Back in the late ’90s, some of us lived through the so-called Y2K panic, when people in the technology industry realized that many computers could malfunction after the date turned from Dec. 31, 1999, to Jan. 1, 2000. In the lead-up to the turn of the millennium, many companies rushed to fix their computers, which had been programmed on the basis of two-digit years, so they could handle four-digit years.
The security industry is now facing its own Y2K problem, as advances in quantum computing threaten to break traditional public key encryption methods in minutes, or even seconds. The difference is that with Y2K, the technology industry had a definitive deadline for remediation. With quantum computing, we don’t know when traditional public key encryption will become obsolete.
Not to be alarmist, but I suggest public key encryption may fall before most people expect. Quantum breakthroughs are happening regularly, with IBM rolling out the 433-qubit Osprey in November 2022, which was three times more powerful than its predecessor from a year earlier. We should assume quantum development is happening in other countries without huge public announcements.
Within another couple of quantum computing generations, these machines will be able to crack current encryption models in the time it takes to brew a cup of coffee, instead of the millions of years a standard computer would need.
For a few years now, security researchers, some spurred by the U.S. National Institute of Standards and Technology, have been working on new “quantum-resistant” encryption methods that would supposedly protect data better than current tools. Notice that most people who talk about this issue use the word “resistant” because we don’t really know how robust the new encryption methods will actually be when they’re up against powerful quantum computers.
Then, in National Security Memorandum 10, issued in May 2022, the Biden administration called on the government to adopt quantum-resistant encryption, and on agencies to move their high-value assets to the new encryption systems, by 2035.
With the U.S. government aiming for 2035, other organizations may see that as a target date to adopt quantum-resistant encryption, but I believe the time to act is much sooner. If the U.S. government is signaling a 2035 deadline, my expectation is that defense and intelligence agencies will need a significant period of time to test quantum computing against their own use cases.
So my prediction is that the real deadline is closer to 2025 than 2035. And we’re not considering the advances that foreign governments are likely making in quantum computing. Defense and intelligence agencies from other countries are all vying for this quantum advantage as well.
I’m not the only one who believes the end of traditional encryption may be coming sooner rather than later. In recent months, I’ve observed leading organizations in critical infrastructure and related industries starting to hire cryptography experts, signaling a real and urgent concern about quantum computing.
Public key encryption has been the foundation of integrity for both digital data and internet communications for decades, even before the commercial internet became a thing, and it’s likely to become unreliable very soon. Much like generative AI, quantum computing represents another technological advancement with huge promise and also significant potential to dismantle systems and institutions we trust and take for granted. The next generation of encryption needs to be something very different.
All of us in the security industry should prepare for quantum computing. As security leaders, we need to consider the scope of the problem for our organizations and ask ourselves some questions: do we have the means to identify our organizations’ most critical assets, do we have a plan in place to do so, and if not, when will we have a plan?
Rolling out quantum-resistant computing needs to be on every security leader’s agenda. It’s a topic that’s been easy to kick down the road, but 2025 is only about 18 months away. We need to start preparing our organizations to defend themselves against those who are pushing the boundaries of quantum computing.