Is this the year we take quantum threats seriously? [Q&A]
Quantum computing is something that seems to have been hovering just out of reach for a decade or so -- in fact research into the concept first began back in the 1980s.
More recently quantum has come closer to a commercial reality: IBM has published a road map with a clear, detailed plan to scale quantum processors and build the hardware necessary to take advantage of the technology, and other big players like Google, Amazon, and Microsoft have since followed suit.
But quantum has brought with it concerns, not least surrounding the potential to break security and encryption technology. We spoke to Curtis Simpson, CISO at Armis, to learn more about the potential risks from quantum and what businesses can do about them.
BN: How far do you think we are from seeing commercially available quantum computing?
CS: I think we're five to 10 years away from commercially available next-gen quantum computing, but the pipeline to achieve this is being built now. Research from the World Economic Forum estimates that over $35 billion was spent on quantum investments last year, not only in hardware and infrastructure but in algorithmic training, developing a quantum workforce pipeline and setting governance policies. From looking at the evolution of other revolutionary technologies, like generative AI and blockchain infrastructure, it's fair to expect that the quantum industry's advancement will rapidly outpace businesses' ability to handle the risks and governments' ability to regulate -- unless we prepare now.
I will say this -- there's a poster I have on my office wall that reads, 'Retire before quantum'. It's half a joke, half true -- we're still in the foundational period, but we're approaching the tipping point where the threats will outmatch the skills of our security teams and it will be wild to try to keep up.
BN: What are the real security risks of quantum?
CS: Foundational cybersecurity today comes down to one core competency -- encryption. Next-gen quantum computing flips that on its head -- its ability to break traditional encryption will make today's algorithms essentially useless. In other words, if tomorrow we have one specific player with fully functioning quantum capabilities, then it means there are no walls against that player, leaving the rest of us vulnerable. Our current encryption methods are based on conventional models of computer architecture, and they stand to lose their efficacy as quantum computing literally untangles our ways of securing data.
For businesses, that means their data -- their most valuable digital asset -- will be even more vulnerable to threat actors taking advantage of quantum computing. Enterprises and critical infrastructure struggling to adopt multi-factor authentication and map their assets will need to accelerate their ability to innovate security capabilities. Otherwise, they're going to be in a tough spot, wholly unprepared for their entire security posture to be rendered useless.
BN: What challenges will addressing these risks present?
CS: Digital transformations need to continue accelerating to the point where everything in an enterprise environment is not only in the cloud, but also able to be migrated and replicated to evolving quantum cloud offerings. Today's cloud compute leader may not be tomorrow's quantum cloud compute leader. Enterprises should be prepared to migrate and replicate critical, differentiating capabilities to be leading cloud compute offerings.
Similarly, both in support of funding accelerated transformations and from a quantum risk avoidance perspective, business and technology functions must truly partner on the confident elimination of technical debt. Moving at the current pace, many enterprises will still be relying upon legacy systems storing sensitive data or handling critical business processes when the quantum threat accelerates.
The challenge is that already costly transformations will likely continue to grow in cost as companies finalize their move to their cloud and then immediately focus on portability or multi-cloud capabilities and the ability to migrate and replicate at the microservice level. It already costs on average more than $5 million and 1-2 years for a company to go cloud-native, according to research from OutSystems. Imagine your organization has done all that work and earned the trust necessary for that change -- and now, you have to transform an architecture with thousands of workloads, apps and assets all over again. In a tight economy where businesses have to show profitability and prudence, it will take a significant amount of research and buy-in to make CFOs make network separation a priority. It requires a cultural shift, where leaders understand that runaway growth cannot happen at the expense of security and long-term planning.
BN: Which security solutions should organizations be looking at for a post-quantum world?
CS: Zero-trust micro segmentation is going to be a bare-minimum requirement for managing the attack surface in a post-quantum world. The main action security teams can take now is to use these strategies as a guide to map assets, make unauthorized access as difficult as possible, and create intentional segmentation -- rather than waiting for quantum threat actors to disconnect networks on their own terms. Even if these are not the most efficient solutions yet, they create important safeguards upon which businesses can add additional layers of security. The reality, though, is that we still have to build most of the security solutions that will stand up to quantum decryption. It's important to make investments in security strategies that protect your most critical assets both at rest and in motion -- and advances in encryption can hopefully improve that security over time.
BN: Why do we need to take action on this now if it's still some years away?
CS: No matter how quickly we become aware of new threats, change on a business operational level always comes slowly. When we consider how long it's taken to get on board with instituting multifactor authentication at scale, much less buying into the concept of a zero-trust strategy or cyber incident reporting requirements, we don't have much time. We need to start now in order to build quantum security technology for commercial use, educate organizations on this paradigm shift, create a pipeline of quantum engineers that does not require a Ph.D. (or any graduate work whatsoever) and work with public-sector organizations and standards groups to create industry consensus on best practices.
If anything, we're behind, because it will take nation-state attackers, ransomware groups and even script kiddies far less time to achieve quantum attack methods than it will for us to create this defense posture. For that reason, there's never been a more important time to start planning for this eventuality and investing in the infrastructure we need.