A roomful of chief digital officers in suits and ties stood rapt in a Columbia University auditorium, listening as 20-something PhD candidate Jessica Pointing explained the difference between binary and quantum computing bits using a pink-frosted donut with sprinkles. Pointing, formerly at Harvard and now at Stanford University, compared binary code to a donut that can only flip between its frosted or plain face, while “qubits” act like a spinning donut that can expose a multitude of donut-to-frosting ratios depending on its exact position at any moment.
Though quantum computing was the stuff of research and science fiction until recently, becoming informed about quantum computing is no longer a choice for CDOs, CSOs and CISOs. Quantum computing is set to be the next big upheaval in technology. So, those experienced CDOs sat puzzling the possibilities as Pointing made her presentation at their summit meeting in New York. Afterward, they crowded around her for more information.
In the last two years alone, quantum computing has moved into the cloud and onto the radar of industry and government. In late September, the White House hosted a summit of tech industry and government officers, tasked with “advancing American leadership in quantum information science.” For cybersecurity professionals, the thing to know is that quantum computers can crunch the big numbers to break traditional cryptography that is prohibitive for binary computing.
Getting Ready for Your Quantum Leap
“The world has got to get quantum-ready,” said Dario Gil, Chief Operating Officer of IBM Research and Vice President of AI and Quantum. Speaking at the recent TechCruch Disrupt conference, Gil said, “there’s a massive job to do… in learning the new principles of a fundamentally new form of computation that will be part of the permanent landscape of computing.”
There is no need to panic yet, though, since mainstream adoption is still some time away, said Rick Howard, CSO of Palo Alto Networks. “That is not to say that it will not be an impactful technology when it arrives and we will not see interesting things from that research area before then, but for Quantum Computing to be widespread, we have some time,” he said.
What is quantum computing? At its most basic, it uses the principle that a quantum particle can be in more than one state at a time—like light, which can behave as matter or energy. By manipulating those states, a programmer can use qubits to transmit information in ways binary code can’t. Rather than be either 1 or 0, as a binary bit, it can be various combinations at the same time.
The speed and flexibility that quantum computing allows will put automated functions previously unavailable within reach. Quantum computers can build computer simulations of far more complex molecules than is currently feasible, so pharmaceutical manufacturers will be able to test new drugs without long, expensive human trials. Automated systems would respond in almost lifelike manner, even connect remotely with computer systems without needing an Internet connection.
“Quantum computing will theoretically be able to solve a class of problems that have heretofore been unsolvable” with today’s processing capability, said Howard. “With a quantum computer, we could theoretically reduce the number of steps to solving a problem from say, one million steps, to say, one thousand steps. That is a giant improvement and will most likely be used for problems that have to sift through large data sets.”
How Quantum Computing can Undermine Current Cybersecurity
“This may all sound well and good, except for the fact that internet security is for the most part predicated on the following assumption: it is hard to factor large numbers into their prime components,” said Alex Costas, software engineer of Schellman & Co., an IT audit company.
“The immediate problem in the cybersecurity space that comes to mind is the breaking of cryptologic keys,” said Howard. “A fundamental component of any encryption algorithm is that it uses a mathematically complex computation so that even if the bad guys know what the algorithm is to encrypt a message, it will still take them millions of years to process every potential key to find the correct one. With Quantum Computing, the breaking of keys might be possible.”
With the advent of quantum computers, cybersecurity will become more complex. The possibility of hackers attacking old-school binary computers grows, thanks to the speed of quantum computing. Cracking a traditional password would be easier than ever.
“Quantum computers would completely break many public-key cryptosystems,” pointed out the National Institute of Standards and Technology (NIST) when it announced a project to develop next-generation cryptography standards. NIST started preparing to secure quantum computers in 2016, and began soliciting proposals for quantum cryptography. But according to its own timeline, a draft of the standards won’t be available until 2022 at the earliest.
The NIST statement noted the progress of quantum computers, but also acknowledged that “a significant effort will be required in order to develop, standardize, and deploy new post-quantum cryptosystems.” That effort, the NIST concluded, has to happen before any large-scale quantum computing is available to the public.
Events may have already overtaken the NIST’s timeline: 2018 seemed to mark a tipping point for adoption of quantum computing. In the last two years, the devices have gotten better and qubits a lot better and faster, Gil told the TechCrunch audience. “Now you can actually run things,” he said, as he demonstrated a short algorithm running on a quantum computer at IBM’s lab in Yorktown Heights, NY.
Major tech companies such as Microsoft, IBM, and Amazon Web Services are all moving quantum computing to the cloud, where researchers are starting to adopt it. Meanwhile, even as the field is experiencing shortages of talent that could slow down development, a number of startup companies are racing to become providers of cloud-based quantum computing for businesses that want to take the next step. Gil noted the IBM Q network works with more 12 quantum computing startups.
IBM created Qiskit, an open source environment to implement quantum computing routines, and at present has 100,000 users that have run 5.5 million experiments. Some researchers even created a game of quantum Battleship that can sink ships in new ways, said Gil: “There’s a lot of people trying.”
That may be exactly why security officers need to be aware of this new technology, noted Costas. Any time there is a technological advance, bad actors tend to follow, he said. “Anything relying on public-key cryptography is gone as soon as you get quantum computing with a reasonable amount of resources,” he said. Users of binary computers should upgrade their encryption to be quantum-resistant before quantum computing becomes readily available.
“Even if quantum computing does break our current encryption schemes, I have confidence that the good guys can use the same technology to provide us even better encryption schemes,” said Howard.
Quantum computing could also be used by security officers to deploy faster, better attack detection and analytics. Quantum computing would help them realize some of the potential of machine learning and AI to analyze files and data and find threats through algorithms and analytics much more quickly than ever before.
Defending systems with quantum encryption would be easier, because it doesn’t require exposing any part of the password to the public, giving hackers nothing to work with. A traditional password can be broken by using available algorithms, but quantum computing can create encryption that doesn’t require a public key, making it safer, said Costas.
“Quantum has some nice properties,” he said. “The ability to transmit a key without the ability of someone to eavesdrop is more powerful than anything else – making sure no one knows the basis for some kind of future computational attack.”
Security professionals have been updating communication protocols to be quantum-resistant, but CSOs and other security officers should begin by gaining some understanding of quantum computing in general now, said Costas. “You don’t need to know all the dense mathematics,” he said, but stay up-to-date on which kind of cryptography schemes are prone to being attacked and new updates to quantum computing.
“Be aware that this is super important and not something that ‘maybe my kids will have to worry about that.’ No,” he said. “It’s us.”