Since the time of Covid, no one goes to technical conferences anymore. Since the effort of marketing hasn’t stopped, we’ve all adapted to our new normal. As such, I’ve been participating in a number of security executive “round table” sessions over a variety of video web systems. In these typically 30-minute sessions, certain security topics are discussed amongst a group of between five and ten security professionals. Lately, the discussions have centered around crypto key management and key protection. Invariably, however, the topic will typically move to Quantum computing and how this up-and-coming technology will affect data security. The misinformation and the scaremongering around Quantum computing is really confusing security professionals.
Asking a question about Quantum computing today would be like asking if the industrial revolution would affect space travel. They are remotely related but their impacts were perceived at very different times in history. There is no doubt that Quantum computing will make an impact on computer computational power but to all of the futurists who say it’s around the corner, I’d like to see someone define how far away that corner is, how much faster and how expensive it will be. Some say Quantum computers are already here. Some say we’ll have them in 6 years, others say 30 years. The truth is probably somewhere in the vast middle of these guesses. And for those reading this and have heard that people have already created a Quantum computer, they really haven’t. Although the current systems are “Quantum” they are far from ideal. The nuance to this statement is that reliable and accurate quantum computers do not exist. We have approximations and simulations but these perform imperfect calculations for a very limited time. Scientists are working on ways to solve problems using these imperfect systems but these are in no way comparable to what a fully reliable working Quantum computer would be able to do.
The other thing that most people don’t realize is that a Quantum computer is not simply just a much faster traditional computer rather it’s a whole new computing platform which will require a whole new way of thinking. New cooling, new containment, new programing language, new everything. Taking the leap from an abacus to an Intel chip would be an acceptable analogy by comparison. Additionally, you probably won’t see a Quantum computer powering a corporate database or a file retrieval system. Quantum computers will probably be relegated computational intensive questions like what’s the best way to use the gravitational force of the planets to propel a space ship toward Mars.
To put this into perspective, if you ever saw the original 1975 Rollerball movie with James Caan, there’s a “computer” named Zero that is depicted as a cylinder of water with little bubbles rising up through it. It’s not too far-fetched that a Quantum computer might resemble Zero more than it would something like a Cray from the ‘80s and ‘90s or even HAL from Stanley Kybrick’s 2001: A Space Odyssey movie. In short, we’re anticipating something quite revolutionary.
For the discussion that’s come up in my round table sessions, the concern seems to be that Quantum computing will break current encryption algorithms. If you’ve ever attended one of my encryption webinars, you’ll remember that there are 1.15×1077 combinations for an AES 256 bit key. This is a number that is very hard to comprehend. The only single thing that is this large would be all the total number of atoms in the universe. This number is about 1×1078 or only one order of magnitude larger than the AES 256 bit key combinations. No matter how you look at this, that’s big.
Today’s computer cannot even come close to cracking an AES 256 bit key through a brute force attack in any reasonable lifetime and while it might be theoretically possible for a Quantum computer to crack a crypto key, it’s still going to take a long time and it’s going to be really expensive. What people don’t take into consideration is that no matter how fast computers get, hackers intent on decrypting data or thwarting crypto protection don’t today and won’t in the future spend their time trying to crack crypto because most companies aren’t protecting their keys in the first place. Because they’re not protecting their keys, the hackers are searching for and finding the keys that are (in many cases) hidden in software. Much like a burglar who tries to break into a house, he’ll always look for the key under the mat or the flowerpot or above the door. The greatest lock in the world won’t deny a hacker entry if they have the key. This was true for the last 1,000 years and will be true for the next 1,000 years as well.
Even with the advent of Quantum computers, a hackers’ first impulse won’t be to crack the key but rather it will be to steal the key. In other words, security professionals have the power today to stop most crypto theft by protecting their crypto keys. This same protection will extend into the Quantum era because Quantum computers will be expensive and not available to even your higher end hackers.
The question should not be “Will Quantum computing really effect a company’s security posture?” The question should be “What can I do today and tomorrow to make current and future crypto stronger?” The whole Quantum computing scaremongering is a red herring. But like all shiny objects, it’s hard not to look at the “Quantum problem.” Companies need to concentrate on solving the simple attack before even thinking about the exotic one. The simple solution has always been and always will be to protect your keys in a Hardware Security Module. If you protect your keys in hardware, you’ll force the hacker to go to the next company. Don’t be that next company.