quantum machines.”
The lead time was necessary. As noted on NIST's PQC overview page, “many scientists now believe [production of large-scale quantum computers] to be merely a significant engineering challenge. Some engineers even predict that within the next 20 or so years, sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.”
In September 2018, NIST announced the formation of the Quantum Economic Development Consortium with the goal of ensuring that “we have best capacity and capability for the U.S. to be the leader in this market going forward,” Scholl says.