Quantum is coming — and bringing new cybersecurity threats with it

The quantum-computing revolution is upon us — a paradigm shift in computing power that harnesses the laws of quantum mechanics to solve problems far too complex for today’s classical digital computers. 

Quantum computers apply the unique behavior of quantum physics to computing, introducing unprecedented capabilities to traditional programming methods. From transforming drug research, energy use, manufacturing, cybersecurity and communications to enhancing AI applications, autonomous-vehicle navigation, financial modelling and more — quantum is poised to unlock a new reality.

The emerging quantum-computing industry is already making enormous advances — as more organisations discover its potential, the global market is expected to hit US$50 billion by the end of this decade.¹ Major technology companies are rapidly developing their quantum capabilities — Amazon, IBM, Google and Microsoft, for example, have already launched commercial quantum-computing cloud services, and there are significant investments in new players such as Quantinuum and PsiQuantum.

KPMG in Canada surveyed 250 large corporations and found that about 60 percent of organisations in Canada and 78 percent in the US expect quantum computers to become mainstream by 2030.² But as quantum proliferates, so do concerns about its potential impact on cybersecurity.

Most businesses surveyed are “extremely concerned” about quantum computing’s potential to break through their data encryption. Sixty percent in Canada and 73 percent in the US believe “it’s only a matter of time” before cybercriminals are using the power of quantum to decrypt and disrupt today’s cybersecurity protocols. At the same time, however, 62 percent in Canada and 81 percent in the US admit that they need to do a better job of evaluating their current capabilities to ensure their data remains secure. ³

KPMG Australia research shows that protecting data and dealing with cyber risks is viewed by C-suite executives and board members from private sector enterprises as a top challenge in 2024 — and for the next 3 to 5 years.⁴

KPMG in Germany conducted research in collaboration with Germany’s Federal Office for Information Security (BSI), 95 percent of respondents believe quantum computing’s relevance and potential impact on today’s cryptographic security systems is “very high or high,” and 65 percent also say the average risk to their own data security is “very high or high.” Yet only 25 percent of firms say the threat posed is currently being addressed in their risk management strategy.⁵

The level of preparation that organisations do today is expected to be critical to limiting their exposure and vulnerability to emerging threats — making quantum risk planning a priority. Quantum computers can break encryption methods at an alarming speed, rendering ineffective encryption tools that are widely used today to protect everything from banking and retail transactions to business data, documents, email and more.

“Harvest-now, decrypt-later” attacks could enable adversaries to steal encrypted files and store them until more advanced quantum computers emerge.

KPMG firms are helping clients take action to understand and respond to the broad and unprecedented quantum-risk environment, as asymmetric encryption is used in multiple applications, from storage to communication. The risk landscape includes the following critical areas:

• Web browsing
• Remote access
• Software
• Digital signatures
• Communication
• Crypto currencies

There is little time to lose for organisations to gain a deeper understanding of the risks quantum may pose to their operations and security. For every organisation that holds and processes data, they should consider the lifetime value of the data that they use, and the impact of that data being used or misrepresented by bad actors. For example:

Sensitive organisational data: Highly confidential data held by military services, national intelligence, finance and government organisations.

Critical infrastructure providers: Organisations whose complex systems are critical to the functioning of communities, cities, provinces and countries, including healthcare, transportation, utilities and telecommunications. Imagine, for example, the potentially disastrous impact of quantum disrupting the operation of a city’s sprawling power grid.

Long-life infrastructure providers: Organisations providing systems that are built to have a long life span for profitability, including satellite communications, payment terminals, Internet of Things (IoT) sensor networks and transportation. Whether data consists of customer information, medical records or government classified data, a breach can have catastrophic financial, reputational and legal consequences. And some organisations are currently unaware of cyber attackers already accessing and storing encrypted company data with the aim of decrypting it in the future using a quantum computer.

Personal data handlers: Organisations managing personal data with a long confidentiality span are required by law to protect such data, including government, healthcare, financial firms and insurance organisations. They need to ensure protection over an extended period of 5, 10, 20 years or more. 

“Mosca’s Theorem”, illustrated below, suggests the timeframe required to protect data. Dr. Michele Mosca’s theorem stresses the need for organisations to begin applying diligence in the post-quantum space right away. It states that the amount of time that data must remain secure (X), plus the time it takes to upgrade cryptographic systems (Y), is greater than the time at which quantum computers have enough power to break cryptography (Z).

Once organisations are aware of their risk environment, they should be in a position to prioritise activity and mitigate or eliminate risks. However, this may not be a quick or simple process and may take years for each organisation.

Managing technical debt, for example, can be a significant challenge for organisations relying on systems that will be incapable of running modern cryptographic profiles. There is now an opportunity to evaluate migration timelines and understand how long it will take to make infrastructure quantum resistant. To do this, organisations should understand the challenge and allocate budgets for both the mitigation and ongoing monitoring that the post-quantum world will require.

It’s critical that organisations not only prepare for the quantum threat in their long-term risk planning, but also strengthen data protection now to help minimise quantum’s potentially disruptive and costly impacts.

As quantum emerges and organisations continue to explore and discover both its game-changing advantages and threats, new legislation and regulations are in the works. In 2022, a U.S. law was passed that requires government agencies to take action in using post-quantum cryptography — and encourages the private sector to follow suit⁷.

The National Institute of Standards and Technology (NIST) in December 2023 released two draft publications to guide organisations aiming to redefine their capabilities and combat potential quantum-based attacks. The documents — “Quantum Readiness: Cryptographic Discovery” and “Quantum Readiness: Testing Draft Standards for Interoperability and Performance” — outline concrete issues and potential solutions when migrating to a new post-quantum cryptographic standard.⁸

The growing list of initiatives also includes:

• The Quantum Computing Cybersecurity Preparedness Act 2022, advising US federal organisations to prepare now for a post-quantum cybersecurity (PQC) world;
• National Security Memorandum on “Promoting US Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems”;
• White House Memorandum on “Migration to Post-Quantum Cryptography”;
• Monetary Authority of Singapore MAS/TCRS/2024/01 : Advisory on Addressing the Cybersecurity Risks Associated with Quantum⁹;
• Quantum Security for the Financial Sector: Informing Global Regulatory Approaches, World Economic Forum in collaboration with the Financial Conduct Authority¹⁰.
  

This growing trend is likely to be investigated by other countries as we see a global movement towards identifying the risks and requirements of secure quantum technology.

While quantum computing may seem like a futuristic science fiction concept, the technology is indeed poised to exert major consequences across today’s cybersecurity capabilities. We believe innovation is needed without delay.

The National Institute of Standards and Technology (NIST) has released a draft of the NIST Cybersecurity Framework 2.0 (CSF 2.0) — a major update to the Cyber Security Framework (CSF) it released in 2014 to help organisations reduce cybersecurity risk. To be finalised and published in early 2024, CSF 2.0 reflects changes in the cybersecurity landscape and will offer additional guidance on implementing the CSF.¹¹

The NIST has also chosen four encryption tools that it says are designed “to withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day.” ¹²  The four encryption algorithms will become part of NIST’s post-quantum cryptographic standard and all are expected to be finalised and ready for use in 2024.¹³

Meanwhile, improvements and standards in Quantum Random Number Generators¹⁴ (QRNGs), for entropy enhancement and randomisation, and Quantum Key Distribution,¹⁵ a secure communication method for exchanging encryption keys only known between shared parties, also aim to harness the power of quantum technology and protect data.

It’s important to note that today’s quantum solutions are creating a false sense of security — as we do not know if the quantum algorithms considered resistant will remain that way as quantum computers become larger and more mainstream. The danger is illustrated by the discovery of vulnerabilities in the NIST-selected encryption algorithm CRYSTALS-Kyber.¹⁶

Where to start as the power of quantum advances

Organisations can start to prepare by gaining a precise understanding of potential risks across their value chain. They should also identify methods to become more cryptographically agile in updating and deploying new cryptographic techniques as they become available. It’s also crucial to create end-of-life strategies for the data, products and systems that will become obsolete or unable to support new cybersecurity requirements in a quantum-computing world.

Here are key questions to ask going forward as quantum evolves:

• How long does your data need to be secure and are you liable for its management?
• What is the actual and reputational damage in case of a compromise?
• How long does it take for your system to migrate to quantum secure?
• Do you have an inventory of cybersecurity measures?
• Are you liable for a third-party service or cloud provider and are they are moving to a quantum-safe environment?

Key actions to help mitigate quantum risks:

• Provide insightful awareness training, education and roadmaps to senior leadership;
• Implement roadmaps and solutions to modernise cryptographic environments;
• Provide guidance on investing in quantum-resistant technologies;
• Develop contingency and mitigation plans to prevent a quantum attack; and
• Continuously monitor the fast-evolving quantum and security environment.

KPMG firms are helping organisations mitigate quantum risks. Our technology consulting specialists have extensive experience in cybersecurity and quantum technologies to support your quantum journey. Our quantum risk assessment can provide a deeper understanding of the specific threats posed by quantum technology.

With the help of KPMG firms, you can apply the outcomes of this assessment to build a customised cybersecurity strategy that fully encapsulates preparation for the quantum threat into your long-term risk planning — helping to prioritise your data and systems that are at risk. Steps to quantum-secure encryption include:

Discover: Identify cryptographic algorithms and protocols used to protect data and assets.

Assess: Perform a risk assessment to identify quantum-vulnerable systems and assets.

Manage: Prioritise remediation efforts and develop a remediation roadmap.

Remediate: Implement mechanisms that enable crypto agility, and transition vulnerable cryptographic systems to post-quantum cryptography based on priority.

Monitor: Perform ongoing monitoring of remediation efforts and changes to the threat and regulatory landscape.

KPMG specialists are using our quantum readiness assessment methodology and innovative collaborations to help make a difference for clients. KPMG firms’ collaboration with IBM Quantum (Quantum Safe) and InfoSec Global allow us to begin understanding the cryptographic footprint/baseline and work towards remediation and potential digital solutions. KPMG specialists are here to help.