Commercial transactions on the Internet and routine cyber security depend on the effectiveness of public key cryptography. Quantum computers will make existing standards obsolete. The impact of this starts now.
Estimates vary on when a quantum computer powerful enough to realise this threat will be built. Dates ranging from 8 to 20 years out have been suggested. More rapid scenarios are also possible: a major programme by a nation state could bring this down to perhaps 5-7 years, and alternative schemes based on quantum simulators, rather than waiting for a full-scale device, might overturn these estimates further.
Perhaps a business might reasonably assume that they should plan against a viable security threat from quantum computers by 2027. Surely that seems like a comfortable way off?
However, there is a problem. If a hostile party intercepts and stores data today, they will be able to break its encryption in 2027. Additionally, the transition programme to put new quantum-safe arrangements in place inside an organisation might itself take several years. Remote systems and embedded devices are a further complication. Not only will these require updating, but the security protocols routinely used to validate such updates are themselves among those at risk.
Do you meet the Mosca Inequality: D + T < Q?
- Data Life – How long must data used today remain confidential even if intercepted and stored for later decryption by a hostile party?
- Transition – How long will it take an organisation to transition its existing operational cyber security arrangements to adopt quantum-safe alternatives?
- Quantum Computers – The number of years before a device capable of breaking current encryption standards becomes available.
Michele Mosca of Canada’s IQC has suggested that soon companies will be differentiated by the adequacy of their risk management and transition plans against this threat.
Assuming you start now and the transition takes 2 years, that’s still only an 8-year safe window. Is the CEO happy to defend to customers and investors that sensitive data just 8 years old might be revealed?
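The check above, applied per asset across several values of Q, as an added example that is not part of the original article. The inventory, asset names and their D and T values are constructed for illustration; the Q values of 5 and 20 come from the ranges quoted above, and 10 is inferred from the article's 2-year transition and 8-year window.

```python
from dataclasses import dataclass

# Years until a quantum computer can break current public key cryptography (Q).
# Assumption: 10 is inferred from the article's arithmetic, not stated in it.
Q_SCENARIOS = {"accelerated": 5, "planning": 10, "late": 20}


@dataclass(frozen=True)
class Asset:
    name: str
    data_life: int   # D: years the data must stay confidential
    transition: int  # T: years to move this system to quantum-safe crypto


# Constructed inventory (hypothetical assets and values).
INVENTORY = [
    Asset("session logs", data_life=1, transition=2),
    Asset("customer contracts", data_life=7, transition=2),
    Asset("embedded device fleet", data_life=15, transition=5),
]


def margin(asset, q):
    """Years of slack: Q - (D + T). The inequality holds only if this is > 0."""
    return q - (asset.data_life + asset.transition)


def meets_mosca(asset, q):
    return margin(asset, q) > 0  # strict: D + T < Q


def safe_window(q, transition):
    """Longest data life that can still be protected once T is spent."""
    return q - transition


def failing_scenarios(inventory, scenarios=Q_SCENARIOS):
    """Map each asset name to the scenarios in which D + T < Q does not hold."""
    return {a.name: [name for name, q in scenarios.items() if not meets_mosca(a, q)]
            for a in inventory}


if __name__ == "__main__":
    for asset in INVENTORY:
        for name, q in Q_SCENARIOS.items():
            flag = "ok" if meets_mosca(asset, q) else "AT RISK"
            print(f"{asset.name:22} Q={q:2} ({name:11}) margin={margin(asset, q):4}  {flag}")
```

An asset with zero margin, such as the constructed device fleet at Q = 20, still fails because the inequality is strict.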