Features 03.12.2024
Quantum Computing Breaks Encryption: How Worried Should CISOs Be?
How close are we to the end of encryption as we know it?
In October, a story surfaced that sent shockwaves throughout the cybersecurity sector and beyond: Chinese researchers broke RSA encryption with quantum computing.
A team led by Shanghai University’s Wang Chao revealed that D-Wave’s quantum computers made it possible to successfully attack current encryption methods. Modern encryption, the art of protecting confidential information or data, may be about to crumble in front of our eyes.
This poses some important questions: how close are we to the end of encryption as we know it? How worried should CISOs and executives be about the rise of quantum computing? And what can be done today to protect businesses in the future?
Firstly, we need to understand precisely what the paper from Shanghai University implies. Should cybersecurity professionals start panicking, ripping up the script, or abandoning all they know?
Well, let’s not move quite so fast. Quentyn Taylor — the senior director of product, information security, and global incident response at Canon — tells Assured Intelligence that the key broken by Chinese researchers was “trivially sized.”
In other words, the paper from Shanghai University was more a proof of concept than a sign that we’ve entered a new reality. Cybersecurity professionals don’t need to go to panic stations, but they can’t afford to be relaxed either.
“I believe this does show the first practical application of breaking cryptography algorithms using quantum computing,” Taylor says.
Think of the paper as a warning shot. It shows the inevitable potential of quantum computing and is undoubtedly a token of what’s to come. This leads us to our next question: When will quantum computing break encryption?
“This is the $50,000 question,” Taylor says, continuing, “unfortunately no one really knows.”
Other professionals echoed this sentiment of uncertainty.
Roger Grimes is the author of Cryptography Apocalypse, a book about preparing for the moment quantum computing breaks encryption. Grimes tells Assured Intelligence that the US government declared companies must be prepared for this reality by 2030 or earlier. Despite that, Grimes says he doesn’t think “anyone in the field of quantum computing would be shocked if it happened tomorrow.”
However, there is the potential that governments have already cracked this code. Taylor says that nation-states may have “more significant capabilities” than we know, while Grimes believes there’s a “decent chance” a government has broken encryption using quantum computing, “but we don’t know about it publicly.”
In contrast, Manoj Bhatt, a cybersecurity consultant who worked with the Ministry of Justice and Accenture, believes we’re still “quite far” from the day when quantum computing will break encryption.
“As quantum computing advances, so will the encryption methods used to protect our data,” he says, “and therefore, there is a risk, but it is a very low risk.”
The uniting factor is that nobody can truly guess when quantum computing will break today’s encryption. Yet the broad consensus is that the technology will advance sooner rather than later. So what happens then?
Bhatt is sanguine about this new reality. “Cybersecurity has been evolving for years and will continue to evolve for the years to come,” he says.
The sector handled the threats of cloud computing and the Internet of Things and is now working hard on artificial intelligence. Bhatt believes that as long as companies evolve and adopt new protective measures, they’ll be okay. Quantum computing, he believes, “will just be another angle” for cybersecurity professionals.
Marc Lueck, CISO EMEA at Zscaler, holds a similar viewpoint. “There is an old analogy that is still fit for purpose to summarise the situation,” he says. “When running away from a bear, you don’t have to be the fastest, you just have to be faster than the slowest person.”
Lueck continues, saying that organisations could have a serious problem if they haven’t taken appropriate precautions by the time quantum computing arrives. The key, he says, is to avoid that situation and continue moving forward and adapting to new technologies.
However, Taylor from Canon doesn’t predict a smooth transition when quantum computing becomes capable of breaking today’s encryption. First, he predicts widespread panic. Then, “as in many developments of this nature,” he says, “we will probably overestimate the impact in the short term and underestimate it in the long term.”
This could lead to a rush of businesses switching encryption algorithms, which in many cases “will be not necessary,” leading to huge network and electricity loads. Afterwards, companies may rest on their laurels rather than keep moving with the times.
Grimes sees an even bleaker potential future. “People with access to sufficiently capable quantum computers will be able to read the secrets protected by quantum-susceptible cryptography,” he says. “We know all the big nation states are already listening in on and collecting massive volumes of today’s data…[and are] just waiting for the day when they get the right capabilities [to break it].”
Beyond this terrifying scenario of sensitive data being held by foreign powers until it can be decrypted, Grimes also mentions the impact the shift to quantum computing will have on businesses: “If the world isn’t already prepared for that day, there will be a massive Y2K-like project for every unprepared company,” he says.
All this raises an important question: how do companies prepare?
While the experts have differing opinions on what this future looks like, they all agree that the impact quantum computing will have on cybersecurity depends heavily on what companies do now.
So, what should they do? Bhatt believes “the key principles considered the foundations” won’t change. The foundation, as he puts it, is to “continue doing what we are doing.”
Specifically, this involves assessing risk, analysing key company assets, and ensuring the board is updated with technological developments.
Lueck from Zscaler focuses more on risk, calling for CISOs to identify organisational vulnerabilities on the individual application level.
“CISOs have to re-evaluate their risk for the areas where they are using encryption today and then build a plan towards addressing that risk,” he says. “Depending on the risk level of an application, they need to define the action to take, which can range from changing the keys to exchanging the whole system.”
Taylor has similar advice for businesses looking to protect themselves from quantum computing. “My recommendation would be to have a full inventory of the types of data you have, a new process, and what the impact would be if either the encryption or the hashing could be broken.”
Grimes broadly agrees with these processes but thinks companies should take them a step further: “All organisations should already have a ‘post-quantum’ project team working on this issue. If not, get one; you’re already late.”
Ultimately, quantum computing is coming. It’s not a matter of if; it’s a matter of when, and companies must prepare.
While the fact that today’s encryption will eventually be broken by this technology is terrifying on the surface, the right systems and processes should enable organisations to navigate these rocky waters.
And if your business hasn’t started preparing already? Consider the paper from Shanghai University a clear warning. Change is coming, and how much it impacts you revolves around the actions you take today.