That is according to security industry professionals who believe that even though quantum-level computers capable of slicing their way through complex encryption algorithms are at least 10 to 20 years away, the time to prepare is now. This is not because implementing the technology will be time consuming, but to ensure that the data currently being compiled by organizations – and even individuals – now will require protection against new threats down the road.
“The level of preparation for what some are calling the ‘cryptoapocalypse' varies from hysteria to head in the sand,” says Jonathan Sander, vice president of product strategy for Lieberman Software. “Many are simply hoping the vendors will sort it all out and build in what's needed.”
There are some steps that need to be taken now to prepare for the eventuality of quantum computing and the impact it will have on encryption. Steve Grobman, CTO of the Intel Security Group at Intel, points out that there are data sets being created in 2015 that will need to be able to withstand the quantum-level decryption that will be available in a few decades.
“Do you care if your credit card number is secure in 20 years from now?,” Grobman says. “Probably not. Compare that to your medical history. Then, having your records breached could affect you.”
Even when quantum computing becomes available the impact it will have on encryption will not be immediate as there are a few mitigating circumstances that will hold it back – and so limit its impact.
“The industry is constantly on the lookout for new technologies, and quantum computing is no exception,” says Igor Baikalov, chief scientist at Securonix. “I don't expect it to be a major game changer though; more of a gradual improvement. Although quantum technology is drastically different, the cost of it will guarantee gradual progression. There will be no overnight adoption.”
OUR EXPERTS: Encryption
Igor Baikalov, chief scientist, Securonix
Craig Gentry, research scientist at the IBM T.J. Watson Research Center
Steve Grobman, CTO, Intel Security Group at Intel
Luther Martin, chief security architect, HP Security Voltage
Dwayne Melançon, CTO and VP, research and development, Tripwire
Jonathan Sander, VP of product strategy, Lieberman Software
Rod Schultz, VP of product, Rubicon Labs
Rod Schultz, vice president of product at Rubicon Labs, adds that the financial aspect should not be understated. “This change to quantum computer resistant algorithms will require incredible synchronization between industry and government and will make the money spent on Y2K look like a drop in the bucket. There is already movement by NIST to force this transition, but unlike Y2K, there is no finish line.”
Other industry insiders are even less worried that quantum computing will play much of a role when it comes to security, indicating that the technological hurdles that need to be overcome will take much longer to leap. “The engineering problems that need to be overcome are extremely daunting and may take several decades or more to solve,” says Luther Martin, chief security architect at HP Security Voltage. “But industry is already thinking about how to handle this extremely unlikely eventuality.”
Regardless of the impact quantum computing has, or does not have, going forward the need for encryption is not going to disappear no matter what new technologies come down the pike.
“Encryption isn't everything in data security, but it's about as important as plumbing is to a high rise building,” says Sander. “Would you want to live on the 23rd floor of a 50-story building with no indoor plumbing? That's simply to say that without encryption to rely on data security will be a mess with data spilling out onto the floor all over the place.”
Securonix's Baikalov points out that even though encryption may be one of the pillars on which good security is built, it is still only one element of the overall equation. “Current cryptosystems, if properly implemented and used, are practically unbreakable, yet data security is still a huge issue,” he says. “Key management and access control are the most common technological culprits in data breaches. It doesn't matter how sophisticated and burglar-proof your lock is if you leave the key under the mat.”
The good news is there are encryption types now available that should safeguard data against any upcoming technological threat. Grobman (left) notes that public keys using asymmetric and hash function algorithms would likely be unsecure, but symmetrical, such as AES 256, as well as hashing functions such as SHA2, will remain safe.
“A subset of the cryptographic algorithms we depend on, such as RSA, could be cracked on a quantum computer once a scalable practical implementation is built,” he says. “Other algorithms, such as AES, do not depend on this class of world-load and are generally as difficult to crack on a quantum or standard compute platform.”