James Preston, Principal Security Consultant at ANSecurity, warns that as the timeline to “Q-day” accelerates, organisations must begin transitioning to Quantum-resilient security.
It’s been hard to miss the repeated announcements about the Quantum revolution.
Alongside fusion power and carbon nanotubes, the possibility of scaled Quantum computing has the potential to be one of the main pillars of a new age of scientific innovation.
Still, Quantum computing is a double-edged sword and whatever amazing capabilities it provides the world of computing, it can furnish threat actors with incredible capabilities too.
Specifically, by leveraging Shor’s algorithm it provides the ability to break the encryption on which the modern world relies within meaningful timeframes.
This makes the Quantum horizon, and its impending arrival, a dangerously ambivalent development.
Classical computers use bits to store information as either 0s or 1s.
That might sound simple, but it’s the basis for much of the computing that powers the modern world.
Quantum computers on the other hand use qubits to store data as 1s, 0s or both 0 and 1 simultaneously.
This capability will allow them to solve mathematical problems far faster than the previous generation of computing.
Once scaled this will have revolutionary effects in a number of fields – from climate change to cancer research.
One of the other fields it will revolutionise – for better or worse – is cryptography.
It would currently take a classical computer millions of years to break a 2048-bit RSA key, making such a task cost- and time-prohibitive.
A Quantum computer on the other hand would do that in a fraction of the time with estimates ranging from weeks to just seconds.
This might seem like a technical nuance, but its significance can’t be overstated.
RSA and Elliptic Curve cryptography are the technologies that encrypt and ultimately uphold most of the current world’s digital infrastructure.
Through application in technologies like VPNs and TLS it keeps communications confidential, data private and secrets secret.
The arrival of Quantum heralds the end of that iron-clad assurance that holds the digital world together.
Serious cryptographic upheaval could soon follow.
But when will this happen? The question of when Quantum will arrive is an ambiguous one and continues to produce multiple predictions.
Indeed, the date for “Q-day” – the day when a Quantum computer becomes practically realisable – appears to constantly change.
Just five years ago, Q-day was expected to arrive around 2050, but that expected date has quickly been revised down with every further breakthrough in the field.
Now, a broad swathe of technologists and institutions believe that Q-day will arrive roughly around 2035, the deadline both the US and Canadian governments have set to make their infrastructures fully Quantum-safe.
As one might hope, Q-day is now being actively prepared for.
The US National Institute of Standards and Technology (NIST) has been developing Post-Quantum Cryptographic (PQC) algorithms to help prepare for the arrival of Q-day.
Unlike the current standard of RSA-2048 or ECC-256 keys, PQC algorithms will be able to resist Quantum-based decryption attempts.
It’s now up to organisations to adopt those PQC algorithms and migrate their systems.
In some cases that will be easier said than done.
It’s at this juncture – just as they’re about to prepare for Quantum – that many organisations will find that they don’t even know the current state of their cryptographic assets.
Many organisations are used to relying on their existing cryptosystems which – to be fair – have largely kept them safe and secure for a long time.
Still, organisations now face a real problem: They don’t know what they have, what uses encryption, what type of encryption or where any of it resides.
In order to adopt PQC algorithms, they’ll need to have a full understanding of their own environment and in today’s increasingly complex digital world – many simply can’t do that.
The first step to prepare for Quantum will be that organisations understand their own cryptographic environment, what they use and ultimately what needs to be replaced.
They’ll need to discover and create a map of applications, services, certificates, keys, digital signatures and the cryptographic libraries used within internal software.
They’ll also have to determine how long they need to protect data for.
As a matter of necessity for compliance and other business considerations, there is a lot of data that needs to be kept secret for over a decade.
This could include deeply private personal data such as health records or top-secret proprietary information like long-term financial data.
By the same token, other data of lesser importance or with a shorter shelf life, can be deprioritised.
From that point, PQC migration can begin, prioritising those assets and technologies which need to be replaced quickly and remain protected for years to come.
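The discovery-and-prioritisation steps above can be turned into a simple triage routine. The following is an added example, not code from the article or from ANSecurity: it classifies each inventoried asset by whether its algorithm falls to Shor’s algorithm, then ranks the vulnerable ones by how far their data-protection lifetime plus migration effort overshoots the time left before Q-day (using the article’s 2035 estimate and an assumed reference year of 2025). The inventory records, asset names and year figures are constructed for illustration.

```python
"""Cryptographic inventory triage: classify assets and rank them for PQC migration."""
from dataclasses import dataclass
from typing import List

Q_DAY_YEAR = 2035      # the estimate cited in the article
REFERENCE_YEAR = 2025  # assumed "today" for this example

# Public-key schemes whose security rests on factoring or discrete logarithms (Shor's algorithm).
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# NIST PQC standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205).
PQC_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers and hashes are not broken by Shor; 256-bit keys are the usual recommendation.
SYMMETRIC = {"AES", "CHACHA20", "HMAC-SHA256", "SHA-256", "SHA-384"}


@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    protect_years: int   # how long data guarded by this asset must stay confidential
    migrate_years: int   # estimated time to replace it with a PQC alternative


def classify(asset: Asset) -> str:
    alg = asset.algorithm.upper()
    if alg in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    if alg in PQC_SAFE:
        return "quantum-safe"
    if alg in SYMMETRIC:
        return "quantum-safe" if asset.key_bits >= 256 else "review"
    return "unknown"


def years_until_q_day(now: int = REFERENCE_YEAR) -> int:
    return Q_DAY_YEAR - now


def at_risk(asset: Asset, now: int = REFERENCE_YEAR) -> bool:
    """True when the data's shelf life plus the migration time runs past Q-day:
    such data can be harvested now and decrypted once a Quantum computer exists."""
    if classify(asset) != "quantum-vulnerable":
        return False
    return asset.protect_years + asset.migrate_years > years_until_q_day(now)


def prioritise(assets: List[Asset], now: int = REFERENCE_YEAR) -> List[str]:
    """Names of assets that still need attention, most urgent first
    (ranked by how far they overshoot the time left before Q-day)."""
    scored = []
    for a in assets:
        if classify(a) in ("quantum-vulnerable", "review", "unknown"):
            overshoot = a.protect_years + a.migrate_years - years_until_q_day(now)
            scored.append((overshoot, a.name))
    scored.sort(key=lambda t: t[0], reverse=True)
    return [name for _, name in scored]


# Constructed sample inventory (hypothetical assets, not from any real estate).
SAMPLE_INVENTORY = [
    Asset("vpn-gateway-ike", "ECDH", 256, protect_years=1, migrate_years=2),
    Asset("health-records-archive", "RSA", 2048, protect_years=25, migrate_years=3),
    Asset("finance-ledger-signing", "ECDSA", 384, protect_years=15, migrate_years=4),
    Asset("backup-encryption", "AES", 256, protect_years=25, migrate_years=1),
    Asset("pilot-kem-service", "ML-KEM", 768, protect_years=10, migrate_years=0),
]


def report(inventory: List[Asset] = SAMPLE_INVENTORY) -> List[str]:
    """Migration order for the given inventory."""
    return prioritise(inventory)


if __name__ == "__main__":
    for a in SAMPLE_INVENTORY:
        print(f"{a.name:25} {classify(a):20} at_risk={at_risk(a)}")
    print("migration order:", report())
```

The VPN gateway is Quantum-vulnerable but its sessions protect short-lived traffic, so it ranks last; the health-records archive, whose data must stay secret for decades, comes first even though the algorithm is the same class. In practice the inventory would be populated from certificate stores, key management systems and a scan of the cryptographic libraries linked into internal software rather than typed in by hand.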
Ultimately, the stage that businesses will need to reach is crypto agility – the ability to switch between different cryptosystems as and when the particular threat or condition demands it.
This will need to be done without a wholesale rewrite of the underlying infrastructure in which that cryptosystem operates.
PQC is still a nascent discipline, and the authors of these algorithms expect problems to emerge and supposedly Quantum-proof cryptosystems to be proved fallible. Crypto agility will therefore be important for swapping out deprecated cryptosystems for secure ones as and when threats change.
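What crypto agility looks like in code is an envelope that carries its own algorithm identifier, a registry of available algorithms, and a policy that names the current default and any deprecated entries, so that switching algorithms is a policy change rather than a rewrite of every caller. The following is an added example, not the article’s or ANSecurity’s code. It uses HMAC integrity tags from the Python standard library as a stand-in for the signature or key-encapsulation schemes an organisation would actually be migrating; the envelope format, policy structure and demo key are constructed for illustration.

```python
"""Crypto-agile envelope: the algorithm identifier travels with the data, and callers
never name an algorithm themselves."""
import hashlib
import hmac
from typing import Callable, Dict, Tuple

# Registry of integrity algorithms. Adding a new scheme (e.g. a PQC signature via a
# suitable library) means one new entry here; application code is untouched.
REGISTRY: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "HMAC-SHA256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "HMAC-SHA3-256": lambda key, data: hmac.new(key, data, hashlib.sha3_256).digest(),
}

# Policy is data, not code: which algorithm new envelopes use and which are no longer trusted.
DEFAULT_POLICY = {"default": "HMAC-SHA256", "deprecated": frozenset()}
# Constructed "after the switch" policy used in the demo below.
ROTATED_POLICY = {"default": "HMAC-SHA3-256", "deprecated": frozenset({"HMAC-SHA256"})}


def protect(key: bytes, data: bytes, policy=DEFAULT_POLICY) -> bytes:
    """Wrap data with an integrity tag under the policy's current default algorithm."""
    alg = policy["default"]
    tag = REGISTRY[alg](key, data)
    return b"|".join([b"env1", alg.encode(), tag.hex().encode(), data])


def open_envelope(key: bytes, env: bytes) -> Tuple[str, bytes]:
    """Parse an envelope, check its tag, and return (algorithm, data).
    Raises ValueError on malformed input, unknown algorithm or a bad tag."""
    parts = env.split(b"|", 3)
    if len(parts) != 4 or parts[0] != b"env1":
        raise ValueError("malformed or unknown envelope version")
    alg = parts[1].decode()
    if alg not in REGISTRY:
        raise ValueError(f"unsupported algorithm {alg}")
    data = parts[3]
    expected = REGISTRY[alg](key, data)
    if not hmac.compare_digest(expected, bytes.fromhex(parts[2].decode())):
        raise ValueError("integrity check failed")
    return alg, data


def verify(key: bytes, env: bytes, policy=DEFAULT_POLICY) -> bytes:
    """Return the data if the tag is valid and the algorithm is still trusted by policy."""
    alg, data = open_envelope(key, env)
    if alg in policy["deprecated"]:
        raise ValueError(f"{alg} is deprecated; re-protect this object")
    return data


def needs_rotation(key: bytes, env: bytes, policy=DEFAULT_POLICY) -> bool:
    """True when a stored envelope was produced under something other than the current default."""
    alg, _ = open_envelope(key, env)
    return alg != policy["default"]


def rotate(key: bytes, env: bytes, policy=DEFAULT_POLICY) -> bytes:
    """Re-protect an envelope under the current default; run as a sweep after a policy change.
    The old tag is still checked, so a tampered object cannot be laundered through rotation."""
    _, data = open_envelope(key, env)
    return protect(key, data, policy)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; a real key comes from a KMS/HSM
    old = protect(key, b"customer record 42")
    print("before switch:", old[:30], "...")
    # The algorithm switch is a policy change; protect/verify/rotate are unchanged.
    if needs_rotation(key, old, ROTATED_POLICY):
        new = rotate(key, old, ROTATED_POLICY)
        print("after switch: ", new[:32], "...")
    print("verify under new policy:", verify(key, new, ROTATED_POLICY))
```

Two points are worth noting. First, the deprecated set lets verification keep accepting well-formed tags long enough to run the rotation sweep, while refusing to treat the old scheme as trustworthy for new protection. Second, `rotate` re-checks the old tag before re-protecting, which is the step that keeps a migration from silently blessing data that was already corrupted under the retired algorithm.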
The current generation of encryption continues to keep us mostly safe.
That said, threat actors are already making plans. In the last few years, we’ve seen the rise of Harvest Now, Decrypt Later attacks.
Cyber-criminals are now stealing large tranches of encrypted data, cognizant of the fact that they can’t decrypt it yet.
On Q-day – whenever it arrives – they’ll have a mountain of private data that they’ll be able to decrypt and exploit or blackmail their victims with.
As new breakthroughs in this area occur, Q-day gets closer and closer.
The day when Quantum computing finally threatens current encryption may arrive in a decade or sooner.
Yet it will likely take years for many to successfully migrate their cryptosystems to Quantum-safe ones.
The scale of the work required can’t be overstated, any more than the scale of the potential threat.
Organisations need to start preparing for Quantum now so that they can be ready on Q-day and that preparation begins with understanding exactly what software and systems they rely on today.
By maintaining accurate software inventories, tracking end‑of‑support dates, and identifying where vulnerable or legacy cryptography is embedded, ANSecurity helps organisations build the visibility and lifecycle discipline needed to plan a safe, phased transition to Quantum‑resilient security.