Faster problem solving, more investment and time travel attacks -- quantum predictions for 2024
Although quantum computing is still some way from commercial reality for most people and organizations, the technology is developing.
Many of the concerns surrounding it are about what a world of post-quantum computing might mean for cybersecurity. We asked industry experts what they think is in store for quantum in 2024.
Mike Loukides, vice president of emerging tech content at O'Reilly Media says better understanding is needed. "Quantum computing is still a long way off. A few people are kicking the tires and doing some experiments, but without several breakthroughs in fundamental physics, we won't have usable quantum computers next year. And maybe not in five or 10 years. There are two huge problems: quantum error correction and copying quantum data. Recently, there have been some claims of significant progress in error correction -- if those claims pan out, that will be a huge step forward. The other problem is potentially bigger. With digital memory, if you want to move data, you run a wire from one bit to another. If the value is 0, you load a 0 into the bit at the other end of the wire. That doesn’t work with qubits. You can run a wire -- but as soon as you read the value of a qubit, you get a 0 or a 1, and that's not enough because qubits aren't just 0s and 1s. You don't get the qubit's quantum state, which is a superposition of 0 and 1. And if you can't move data around, you can't build computers bigger than a single chip. This really isn't a matter of 'lots of smart people working on it will make progress.' We need a better understanding about how the world works at a quantum level."
Dr Jan Goetz, CEO of IQM, says:
While progress in quantum cybersecurity may be slow, there are other areas where we are closer to achieving quantum advantage. One such area is machine learning, where quantum computing can provide significant speedups for complex problems. We are already seeing this being tested in projects such as process optimization in production. Another area where quantum computing is showing promise is in the simulation of chemical problems. This is already being applied in projects such as battery development.
As we move into 2024, we can expect to see more proof-of-concept use cases being published and a wider adoption of quantum computing in various industries. This will require collaboration between end-users and quantum experts to identify use cases and develop solutions that leverage the unique capabilities of quantum computing. Overall, while progress in these areas takes time, the potential benefits of quantum computing make it an exciting and promising field to watch in the coming years.
Amit Sinha, CEO of DigiCert, says senior executives will become more knowledgeable about post-quantum computing, and companies will start accelerating their investments. "A recent Ponemon Institute survey on PQC revealed that while most IT leaders are concerned about the risk of 'harvest now, decrypt later' cyberattacks, business executives are still not aware of the present implications of quantum computing. It also revealed that the majority of organizations lack clarity in ownership, budget and strategy for PQC preparation. In 2024, education and planning activities will accelerate investment in this area."
Chris Hickman, CSO of Keyfactor, says work will be needed to adapt to a post-quantum world:
One of the biggest concerns with quantum computing is its potential to break cryptography. Luckily, NIST plans to finalize standardized post-quantum cryptographic (PQC) algorithms in early 2024. But organizations need to remember that this marks just the starting line for PQC algorithms. Once the algorithms become standardized - then products, developers and everyone can start using them with some confidence that they are supported to protect cryptography in a post quantum world. It should also allow for greater interoperability. However, organizations will need to undergo significant testing and planning to adopt these new algorithms, as they differ entirely from the ones currently used in asymmetric cryptography.
Quantum ready cryptography will also require longer key sizes. This is a concern because many of today's devices have limited memory and/or processing resources.
In 2024, organizations must start planning and testing to adopt NIST's new PQC algorithms. Additionally, they must begin assessments on how prepared the entire supply chain for their organization is/will be, which is equally important. It will be imperative for security assessments and vendor audits to begin taking PQC into account.
Denis Mandich, CTO and co-founder of Qrypt, highlights the risk of nation states using quantum attacks. "As the US prioritizes quantum development, the government will continue to push legislation forward that helps protect US data from China's exploitation, especially as the risk of China using quantum computers to monetize vast repositories of encrypted IP continues to heighten."
José Araujo, CTO at Orange Cyberdefense, says:
Whilst Quantum will be a key theme in 2024, businesses need to be aware of ‘Quantum threat’. This is the risk that quantum computers, if they become efficient, will impose on current cryptographic systems. Symmetric algorithms are less affected, but the public keys ones -- currently used everywhere -- will no longer be secure if such computers appear.
Many challenges must be addressed to develop such computers and we are still far from this 'Q-day' but it is never too late to be prepared for a 'Harvest-now, decrypt later' attack.
The scientific community is developing post-quantum cryptography algorithms. But, because they are recent, in Europe, we do not recommend to completely 'shift' to quantum resistant cryptography but combining it with existing methods to use the best of both worlds. This hybrid approach guarantees continued protection by recognized public key algorithms and will, most likely, be prepared for this future type of attack.
Carl Froggett, CIO of Deep Instinct, believes quantum computing will continue to collide with AI, causing destruction. "While there are still a lot of unknowns, the intersection of quantum computing and Artificial Intelligence (AI) will take the cybersecurity and tech industry by storm -- and blow traditional computing capabilities out of the water. Quantum computing is likely to become disruptive -- if not destructive -- the more it integrates with AI and gets into the hands of bad actors. Recently, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the National Institute of Standards and Technology published a quantum ‘fact sheet’ to help industries prepare now for the inevitable future -- which is coming sooner than we think."
Maurice Uenuma, VP and GM, Americas at Blancco, says concerns about AI will gain ground in regard to quantum computing and the future of cybersecurity. "Enterprises are becoming more aware of potentially significant future impacts of AI on previously well-established data security strategies. For instance, while only theoretical at this juncture, one of the big concerns about AI combined with quantum computing is that there is a possibility that most of what is encrypted at present could be decrypted in the future. As security strategists continue to think through these possibilities in 2024, more enterprises will begin to plan their post-quantum computing strategies along with new, emerging security capabilities to ensure they have security controls that work not just today, but tomorrow as well."
"While the timing of threats posed by scalable quantum computers is still speculative, the need to prepare for this threat is real," says Kazuhiro Gomi, president and CEO of NTT Research. "With NIST's expected release of more PQC standards in 2024, industries, governments, and others are expected to begin ramping up their migration planning efforts. This is based on the concern that malicious actors are currently collecting ongoing communication data and could compromise security once scalable quantum computers become available. In this regard, it's important to note that cryptography researchers are working on fortifying the security of advanced cryptographic methods, such as attribute-based encryption (ABE), for PQC readiness."
Dr. Adam Everspaugh, cryptography expert at Keeper Security expects to see the rise of ‘time-traveling attackers’:
Quantum computers that can break modern cryptography may become a reality within the next decade. Though the date is uncertain, the superiority of quantum computing capabilities poses a very real threat to nation-states, enterprises and individuals alike. The primary attack of concern is store-and-crack, where attackers may capture and store encrypted information and web traffic now, and then when quantum computers are available, break the encryption and read the secrets that are stored. If the secrets are still valuable in the future, attackers can use them to exploit sensitive systems.
Quantum computing algorithms are known to break public key cryptography including RSA and elliptic curve cryptography by efficiently solving the underlying hardness problems on which these cryptosystems rely. To address this risk today, the industry must begin reviewing research and guidance from NIST, in order to incorporate quantum-resistant cryptography to ensure long-term security.
This is echoed by Dirk Schrader, VP of security research, and Ilia Sotnikov, security strategist at Netwrix. "Quantum computing is advancing rapidly, so forward-thinking cybercriminals will be stealing encrypted data that they cannot unlock with today's technology but that they might soon be able to decrypt. The top targets will be organizations with large volumes of sensitive data, such as government and defense agencies, financial and legal firms, and large corporations with valuable intellectual property. To reduce risk, organizations should not treat encryption as a panacea but instead build a multi-layered strategy that includes data classification, risk assessment and mitigation, and incident detection and response. In addition, they should remember that data harvesting can go unnoticed when there is no immediate ransom demand or other visible consequences, and improve monitoring of activity around their sensitive data, including encrypted content."
Jaya Baloo, CSO at Rapid7, says the security the industry will risk falling behind if it neglects early quantum adoption. "Like the rise of AI, new and powerful technologies such as quantum computing present a large unknown that looms over the security industry. The ambiguity of not knowing whether quantum will prove to be a greater threat than an asset exposes the sobering reality that even the most technical audiences have difficulty understanding how it works. In order to adequately prepare for the quantum evolution, the security industry must avoid the faulty position of waiting to see how others prepare. Instead, they must be early adopters of defensive protocols against quantum."