Security
Post-quantum security tools are here. Do enterprises really need them now?
Nobody has any idea when a real quantum computer will actually impact enterprise tech, but NIST wants companies to upgrade their security sooner rather than later.
It's hard to remember in a world that's gone mad over AI, but quantum computing was at the center of the tech hype machine just a few years ago. Computers built around quantum principles promise to unlock a new level of performance that traditional (known as "classical" in this world) computers simply can't match, but that computing power could also be used to break the encryption standards that make secure internet commerce and enterprise computing possible.
The National Institute of Standards and Technology released three post-quantum cryptography algorithms on Tuesday that will allow companies to protect themselves against the threats posed by quantum computing.
“Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio in a press release.
The encryption standards that protect modern internet traffic turn basic text or numerical data into a string of seemingly random numbers and letters that can only be deciphered with a key. Those standards work because it would take a massive amount of computing power to try and figure out the decryption key using today's computers, and it's easier to just steal somebody's login credentials if you want to obtain sensitive information from a database.
However, quantum computers could theoretically harness enough computing power to defeat those encryption algorithms, which started to worry government officials and enterprise security teams as the technology advanced. NIST put out a call for help developing post-quantum encryption standards eight years ago, and the standards released Tuesday are "based on different math problems that would stymie both conventional and quantum computers," according to NIST.
Still, quantum computing is no closer to making a real-world impact on enterprise computing than it was eight years ago.
"Experts have been expecting a (cryptographically relevant quantum computer) to be available 'in a decade' for several decades now," as the former head of the U.K.'s intelligence agency noted earlier this year, according to Recorded Future News.
Companies working on quantum computers have steadily added "qubits" — the atomic unit of quantum computing — to their experimental machines for years, but merely running those systems requires them to maintain a temperature near absolute zero. But even then, the qubits are so unreliable that "unlocking the full potential of quantum-computing applications will require new hardware and software tools that can control inherently unstable qubits and comprehensively correct system errors 10 billion times or more per second," as Riverlane's Steve Brierley put it earlier this year.
That means that despite decades of hype, nobody has any real idea when quantum computing could threaten existing encryption algorithms.
"All the goal posts are moving, and it would take a brave person to put a specific prediction out there,” Quantinuum's Duncan Jones told Security Week.
Ignoring the uncertainty, NIST recommended that enterprise computing shops embrace the new standards.
"We encourage system administrators to start integrating them into their systems immediately, because full integration will take time," NIST's Duncan Moody said. The argument is that assuming a quantum computer that can defeat existing encryption arrives in the early 2030s (Runtime is officially taking the over on this bet), a lot of government and corporate data generated in the second half of the 2020s could still be immensely valuable down the road.
However, "part of the challenge is that most systems that currently depend on public-key cryptography for their security are not necessarily capable of running the resource-heavy software used in post-quantum cryptography," Recorded Future News reported. Enterprises already in the midst of upgrading their computing infrastructure to train and run AI models could find it hard to justify spending even more money on a science-fiction project.
"At the end of the day, security is like an insurance; and like any insurance we need to be certain that the premiums we pay are not more expensive than the cost of a failure," IBM's Michael Osborne told Security Week.
(This post originally appeared in the Runtime newsletter on Aug. 13th, sign up here to get more enterprise tech news three times a week.)