Can quantum computing create better cyber security cultures?

The persistence of cyber threats is only getting worse. Organisations all around the world are becoming increasingly vulnerable, leveraging data and business operations that are at risk from threat actors eager to steal sensitive information for their own malicious ends.

The problem is that traditional security solutions are not keeping up with these threats, and it seems like we’re constantly seeing security postures from large corporations (Optus, Medibank, etc.) being immobilised by sophisticated data breaches. And with advancements in the quantum computing sector, conversations pertaining to cyber security solutions have called for more specialised safety solutions. 

As business leaders, we ought to invest in the highest calibre of security tools to ensure our companies can stand tall through the onslaught of security risks. Quantum computing will bring its own security challenges, but thankfully, our foresight will help us prepare our organisations early and lay the groundwork for a more dynamic security ecosystem.

What is quantum computing (in simple terms)?

Quantum computing (QC) combines the fields of physics, computer science, and mathematics into a discipline that leverages quantum mechanics to solve difficult problems more quickly than common computers (known as classical computers). Quantum computers can be used to strengthen technical solutions, such as simulations and machine learning.

QC can be a double-edged sword

While quantum systems may not be the most accessible/common solution now, this does not mean that the commercial space is completely devoid of their presence. McKinsey states that several corporations – Amazon, Alibaba, etc. – “have already launched commercial quantum-computing cloud services”. At the same time, according to their 2020 prediction, they believe “that by 2030 … 2,000 to 5,000 quantum computers will be operational.”

All this to say, QC can be used by companies for several cases. They can include:

·      Improving supply chain distribution.

·      Developing more relevant strategies for trading.

·      Risk assessments for products.

·      Optimising networks.

·      And more.

QC’s potential to revolutionise the business landscape is vast. However, this makes it a threat to our cyber security, both at a corporate level and for national security. Companies have always been, and will continue to be, vaults of sensitive data that cyber security threats view with dollar signs in their eyes. As cyber threats evolve and become more common, they are sure to look into new ways of bypassing our security solutions and gaining access to our systems.

Asymmetric encryption: a relic of the past

The main concern that cyber security professionals have regarding QC is its potential to overcome cryptographic security measures. In other words, QC could transform our data encryption tools into straw houses that do nothing to keep out the various types of threat actors on the scene. QC’s ability to solve codes would be rooted within Shor’s algorithm – a quantum algorithm that can crack public-key cryptographic solutions that are commonly used to secure internet-based correspondences such as emails.

When threat actors have the ability to seamlessly decrypt asymmetric encryption systems, organisations will have a greater risk of:

·      Falling victim to data theft.

·      Increased chance of cyber-attacks.

·      Being unable to authenticate documents.

·      Reputational damage, including a direct hit against customer trust.

·      Financial ramifications.

In 2022, successful data breaches cost companies across the globe an average of $4.35 million, a significant amount of money that a business owner could better spend on improving their operations. While breaches can occur from several sources (for example, phishing emails), we can normally help to reduce the chances of them occurring by deploying cyber security solutions. 

But in this case, where QC has the potential to make our security tools nothing more than cracks in the road, business leaders will have to start preparing for quantum computing and its cyber threats now in order to have the greatest chance of protecting themselves from malicious entities once QC becomes more prevalent in business circles.

QC’s capabilities as a security threat should inspire a new wave of security cultures   

With the business world's heavy use of Internet of Things (IoT) devices to operations that become increasingly sophisticated as the days go by, company leaders have always possessed a keen interest in cyber security. However, with the advent of quantum computing, cyber threats will become much more difficult to counteract.

Consequently, organisations ought to shift some of their attention to their internal environments. Businesses need a healthy cyber security culture in order to protect their data and their customers. In other words, if companies want to give themselves the best chance of avoiding or reducing the impact of cyber threats, they need to instate a set of behaviours and practices that are derived from the latest security trends.

A dynamic digital security culture starts with understanding the risks and threats to your business. In QC's case, we need to know the technology's current status, quantum-based cyber security trends, and how threat actors come into the mix. While some may argue that the issues posed by QC are still somewhat far from today, business leaders need to make sure that everyone within their organisation is aware of the threat, effectively addressing the situation pre-emptively.

In their security report (covering July 2021 to June 2022), the Australian Cyber Security Centre stated that they witnessed "[a] cybercrime report every 7 minutes on average". While QC may have done little to nothing to contribute to that statistic, cybercrime is still a crime, whether the illegal activity is future decryption and theft or holding files for ransom.

When QC becomes fully ingrained in workplace culture, it is not unrealistic to assume that the aforementioned number may increase. But by bringing attention to the issue now, business leaders will be able to develop hardy cyber security cultures that are ready to meet QC-powered cybercrime head on.

What can businesses do to innovate their cyber security cultures?

The future is fast approaching, and the last thing organisations should be doing is waiting to see how QC changes the cyber threat landscape before enacting changes. As of now, the Australian Signals Directorate (ASD) does not have a preference for algorithms suited for post-quantum cryptography (PQC). 

Instead, they have their sights set on the National Institute of Standards and Technology (NIST) in the United States, letting the agency manage and determine what algorithms can protect information from quantum-powered cyber threats. So far, the NIST has chosen four algorithms to make it into the eventual standard, with more coming at some point in the future.

Until then, the NIST, in collaboration with the United States Department of Homeland Security (DHS), has unveiled a roadmap that business leaders can use to rework their cyber security solutions and companies for the inevitable arrival of QC.

At a very basic level, the roadmap requires businesses to:

·      Reach out to organisations involved with developing standardised PQC algorithms and changes. In Australia, this could translate into staying updated with Standards Australia, which called for the country's involvement in shaping international QC security standards.

·      Determine what company data requires security measures. This can highlight the information that is most at risk (presently) and whether or not it can be decrypted via QC.

·      Determine what company technologies use cryptography and highlight the solutions that specifically use public-key cryptography.

·      Ascertain organisational cyber security policies that will need to be changed for a post-quantum business world.

·      Carefully vet which system is a priority for the company.

·      Develop a post-quantum strategy that will allow IT systems to be upgraded in a way that does not compromise data security.

It should be pointed out that the NIST's roadmap is not the only method of innovating a cyber security culture. It is an aspect of a company's efforts, whereby the information gathered and the objectives met can help influence the organisation's culture as a whole. Business leaders will still need to implement common cyber security solutions – endpoint management platforms, security awareness training, zero-trust access policies, etc. – to secure their IT infrastructures and enthuse their employees on the benefits of cyber safety.  

In the cyber security landscape, resilience results in organisations being able to withstand a wide range of attacks, regardless of their origin. We'll have to wait and see what else quantum computing truly holds for company security in the future. But as of now, there is nothing stopping us from preparing for that reality. And the sooner we start our preparations, the better.

Quantum computing will challenge our cyber security solutions, but the information we have now also makes it an asset

Every day, researchers are discovering new ways for QC to empower threat actors. Knowing that it has the means to overcome cryptographic measures is a major concern. But at the same time, it's also forcing the tech industry (and businesses) to take action now to ready themselves for a future where sophisticated cybercrimes can be mitigated with equally impressive security solutions.

In the meantime, the best we can do is keep our ears to the ground, stay up-to-date on the latest QC developments, and make sure that our business' security cultures are resilient enough to handle them.

Is this a fair assumption?