By Kathy Gibson – Quantum computing is going to have a massive impact on how we use technology – and on the economy as a whole – but the power it unleashes is also going to make it much, much harder to secure our systems.
Riaz Osman, managing partner at IBM Consulting Africa, says quantum computing could add trillions to the global economy by 2035.
“We have to appreciate the level of computing power that quantum computing brings to the world is something we have never seen before,” he says.
“But, as the use of quantum becomes mainstream and contributes to economic growth, bad actors are expected to use it too – so we have to work at becoming quantum safe in the current quantum era.”
To put quantum computing into context, the technology is already solving complex problems that traditional computing could take millennia to solve. These include discovery, drug research, and research on outer space and beyond.
And the world is just getting started on using quantum computing: IBM’s Institute of Business Value found that organisations invested just 7% of their R&D budget in quantum computing in 2023, but this will increase by another 25% by 2025.
“Quantum computing could create $450-billion to $850-billion in net income through cost savings and revenue generation,” Osman says.
However, there are some significant barriers in the way of achieving this – inadequate skills being the top challenge. This is followed by immature quantum technology, expensive hardware, and difficulties with integration.
In addition, there is a long timeline for applications, poor access to hardware, a lack of recognised business value, and no real support from the business as yet.
But, while organisations may ignore the benefits quantum computing could hold for them, they cannot afford to be complacent about the threat that it poses in the hands of bad actors.
Having access to quantum computing will make it possible for cybercriminals to crack, in mere seconds, cryptography keys that are supposed to be unbreakable. The simple truth, says Osman, is that today’s best security simply cannot stand up to a quantum-powered attack.
“Public keys are almost impossible to breach with today’s modern cryptography,” he explains. “But quantum computing will change this, allowing a bad actor to unlock a 248-bit vault and access your data very easily.”
With the best estimate being that quantum computing attacks could come as soon as 2030, organisations are fast running out of time to ensure their systems are quantum safe.
“Our estimates are that it could take organisations 12 years to be quantum safe and ready to face the coming challenges,” Osman says.
Globally, organisations are already feeling the pressure – and the price – of cyberattacks; and they are sure to get a lot worse once the cybercrooks and nation-state actors have quantum computing in their arsenal.
Today, the average cost of a data breach in South Africa is R153-million – and this is expected to grow. “Those are the attacks we know about,” Osman adds. “There are breaches we don’t know about, and that the compromised organisation doesn’t know about.”
It’s entirely possible that bad actors are quietly harvesting data today and will exploit it once they have access to quantum computing to unlock its cryptographic protection, he points out.
“These attacks could be more destructive with extended after-effects.”
IBM believes that just 33% of South African organisations have updated their security to reflect quantum safe practices. For those that haven’t yet started, it’s not certain if they would be able to position their systems to be quantum safe before the first quantum attacks are unleashed.
Antti Ropponen, executive partner: global cybersecurity services at IBM, explains what quantum safe is and why it’s important.
“Quantum safe refers to the technologies, systems, and platforms that are resilient to the risks from quantum computing being used for militaristic purposes,” he says.
There are three technologies that contribute to the quantum safe picture, he adds.
Post quantum cryptography can run on today’s systems. “You don’t need a quantum computer to be safe,” Ropponen says. “Post quantum cryptography is a new type of algorithm and model to make you resistant to quantum-powered attacks.”
The other two legs, which need a quantum computer themselves, are quantum key distribution and random number generators.
Post quantum cryptography can be implemented today, thanks to the recent publication of the first three NIST standards for post quantum algorithms – two submitted by IBM and the other by a scientist now working for IBM.
Dr Stephen Berjak, IBM cybersecurity services leader: southern Africa and Africa growth markets, says South African organisations are looking to a quantum safe future, with major clients aware of its benefits and keen to take their businesses there.
“Crypto agility is the goal for many customers, and we are engaging with them on how to get there,” he says.
“The publication of the NIST standards was the starting gun and we can now move to execution,” he adds. “I believe we are at the perfect inflexion point now.”
Ropponen says that becoming quantum safe is not a quick journey and advises companies to follow global best practices.
“The first thing is to understand what you have in the organisation, to provide visibility, especially of crypto assets,” he says. “Cryptography is not always in the spotlight, but it is a critical time to open that can of worms to understand where your cryptography is and how it is connected.”
The time to start is now, Ropponen adds. “The standards are out there, so there are no more barriers to begin the journey. And it is a very large transformation that’s required, so you need to start testing different solutions now.”
Another crucial step is to immediately stop buying or developing any solutions that are not quantum safe. “So improve procurement and development standards to ensure that any new systems are quantum safe by design.
“Don’t build any more new legacy.”
Berjak says the same holds true for South African companies. “The starting gun went off in August and we need to start the race.”
There are some additional key challenges that local companies face, often relating to the cost of making the quantum safe transition.
“Companies really need to identify their crypto assets and create an inventory so they know where their crown jewels are and then spend judiciously.”
The conversation about quantum safe also needs to come out of the IT department and into the C-suite, Berjak adds. “This has to be elevated out of the back room to land at board level.”
The message needs to permeate the whole organisation, he says. “The threat will touch all platforms, infrastructure, and applications. Regardless of where things are run, it will be critical to be quantum safe.
“So we need to elevate the conversation in terms of ownership.”
The most important challenge, however, is time. Berjak urges organisations to start moving to quantum safe now.
“Yes, it is urgent,” agrees Ropponen. “The biggest risk lies in doing nothing. The bad actors could be stealing your data right now and storing it to decrypt when they are ready. You need to protect today’s risks that could materialise into attacks later on.”
Regulatory pressure will eventually push all organisations towards being quantum safe, but companies that wait for that could find it is too late. “You don’t want to be starting with your 12-year transformation once quantum attacks have already started.”
Organisations across the board are starting to move on being quantum safe, Berjak points out. “I believe that in the next six to 12 months we will see significant traction in the market.”