Quantum computing is set to harness the laws of quantum mechanics to solve problems too complex for today’s classical digital computers. But will the rise of quantum computing increase cyber security risk?

Business concerns about quantum computing

The emerging quantum computing industry has already made enormous advances. As more organisations discover its potential, the global market is expected to hit US$50 billion by the end of this decade.1 Major technology companies such as Amazon, IBM, Google and Microsoft have launched commercial quantum-computing cloud services, and there are significant investments in new players such as Quantinuum and PsiQuantum.

But surveys suggest that businesses have concerns around cyber security and data protection from quantum computing.

What is quantum computing?

Quantum computers are designed to use quantum physics for computing, which introduces unprecedented capabilities over traditional computation methods. Quantum computing has the power to transform drug research, energy use, manufacturing, cyber security and communications, as well as AI applications, autonomous-vehicle navigation, and financial modelling.

Research by KPMG Australia shows that protecting data and dealing with cyber risks are viewed by C-suite executives and board members from private sector enterprises as a top challenge in 2024 – and for the next 3 to 5 years.2

In Australia, to address this quantum threat, the Australian Signals Directorate (ASD) is encouraging organisations to understand and make plans to transition to post-quantum cryptography (PQC) algorithms within their own environments.

The ASD has outlined planning considerations for post-quantum cryptography, including an inventory of encryption in use, a data value assessment, a transition plan for implementing PQC and decommissioning legacy cryptography, vendor engagement, and education on the use of PQC.

Encryption is everywhere. As an immediate step, organisations need to understand their risk from the use of public key cryptography and how they value data in their environment. This will impact multiple systems and applications that are fundamental to business operation. The transition to a quantum resilient environment will take many years and multiple budget cycles, so the best strategy is to start understanding this risk now.

Michael Egan
Director – Quantum, KPMG Australia

KPMG in Canada surveyed 250 large corporations and found that around 60 percent of organisations in Canada and 78 percent in the US expect quantum computers to become mainstream by 2030.3 But as quantum computing proliferates, so do concerns about its potential impact on cyber security.

Most of the businesses surveyed were ‘extremely concerned’ about quantum computing’s potential to break through their data encryption. Sixty percent of respondents in Canada and 73 percent in the US believe ‘it’s only a matter of time’ before cybercriminals are using the power of quantum to decrypt and disrupt today’s cyber security protocols. At the same time, however, 62 percent of respondents in Canada and 81 percent in the US admit that they need to do a better job of evaluating their current capabilities to ensure their data remains secure.3

KPMG in Germany’s research, conducted in collaboration with Germany’s Federal Office for Information Security (BSI), showed that 95 percent of respondents believe quantum computing’s relevance and potential impact on today’s cryptographic security systems is ‘very high or high’, and 65 percent said the average risk to their own data security is ‘very high or high’. Only 25 percent of firms said the threat posed is currently being addressed in their risk management strategy.5

Planning for quantum computing risk

Quantum computers will be able to break common encryption methods at an alarming speed. Encryption tools currently used to protect everything from banking and retail transactions to business data, documents and digital signatures can be rendered ineffective – fast. Attacks using a ‘harvest-now, decrypt-later’ approach enable adversaries to steal encrypted files today and store them until sufficiently powerful quantum computers emerge. So data with a long lifetime value, such as health data, financial records and government files, will be of immediate interest to bad actors.

The level of preparation that organisations do today is expected to be critical to limiting exposure and vulnerability to emerging threats, making quantum risk planning a priority.

Businesses need to understand the quantum risk in order to take action in areas including:

  • web browsing
  • remote access
  • software
  • digital signatures
  • communication
  • cryptocurrencies.

Understanding the quantum-risk landscape

Organisations need to quickly understand the risk factors that quantum may pose to their business operations and security. Every organisation that holds and processes data should consider the lifetime value of the data that they use, and the impact of that data being used or misrepresented by bad actors. For example:

Sensitive organisational data

  • Highly confidential data held by military services, national intelligence, finance and government organisations.

Critical infrastructure providers

  • Organisations whose complex systems are critical to the functioning of communities, cities, states, and countries, including healthcare, transportation, utilities and telecommunications. Imagine, for example, the potentially disastrous impact of quantum disrupting the operation of a city’s sprawling power grid.

Long-life infrastructure providers

  • Organisations providing systems built to have a long lifespan for profitability, including satellite communications, payment terminals, Internet of Things (IoT) sensor networks and transportation. Whether data consists of customer information, medical records or government classified data, a breach can have catastrophic financial, reputational and legal consequences. And some organisations are currently unaware that cyber attackers are already accessing and storing their encrypted company data with the aim of decrypting it in the future using a quantum computer.

Personal data handlers

  • Organisations managing personal data with a long confidentiality span are required by law to protect such data, including government, healthcare, financial firms and insurance organisations. They need to ensure protection over an extended period of 5, 10, 20 years or more.

Dr Michele Mosca has developed a theorem that suggests a pathway to consider in order to protect data and keep it quantum-safe.6

Mosca’s theorem stresses the need for organisations to begin due diligence in the post-quantum space immediately. It states that if the amount of time that data must remain secure (X), plus the time it takes to upgrade cryptographic systems (Y), is greater than the time until quantum computers have enough power to break today’s cryptography (Z), that data is already at risk: if X + Y > Z, an adversary who harvests the data now will be able to decrypt it before its confidentiality requirement expires.

Once organisations are aware of their risk environment, they should be in a position to prioritise activity and mitigate or eliminate risks. However, this may not be a quick or simple process and may take years for each organisation.

Managing technical debt, for example, can be a significant challenge for organisations relying on systems that will be incapable of running modern cryptographic profiles. There is now an opportunity to evaluate migration timelines and understand how long it will take to make infrastructure quantum resistant. To do this, organisations should understand the challenge and allocate budgets for both the mitigation and ongoing monitoring that the post-quantum world will require.

It’s critical that organisations not only prepare for the quantum threat in their long-term risk planning, but also strengthen data protection now to help minimise quantum’s potentially disruptive and costly impacts.

Quantum-specific legislation and regulation

As quantum emerges and organisations continue to explore and discover both its game-changing advantages and threats, new legislation and regulations are being developed. In 2022, a US law was passed that requires government agencies to take action in using post-quantum cryptography and encourages the private sector to follow suit.7

In December 2023, the National Institute of Standards and Technology (NIST) in the United States released two draft publications to guide organisations aiming to redefine their capabilities and combat potential quantum-based attacks. The documents, Quantum Readiness: Cryptographic Discovery and Quantum Readiness: Testing Draft Standards for Interoperability and Performance, outline concrete issues and potential solutions when migrating to a new post-quantum cryptographic standard.8

The growing list of initiatives includes:

  • the Quantum Computing Cybersecurity Preparedness Act 2022, advising US federal organisations to prepare now for a post-quantum cryptography (PQC) world
  • National Security Memorandum on Promoting US Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems
  • White House Memorandum on Migration to Post-Quantum Cryptography
  • Monetary Authority of Singapore MAS/TCRS/2024/01: Advisory on Addressing the Cybersecurity Risks Associated with Quantum9
  • Quantum Security for the Financial Sector: Informing Global Regulatory Approaches, World Economic Forum in collaboration with the Financial Conduct Authority10.

As we see a global movement towards the identification of risks and requirements of secure quantum technology, further quantum-specific legislation, regulation and compliance is likely to follow.

When should companies implement quantum risk management?

The answer is now. While quantum computing may seem like a futuristic science fiction concept, the technology is poised to exert major consequences across today’s cyber security capabilities. KPMG believes innovation to protect against quantum cyber threats is needed without delay.

In the US, in 2014, NIST released a draft of the NIST Cybersecurity Framework 2.0 (CSF 2.0) – a major update to the Cybersecurity Framework (CSF) – to help organisations reduce cyber security risk. To be finalised and published in 2024, CSF 2.0 reflects changes in the cyber security landscape and will offer additional guidance on implementing the CSF.11

NIST has also chosen four encryption tools that it says are designed “to withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day.”12 The four encryption algorithms will become part of NIST’s post-quantum cryptographic standard, and all are expected to be finalised and ready for use in 2024.13

Meanwhile, improvements and standards in Quantum Random Number Generators (QRNGs),14 used for entropy enhancement and randomisation, and Quantum Key Distribution,15 a secure communication method for exchanging encryption keys known only to the communicating parties, also aim to harness the power of quantum technology and protect data.

It’s important to note that today’s post-quantum solutions may create a false sense of security, as we do not know whether the algorithms considered quantum-resistant today will remain that way as quantum computers become larger and more effective, or as cryptanalysis of the new algorithms matures. The danger is illustrated by the discovery of vulnerabilities in the NIST-selected encryption algorithm CRYSTALS-Kyber.16

How can organisations prepare for quantum computing risks?

Organisations can start to prepare for quantum threats by gaining a precise understanding of potential risks across their value chain. They should also identify methods to become more cryptographically agile in updating and deploying new cryptographic techniques as they become available. It’s also crucial to create end-of-life strategies for data, products and systems that will become obsolete or unable to support new cyber security requirements in a quantum-computing world.

Key questions as quantum evolves

  • How long does your data need to be secure and are you liable for its management?
  • What is the actual and reputational damage to your business in case of compromise by quantum computers?
  • How long will it take to increase your quantum resilience to an acceptable level?
  • Do you have an inventory of cyber security measures?
  • Are you liable for a third-party service or cloud provider, and are they moving to a quantum-safe environment?

Key actions to help mitigate quantum risks

  • Provide quantum impact awareness training, education and roadmaps to senior leadership.
  • Implement roadmaps and solutions to modernise cryptographic environments.
  • Provide guidance on investing in quantum-resistant technologies.
  • Develop contingency and mitigation plans to prevent a quantum attack.
  • Continuously monitor the fast-evolving quantum and security environment.

How KPMG can help with quantum risk

KPMG’s technology consulting specialists have extensive experience in cyber security and quantum technologies. By providing quantum risk assessments tailored to your business, we can help you understand specific threats posed by quantum technology.

We can help you prioritise at-risk data and systems, and develop a customised cyber security strategy into your long-term risk planning to assist with preparation for quantum threats.

Steps to quantum-secure encryption include:

  1. Discover: Identify cryptographic algorithms and protocols used to protect data and assets.
  2. Assess: Perform a risk assessment to identify quantum-vulnerable systems and assets.
  3. Manage: Prioritise remediation efforts and develop a remediation roadmap.
  4. Remediate: Implement mechanisms that enable crypto agility, and transition vulnerable cryptographic systems to post-quantum cryptography based on priority.
  5. Monitor: Perform ongoing monitoring of remediation efforts and changes to the threat and regulatory landscape.

KPMG specialists are using our quantum readiness assessment methodology and innovative collaborations to help make a difference for clients. KPMG firms’ collaboration with IBM Quantum (Quantum Safe) and InfoSec Global allows us to begin understanding the cryptographic footprint/baseline and work towards remediation and potential digital solutions. KPMG specialists are here to help.

KPMG's quantum computing specialists

To arrange a quantum readiness assessment or learn more about quantum computing, get in touch.

1 https://home.kpmg/ca/en/home/market-insights/predictions/technology/quantum-computing-will-help-us-solve-our-most-difficult-problems.html

2 Top 5 issues facing Australian business leaders in 2024

3 https://kpmg.com/ca/en/home/media/press-releases/2023/05/quantum-computing-is-coming-but-few-are-ready-for-it.html

4 Ibid.

5 https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Crypto/Marktumfrage_EN_Kryptografie_Quantencomputing.pdf?__blob=publicationFile&v=3

6 Mosca’s Theorem, Michele Mosca

7 Quantum Computing Cybersecurity Preparedness Act - This act addresses the migration of executive agencies' information technology systems to post-quantum cryptography.

8 https://www.nextgov.com/cybersecurity/2023/12/nist-releases-2-draft-guides-prepare-post-quantum-migration/392934/

9 https://www.mas.gov.sg/regulation/circulars/advisory-on-addressing-the-cybersecurity-risks-associated-with-quantum

10 https://www.weforum.org/publications/quantum-security-for-the-financial-sector-informing-global-regulatory-approaches/

11 https://csrc.nist.gov/projects/post-quantum-cryptography

12 https://www.nist.gov/news-events/news/2023/08/nist-standardize-encryption-algorithms-can-resist-attack-quantum-computers

13 Ibid.

14 https://phys.org/news/2023-05-quantum-random-generator-independently-source.html

15 https://quside.com/how-does-quantum-key-distribution-qkd-work/

16 https://eprint.iacr.org/2023/1084