Why Your Company Needs To Assess Its Quantum Computing Vulnerabilities Now

Remember three years ago when people were talking about AI and how we believed AI was 10 to 20 years out? But the technology accelerated, and AI was immediately in our faces a year ago and keeps accelerating. The same situation is happening with quantum computing. Everyone said it would be decades before computers could break the strong 128-bit encryption algorithm that many banks and ecommerce transactions use today to secure data. Most companies did not perceive quantum computing as an immediate threat. But quantum computing has made steady progress, and companies now need to know how to deal with quantum encryption and defend their data against its threats.

For the companies and industries using it, quantum computing could be very powerful and put to a lot of good uses in solving problems other computers cannot solve. But it is currently still largely a providence of large tech firms such as Google and IBM. It is also the providence of some sovereign nations that are bad actors that fund and equip their proxies and Black Hats to create threats. And quantum computing has now crossed the point where it can decrypt strong encryption algorithms.

This completely forces us to rethink encryption. To protect their data against these threats, it is reasonable that companies must move immediately to address the 128-encryption challenge.

Are There Standards Yet?

Some engineers believe that in the next 20 years large quantum computers will be able to decrypt all current public key encryption. That seems way out in the future, but it could well accelerate, given the way the technology is advancing.

Industry standards for how to deal with quantum encryption and how to defend against threats recently emerged. In 2023, the National Institute of Standards and Technology (NIST) began standardizing four algorithms that companies can integrate into their encryption infrastructure (some available in 2024).

The problem with all encryptions is that a chain is only as strong as its weakest link. Consider this: Is your company able to conduct an audit of all of your technology stacks and your vendors’ technology stacks and your vendors’ vendors’ technology stacks to ensure that there is not a gap? Assess how vulnerable your company is and then adopt remediation.

It is not too early to start moving toward remediation. Think back to Y2K and the issues associated with legacy technologies. All new designs as well as existing tech stacks need to be quantum proofed moving forward.

Clearly this opens issues of how to track, govern, and orchestrate this remediation effort. There are both immediate and fast-coming future threats with quantum computing. Most companies have vulnerability in their own stacks and in their vendors’ stacks.

The threat is currently against the 128-encryption. It is unclear how quickly other encryptions will be challenged. Companies need to move to quantum proofing against future issues. Those threats could well be upon us much quicker than we anticipate.

How To Assess Current Vulnerabilities

So, how might a company accomplish this assessment? Certainly, companies need to investigate their entire tech stack. It is not a big stretch to believe that our ability to read code through generative AI may well be a cost-effective and robust way to scan tech stacks.

But it will not be sufficient to just scan a company’s own tech stacks for the level of the level of encryption. They also need to investigate or have their vendors investigate their tech stacks and their vendors’ tech stacks. Companies also need to consider vulnerability coming from their third-party service providers that are outsourcing and SaaS partners.

The first step is to settle on how the company will audit and examine its own tech stack this quarter and what tools it will use.

The second step is to insist that their vendors use either that approach or an equally robust approach to do it for themselves and their vendors.

The third step is to create a transparent governance vehicle to report back to the company and its vendors. Finally, be sure to keep the vehicle up to date as new tech is added in.

Companies then need to develop a robust approach to remediate the situation and move them to the quantum-secure encryption standards that have been developed. They are sufficiently mature that companies can start acting against them.

There should be a robust market for tools to remediate this as well as run in the new quantum-secure environment.

Funding

Companies need capital to investigate this issue and identify errors of instability both now and in the future. They need to invest to address those invulnerabilities and then continue to manage and monitor as they move forward.