Discover more from Discourse
In the face of possible security threats, cyber agility can help us overcome the concerns posed by quantum computing and embrace a more innovative future
By Matthew Mittelsteadt
Quantum computers represent the closest science has come to wizardry. These cutting-edge machines are in a superposition of strange and cool, and in recent years, quantum computing has been advancing at a breakneck pace. This certainly creates the possibility of unnerving threats. For one, if quantum computers grow powerful enough, they could create a destabilizing cybersecurity crisis.
But the rise of quantum computing also provides the potential for exciting prospects for our future. We may be on the threshold of a more innovative world we can barely fathom today. As we consider quantum computing, we ought to reframe the “threats” posed by quantum computing as opportunities. Not only will quantum computers bring innovation, but inherent in mitigating their dangers is the chance to limber up our digital economy with cost-saving, security-enhancing design.
The Emerging Quantum Future
While the idea of quantum computing has been around since 1981, it was only recently that engineers were able to cobble together proof-of-concept systems that merely functioned. But today, engineers are finally pushing the tech past proof of concept toward something increasingly powerful. In November, IBM debuted its Osprey quantum computer, a system with double the processing power of its one-year-old predecessor, the Eagle quantum computer. Double seems almost unimpressive, however, compared to Osprey’s 16-fold processing power gains over its slightly older 2019 predecessor, the Falcon quantum computer. This tech is evolving exponentially. While still in its infancy, this rapid growth suggests we must start considering its future impacts today.
For the uninitiated, quantum computers fundamentally diverge from all “classical” computers that came before. In a classical computer, like the one you are using to read this article, computation is based on manipulating and storing electrical signals in computer chips. Quantum computers ditch electrical signals entirely, instead using physical particles like electrons and protons to perform computation. To calculate something, these computers take in a problem, precisely arrange particles to interact in such a way that leads to a solution to that problem, and then measure the results of those interactions.
If this seems confusing, you’re not alone. Thankfully, it’s not how these systems work that matters. It’s what they do.
This physics-laden form factor isn’t just unique—it’s also incredibly useful. In classical computers, there are certain computing problems wryly referred to as “hard,” with solutions that would take millions of years to compute. This means they are practically impossible to solve. But where classical computers fail, quantum computers pick up the slack. Quantum computers can use different forms of math that unlock lightning-fast solutions to these otherwise million-year calculations. For instance, it turns out the only way to simulate complex particle physics models is with the very particle physics that drives the calculations of quantum computers. These systems aren’t just academic; they have many potential practical applications. Quantum computers could unlock powerful automated drug discovery, precise weather system modeling and materials discovery. While quantum computers will have minimal use for lay people, they will unlock boundless innovation for engineers.
The Impending Quantum Threat
But in the face of all this possibility, quantum computing also poses a looming threat that cannot be understated. With enough power, these systems can solve certain types of math so quickly that they could “crack,” or render insecure, most of the cryptographic algorithms our digital communications systems are built on. Without strong encryption, bank accounts could be pilfered, infrastructure taken offline by cyberattack, private medical records stolen, encrypted chat messages freely accessed. Our digital economy depends on functional encryption algorithms; if they are cracked, we face a privacy and security nightmare. Think Y2K but on steroids.
In recent years, security experts have taken solace in assertions that to pose a threat, these systems need processing power well beyond what is possible today. These estimates suggest we have a decade or more before we need to worry. Alarmingly, however, this conventional wisdom may be flawed. In late 2022, Chinese researchers debuted a yet-to-be-verified method that claims to break cryptographic algorithms using only the low-powered quantum computers we have today. While it’s too soon to verify if this is true, it suggests that the theoretical 10 years we have to manage this threat isn’t guaranteed. It could emerge at any moment, and in fact, it may already be here.
Thankfully, fixing the problem is indeed doable. The National Institute of Standards and Technology (NIST) has provided a range of replacement “quantum-resistant” encryption algorithms that should, as Secretary of Commerce Gina Raimondo has said, help “secur[e] our sensitive data against the possibility of future cyberattacks from quantum computers.” That said, an economywide transition to these algorithms will require significant time, effort and money. Added to this challenge, the hardware and expertise needed to make these changes will be tight amid a chip shortage and an ever-shortening runway.
While policymakers have taken initial steps toward mitigation, most industry-facing regulators have yet to act or even issue warnings. It is unclear whether regulatory inaction is rooted in a perception that this threat is intangibly far off or if regulators are simply uninterested. Regardless, a threat-based pitch hasn’t worked.
Transitioning the entire digital economy to quantum-resistant cryptography means rebuilding our flawed security systems from the ground up. This is a once-in-a-generation moment to shore up our security, tighten our algorithms and establish new cyber norms that can govern technology in the coming decades. As Milton Friedman said, “only a crisis—actual or perceived—produces real change.”
Of primary importance is tackling the problem of technical ossification. All industries are built on a highly decentralized technical ecosystem. As a result, changes to digital norms, protocols and standards move slowly and cannot keep up with ever-changing security and innovation demands. Email, for instance, runs on a 1980s protocol called SMTP that has resisted change since its introduction. It wasn’t until 2012 that email was updated to support Chinese and Russian characters. Even today, criminals can easily masquerade as someone else because email has yet to implement user authentication. As a result, 83% of organizations fall victim to email phishing attacks annually, costing millions. Clearly, technical ossification can create very real harm.
Today, the quantum insecure cryptographic algorithms used in most applications are particularly ossified, and not designed for flexibility. Their functions are often immutably seared into the silicon of computer chips or coded as to exert maximum pain during updates. This will pose an inevitable challenge as organizations are forced to replace these soon-to-be-obsolete algorithms. As we revisit the design of most, if not all, digital communications technologies, we should use this moment to clear the technical decks and limber up this outdated infrastructure.
Cyber agile design represents the most promising opportunity. Cyber agility refers to the practice of designing systems to allow easy modification, alteration and customization. Under cyber agile design, systems are coded like Legos, where engineers can pop in a new algorithm with a satisfying click anytime an old one grows obsolete or is proven unsafe.
Our standard internet communications provide an excellent case study. In recent years, there has been a major push by Google, the Electronic Frontier Foundation and others to transition most web communications toward cyber agile security tools. Today, when you access a given website, the site can easily customize the algorithm safeguarding its traffic. If at any point security researchers deem these safeguards insecure, cyber agile design allows administrators to simply swap in a replacement with minimal effort.
This flexibility not only accommodates nimble responses to changing security demands but the bespoke performance demands of each website. For Netflix, cyber agility allows the site to select algorithms that maximize for service-critical streaming speeds. Meanwhile, Citibank is allowed to choose algorithms that contain ironclad security features. Through flexibility, websites can prepare for future algorithmic changes while enjoying choice over their security tools. While current internet communications are not yet agile enough to accommodate these new quantum security algorithms, this model is one the broader technical ecosystem should emulate and expand on.
The impending quantum security transition is not merely an excuse for implementing these designs—it’s a perfect pairing. While NIST has indeed provided an initial slate of algorithms that should guard our computers from quantum computing-based cyberattacks, these tools are hardly battle tested. The mathematics behind these new algorithms hasn’t received extensive study, and it’s not unlikely they contain glaring holes researchers missed. In July, these concerns were made manifest when a pair of researchers cracked one of the four NIST provided algorithms in just an hour on a laptop. While the rest remain secure, this signals a need for a contingency plan to ensure a smooth transition to quantum-resistant algorithms. Cyber agility is that contingency.
We should assume these algorithms will fail when tested in the real world and design our systems to quickly replace them and preserve our security in the face of that failure. This assumption also means preparing for the costs of perhaps frequent IT transitions to mitigate insecurity. Cyber agility will allow our systems to implement future changes on the cheap. One large, costly IT transition today can mean many inexpensive and easy transitions in the future. On net, this may minimize cost while ensuring our systems are always using the most secure algorithms. Implementing cyber agility alongside quantum security is a win-win.
What If This Threat Is Overblown?
It is important to stress that this quantum computing cyber threat is not guaranteed. While quantum computers are evolving extremely quickly, and despite Chinese researchers’ claim of an unverified method of breaking cryptography with existing systems, many still contend that the tech may never fully emerge. Under that scenario, adopting these changes necessitates extensive IT transition costs and effort while preventing nothing. Between the costs of these changes and the uncertainty of the quantum threat, many might believe that the expected value of these changes is negative. This is likely the core reason industry-facing regulators have been silent on the issue. Overhyping the threat of a sci-fi technology poses a reputational risk; maybe a wait-and-see approach is best.
Let’s assume the threat doesn’t materialize: Are these changes still worth it?
Thankfully, if quantum security is paired with cyber agility, there is a sound business case regardless. Existing cryptographic algorithms are imperfect. Former industry standards such as the DES cypher and the MD5 hashing function have been cracked and used as the basis for crippling attacks. But due to systematic inflexibility, these now-useless algorithms (and related attacks) are still quite common. Cyber agility would solve this while accommodating quantum security needs.
Cyber agility will also help security systems withstand policy fragmentation and churn. As cyber policy has edged into the mainstream, we have sewn together a national and international patchwork of regulatory requirements. Adding quantum threats to the mix will only complicate this mess. If businesses are to operate across state or national borders, as many do, cryptographic agility will be essential. If New York were to adopt new banking security rules tomorrow, an inflexible bank would be challenged by the costly software audits and code updates needed to conform to that one jurisdiction’s demands. Meanwhile, an agile bank would find the process small, routine and low-cost. Just as cyber agility allows Netflix to customize its algorithms to its streaming needs, cyber agility also allows systems to customize algorithms to varied legal demands.
From a business perspective, designing cryptographically agile, quantum-resistant systems kills three birds with one stone: Systems will be able to manage quantum threats, handle classical threats and flex to accommodate regulatory churn. What impact does this have on our analysis? If quantum attacks do materialize, the value of the changes will obviously be very high. If these attacks do not, the loss incurred might be offset by these other benefits. Either way, the expected value may well be positive.
Preparing for the Future, Today
The effort needed to respond to the quantum computing cyber threat has clear value. With our current runway, perhaps we can design the systems we want, rather than wait and be forced to accept emergency patches that merely function. Success requires action today. Naturally, primary responsibility falls on the private sector. Private actors understand their systems best and have both the quantum security algorithms and cyber agility frameworks needed to act. Through the diversity of private action, we can stress-test these tools, refine their use and promote security innovation.
To encourage this process, however, regulators must step up. NIST has already called on federal agencies to prioritize cyber agility to address this challenge; we should broaden that message to the private sector. Industry-facing regulators should begin issuing threat notifications and expert guidance to provide industry both the tools and runway needed to redesign their systems with the care cyber agility demands. To ensure this risk is taken seriously, regulators must monitor progress while iteratively updating recommendations with any discovered implementation challenges. Further, regulators should begin working with relevant international organizations such as SWIFT to ensure systemic action and amplify this message. Crucially, regulatory messaging should stress not just cyber risk, but opportunity as well. The stick of the looming quantum threat is perhaps best paired with the carrot of this exciting, potentially cost-effective response.
I have great optimism about the future of quantum computing, and I am excited about its potential to simulate particle physics, design new materials and discover lifesaving drugs. If the quantum threat materializes before these quantum benefits, however, politicians may bury this exciting tool under regulations designed to stop a weapon. Let’s take the optimistic route. This tech can have real benefits, and it is our choice to unleash it.