Quantum Computing - do I need to follow the details?

I am sure you have heard about Quantum Computing and are wondering whether you really need to follow all the details about this emerging technology. In this article, we will run through some important points and the potential knock-on effects.

It should be noted that I am not working in Quantum computing areas myself, however, I do follow the technology with great interest. If you are working in this field and spot something incorrect, please get in touch so I can ensure the article is as accurate as possible.

Aim:

The aim of this article is not to solve the potential issues but to highlight what you may want to consider with the emergence of this technology.

I do not predict that this article will cover all the areas of concern, fix problems or provide a solution for you, the aim here is to highlight some potential considerations for the technology.

Sources:

There are many sources for Quantum computing research these days; to provide some context I have included these articles below for reference to this blog article, however, you should always research further:

MSN News article (Article 1):

https://www.msn.com/en-nz/news/other/scientists-at-oxford-achieve-quantum-teleportation-breakthrough-with-quantum-supercomputer/ar-AA1yPd0X?ocid=msedgntp&pc=LCTS&cvid=6b490fd692a64859e1beb62a28af878e&ei=27

CSO Online article about RSA encryption being broken (Article 2):

https://www.csoonline.com/article/3562701/chinese-researchers-break-rsa-encryption-with-a-quantum-computer.html

NIST encryption (Article 3):

https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

How did the internet get so vulnerable (Article 4):

https://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/

Main body:

In this article, we won't go into what Quantum computing is or how it works as there are many articles available that go into great detail and explain them very well. What we will discuss is considerations and concerns for the private citizen, companies and Government entities as they relate to day-to-day operations, or malicious actors taking advantage of this technology.

We will also discuss how some wording in articles can raise concerns as to how this technology may be adopted.

What effect will Quantum computing have on the general citizen?

This will likely be the hardest area to transition, the average private citizen does not really know how important encryption is in daily life. Banking, social media, card transactions, encryption of mobile devices (phones, tablets, laptops etc.) and much more. Encryption is weaved into every facet of everyday life from sending messages to your family, to buying a coffee or checking your balance on your phone. All of these actions are encrypted to keep you, your communications and your money safe - so if quantum computing can break this encryption in the near future how will the world react?

The answer is that we will need to upgrade encryption standards, networks, hardware and potentially many other small items to get things working securely. This does take time, especially in countries that cannot afford to perform upgrades on the scale required.

The issue will likely be a few years away, but companies that serve the general public will need to start planning ahead now. The public should be informed and aware of which companies are making the effort to keep them safe, and this process will likely be a long-term and ongoing project.

In short, this has the potential to really affect day-to-day life if companies do not plan ahead. If companies are proactive enough and are communicative with their customers we can expect minimal disruption. It will be similar to when technology moves forward in other fields, such as the evolution of mobile phone technology where switching off 3G towers was widely communicated and anyone affected was supported through the process. Everyone will have some responsibilities for this, the companies can do their side and the general public will have to keep up to date and move with the times. This will likely include:

• Upgrading non-compliant devices

  • Phones, tablets, computers, routers etc.

  • Regular updates of software and applications

• Ensuring security policies are followed

  • There may be new verification policies and procedures being introduced

  • There may be restrictions placed on certain activities should something be suspicious

• Temporary working solutions may be put in place

  • Should there be an extreme situation, you may end up with temporary measures being put in place while companies and infrastructure catch up.

    • One example may be if the Payment card industry runs behind in meeting new requirements, you may see some stores (online or physical) become unable to transact business the usual way.

There are other possible implications for the general public, these are just some initial considerations.

How will this affect companies?

This is probably the largest subject to discuss as companies come in all shapes, sizes and functions. Predicting all the implications for companies would be impossible, there are however some questions companies can start asking themselves now to start planning their purchases accordingly.

The generic questions later in the blog article also apply, in this section, we will ask some company-focused questions that are worth considering.

• What functions in my company rely on encryption?

  • If you have not thought of this before, it is now a good time to start examining which parts of the business may be affected if current encryption standards were to suddenly be deprecated.

  • Are some of these encryption methods more critical than others?

• Does my company need the entire network to be on the Internet?

  • Your company may be too large to upgrade all at once, so to protect your company while you transition it may be worth seeing if any part of the company network can be air-gapped while you bring the company up to standard.

• What will the reputational damage be if we don't respond to the change?

  • You have seen many companies fall into disrepute due to bad security practices that have ended up in a breach and loss of consumer trust (and even court proceedings). If your company does not hold any sensitive or personal information of your staff, customers, suppliers etc. then you are likely to have a very low risk of reputational damage. The inverse is also true, if you hold that data and it gets breached because you were not being proactive, there is a good chance of reputational damage.

• What external factors am I relying on?

  • You may be doing everything right, but are the external parties? Supply chain attacks have been behind plenty of attacks with current-generation technology, it's an attack vector you want to avoid.

    • Ask your partners/suppliers how they are preparing for these threats

    • Check with your financial institutions to ensure they are also preparing

    • Check with any services you rely on to ensure they have a plan

  • Is there a plan for when an external party does not prepare?

    • You may want to lock out their access in the event they do not comply

    • Look into an alternate company in case you need to make a quick change

As mentioned this is not a complete list, more points will likely come up in future or some may be addressed entirely as information and advances are announced. However, it is always recommended to be prepared for the worst-case scenario.

Government Organisations:

When most people think of Government organisations they think of large buildings in the Capitol with impressive looking security and a budget that should let them be proactive with these types of threats. While that may be true for Central Government, when you look at all the others out there you see that the problem may be wider than originally thought:

• Local Government

  • Local councils generally have a smaller budget, they will likely need the support of the central government to respond to this emerging threat.

  • Social offices (welfare, medical, employment) are widespread and also have limited budgets.

• Emergency Services

  • Not all emergency services are funded by the Central government, a large part of Medical and Fire first responders are volunteers and funded by donations or insurance levies. They are usually stretched with their budget as it is, when you add in having to upgrade their emergency infrastructure while keeping operational capabilities you will likely find they are unable to afford such a project.

  • For example, the tablets that are on most of these appliances will contain incident information, patient information, sensitive information not for public release and critical information for Police. These tablets generally use the existing phone network to communicate, if the phone network is vulnerable then so is all that data.

  • Even Police who are centrally funded don't have the money to easily upgrade everything across all areas, imagine the ability to alter records, erase evidence, view case files and potentially get confidential informant information off these devices and you can see many issues and potential leaks which would put lives at risk.

• Tax offices, Health departments and wider Government

  • All government entities hold a lot of sensitive information, and each of these departments will need to ensure they are protecting that information.

So that's what is at risk for Government, but how else will this affect Government?

Governments are supposed to protect the people they govern, so they will need to ensure safeguards are being put in place and there are consequences for those who do not comply and put the safety of the public at risk.

If you read Article 1 from the sources section, you can see the phrase "Virtually immune to hacking" which sounds great. However, when you look at Article 4 you can see how the internet was not designed with security in mind and as such criminal and nation-state actors look to abuse this daily. Ideally, it would be immune to hacking, however, such a bold claim can provide a challenge to the criminal element and proceeding with that mindset can mean we wind up in a similar situation we find ourselves in today.

What we really need Governments to do is lead the way in ensuring this is implemented with security in mind. This would need serious scrutiny, testing, auditing and an ongoing assessment of the standards being implemented.

Considerations for everyone:

Through the last few sections, we mentioned there are some common basic considerations, these are:

• Is the company I use preparing for the Quantum computing security risks?

  • This could be your internet company, mobile phone company, bank or other.

  • Social media or other sites you log into should be responding to this risk

  • Is your website hosted by a company that is being proactive?

• Can I isolate parts of my network from the internet when needed?

  • Companies may want to move sensitive information off the main network initially

  • If you have a lot of internet-enabled devices at home, can you migrate them to a local instance so they are not out to the internet? (I can recommend looking up NetworkChuck on YouTube as he does a lot of videos)

• Do I need to upgrade any devices to meet the new requirements?

  • This will be a moving target initially as it is not currently rolling out, however, if you are about to upgrade your phone and you see in the news that there may be some major changes to the phone infrastructure - it may be worth checking with your phone company about the best device.

  • Similar to the point above if you are replacing network hardware, cameras, servers etc. then you may want to make sure you are not spending a lot of money on an upgrade that will become obsolete within a short time frame which would be more costly.

• Am I receiving updates from the relevant companies to keep informed?

  • Keeping up to date with news is hard, there is so much out there from various sources with varying levels of reliability. Contact your companies to see if they have an official mailing list you can be added to.

  • Shameless plug: SecuriKiwi offers this service! If you sign up with us we will keep youdoes updated with the facts around news articles and practical advice on how to stay safe.

• Do I have enough resources to learn and keep up to date with developments?

  • You may not be the most tech-savvy, but you may have people around you who are. Do they know enough to keep you informed and safe? if not then you may want to hunt around for a blog, or news board, enrol in courses or subscribe to news channels for tech news to keep updated.

  • If you are a company, does your IT team have enough time to keep up to date with the ins and outs of Quantum Computing threats? if not then you may want to hire a specialist, bring in a consultant or invest in some training time for your existing team. It is a good idea to consider this now as you don't want to be reactive, you will want to be proactive and ideally ahead of the game.

Summary:

In summary, as previously alluded to at the start of this article, we do not know exactly how this will affect all organisations at this stage. Unlike most changes where people can 'wait and see', the implications of encryption being broken have a lot of implications that should be planned for ahead of time.

Governments need to ensure that these technologies are not being rolled out without the right considerations for security, or oversight as attacks on Critical Infrastructure with the current technologies are an ongoing concern.

And to answer the titular question of this article, you should definitely follow the details of this in some way. Either by direct research or signing up for news bulletins which can keep you updated on the important developments, you do not want to be left out of the loop and caught short.