Quantum computing technology has been in development for decades but is recently experiencing significant momentum. Quantum ETFs are being introduced, the US government is looking to invest, and breakthroughs from top industry players such as Google were recently announced. Quantum technology can be extraordinary for things like drug development, financial modeling and other, but it has a dark side; in the wrong hands, it can break the encryption mechanisms underpinning current security infrastructures. Boards and executives should start planning how to address this issue, commonly referred to as Post Quantum Cryptography (PQC).
Classical computers operate with bits which can be either 0 or 1, and the state of the bit is deterministic (known with certainty). Quantum computers operate with quantum bits, or qbits,which can be 0 or 1 at the same time (or a combination) and where states are superimposed with various levels of certainty until the state is measured, at which point they lose their quantum state. This makes quantum computers significantly faster (by many orders of magnitude) than classical computers at handling some tasks. Quantum computers are particularly suited for specific tasks that include optimization (for example, where to locate a wireless tower), simulations, machine learning and cryptography.
Quantum computers can factorize large numbers, used in encryption, in mere minutes or seconds. This means that public-key cryptographic algorithms, upon which much of the security of today’s internet rests, could be rendered ineffective, and digital signatures can be compromised. Crypto is particularly at risk because quantum breaks the cryptographic underpinnings that secure cryptocurrency transactions and wallets.
Q-Day, or quantum day, is the day when quantum computers can break cryptographic algorithms. While no one knows when Q-Day is, people estimate it could happen within 3 - 10 years. However, a few points bear keeping in mind:
• The technology does not have to be mature and widely available for Q-Day to happen as early hacking is likely to be done by major state actors
• We may not know that a breach has happened for some time
• "Harvest now, decrypt later" attacks may be already happening. This is when bad actors collect the data and wait for the decrypting technology to become available.What are the approaches
Post Quantum Cryptography (PQC) replaces or supplements existing cryptographic systems with algorithms difficult to solve even with quantum computers. It is a software solution, similar to technologies used today, but requires longer security keys that require more processing, which some systems may not support.
Quantum Key Distribution (QKD) where a secret cryptographic key is shared between two remote parties. If it is intercepted, parties will know. This approach is not vulnerable to quantum attacks but requires new communication mechanisms for exchanging the keys. These mechanisms are in development. Currently quantum keys can be distributed over fiber over a distance up to 100 miles (with ongoing work to extend that), or via satellite.
In August 2024, the National Institute of Standards and Technology published three new cryptographic standards that are considered resistant to quantum attacks and encouraged systems administrators to start using them right away.
There are ongoing debates as to what technology is better. QKD is considered safer, but much more expensive and complex to implement. Companies may explore hybrid models based on specific needs in specific areas.
The key to protecting the enterprise is to start now. According to Deloitte, "Given the embeddedness of cryptography throughout the enterprise, the transition will likely be costly and time-intensive, with the potential to pose substantial interoperability issues1”.
Many forward-looking companies are already acting. Here are some examples:
• JP Morgan is implementing quantum-safe digital signatures2. It is also partnering with Toshiba and Ciena to build the first Quantum Key Distribution network securing blockchain applications
• Apple recently introduced the PQ3 protocol, a significant advancement towards quantum-secure messaging for consumer protection
• Amazon and IBM are adopting quantum-safe cryptography while developing quantum computing hardware and software solutions
• Orange has rolled out a multi-pronged strategy to defend its network by also offer Quantum Security as a service to its business customers, and is experimenting with quantum computing and networking to solve problems.
The European Union has developed a PQC timeline for member states3. “As we enter the quantum era, post-quantum cryptography is essential to ensure a high level of cybersecurity, fortifying our systems against future threats. The post-quantum cryptography roadmap provides a clear direction to ensure the robust security of our digital infrastructure." Henna Virkkunen, Executive Vice-President for Technological Sovereignty, Security and Democracy.
Quantum safety falls squarely within the board's oversight role in minimizing cyber incidents, maintaining business continuity, and ensuring regulatory compliance.
Furthermore, the board has a responsibility to learn about this important technology, which could present significant opportunities for the firm in the future, perhaps even beyond the promise of AI, but also could make AI even more powerful. PQC also presents an opportunity to review cybersecurity measures the company is already taking, since hacking attacks are increasing in frequency and severity.
Each board will have its own approach to safeguarding the company against quantum-based hacking. However, it is important to recognize that this is a process that needs on-going stewardship, funding, talent, and strategic thinking. It should regularly be part of the agenda.
Here is a broad framework but each board should adapt it to suit their unique situation:
It is not enough for the company to safeguard its own environment but also ensure the safety of the ecosystem including supply chains, vendors, telecom and managed services providers and others, because security is as strong as the weakest link in the chain. Quantum threats don't respect preparedness.
While AI and quantum are the pressing issues of the day, technology has become fundamental to companies in all industries, and boards play a critical role in guiding companies through technological changes, according to Ernst & Young4. Companies today are expanding the responsibilities of existing committees to include technology (typically either audit or risk). While in some cases boards can retain outside expertise to educate the board on a new technology issue, it is important for the board to have organic technology expertise, and to designate some board members as responsible to keep their tech awareness up to speed and inform the board on how technology developments could affect the business. As Beth Stewart, CEO of Trewstar, a premier board services firm puts it, while 91% of chairs of audit committees of public firms are deemed to be "financial experts" under SEC/NASDAQ rules, more than half of audit committee members are NOT qualified as technology experts, at a time when technology has become fundamental to firms of all sizes and in most industries.
