Quantum supremacy is the inflection point at which quantum computing will outpace the speed and accuracy of classical computing. Analyst GlobalData predicts a time frame of about five years, but forecasts vary wildly, and many come with caveats around whether use cases and standards will align with quantum technology development.
With quantum supremacy, every organisation in the world that stores and processes data will be wide open to a cyberattack. Hyperbole? Not so, according to Google CEO Sundar Pichar, who has said publicly that in five to ten years, quantum computers will break the encryption systems we use today. Perhaps most concerning is that data sent today can be retroactively decrypted in so-called “hack now, decrypt later” attacks. If this scenario is accurate, large organisations are facing a ticking time bomb if action is not taken immediately to mitigate future risk.
Ransomware attacks increased 151% in 2021, according to the World Economic Forum, with an average of 270 cyberattacks per organisation, a 31% increase from 2020. While these attacks are damaging (each breach costing about $3.6m), the data amassed in these security breaches could have even bigger consequences down the line.
Quantum's concentration on security
There has been a preoccupation with security and quantum computing for a long time, according to Quantinuum (formerly Cambridge Quantum) CEO Ilyas Khan. “Quantum computers will render pretty useless most existing methods of encryption, and, in fact, even the newer, more quantum-resistant methods are frankly untested,” he says.
Cybersecurity has increasingly become a boardroom topic and business leaders are more aware of the threat to their businesses, both financial and reputational.
Khan notes that governments and large organisations have historically viewed quantum computing through the lens of this growing cyber threat. In addition to this, the rise of ever more sophisticated nation state-sponsored attacks such as the 2020 Solar Winds global supply chain attack, which swept through the US federal government, and the May 2021 Colonial Pipeline hack, which took down parts of the US critical national infrastructure, demonstrate the vulnerability of existing technology platforms and serve as a stark warning of the potential catastrophic damage from quantum attacks.
However, Khan believes quantum technology is not simply a threat, and that it also presents a solution. “Quantum computing provides a defence for anything out there that is a classical computing threat to security as well as a defence for future attacks by quantum computers,” he says.
Data is currently protected by encryption based on the RSA and AES algorithms. In simple terms, cybersecurity is determined by randomly generated cryptographic keys. The quality of these keys is measurable by their randomness. Classical methods of encryption are broken by hackers when keys have poor randomness. Because the RSA and AES standards are not truly random, they have been shown to be breakable. The unbreakable nature of quantum keys is a function of the unpredictable behaviour that lies at the very heart of quantum mechanics. Post-quantum algorithms for key generation are currently in the process of being standardised by the US National Institute of Standards and Technology (NIST) and are expected to become codified any time between 2022 and 2024.
How can quantum computing fight cybercrime?
GlobalData’s thematic research, published in February 2021, says any predictions about quantum computing’s future market size are educated guesses at best given its nascence and the prospect of unanticipated breakthroughs. Market size in 2020 was said to be between $80m and $500m, rising to anywhere between $1bn and $5bn by 2025. GlobalData principal analyst David Bicknell says quantum security will be a significant driver of investment into the sector.
The classical computing cybersecurity sub-sector is growing rapidly, and GlobalData’s 2022 technology predictions deemed cybersecurity a primary business theme for the coming year. The analyst forecasts that the global cybersecurity market will grow to $238bn by 2030, up from $115bn in 2020.
Given that quantum computing cybersecurity solutions can be integrated with classical computing architectures, the market opportunity for the quantum cybersecurity market is broader than it appears at first glance.
Quantinuum’s security product, Quantum Origin, for example, can be integrated into existing cybersecurity systems to mitigate classical computing cyber threats as well as future proofing for the quantum age. Quantinuum head of cybersecurity Duncan Jones says it is important that the company’s customers don’t feel they need advanced physics degrees to understand quantum cybersecurity products.
Quantinuum’s cloud-based product delivers cryptocraphic keys that have been verified from a quantum source that can easily be integrated with existing hardware security modules and systems – supporting traditional algorithms, such as RSA or AES, as well as post-quantum cryptography algorithms.
It will take time for businesses to migrate to quantum-safe architectures and Jones believes businesses are underestimating how much work will be required to become quantum resistant. “Estimates of when the cyber threat of quantum will arrive vary, but there is a universal consensus that the time to act is now,” says Jones.
For some business areas, Jones says it is already too late. For example, the internet of things (IoT) and digital manufacturing are areas particularly vulnerable to the quantum threat. “IoT devices are low-power devices, they don't have access to many good sources of randomness,” he says. “I think we are definitely going to see businesses that have not moved early enough, and in five to ten years’ time, or whenever it is that they are genuinely threatened, they will wish they had move a lot faster,” he adds.
This is a sentiment echoed by Bicknell, who urges companies to take action. “Developing, testing, deploying and improving new quantum-safe cryptographic solutions will require years of research and design by different stakeholders. There is no time to be lost,” he says.
Early adopters such as IT infrastructure company Fijitsu are testing quantum-enhanced keys alongside traditional algorithms. Dr Houshan Housmand, chief technology officer research lead at Fijitsu, says the current trend of moving from a data centre model towards a cloud model will require security enhancements for resilience against quantum attacks. “This is a major concern for us,” he adds.
Housmand points out that the company’s security concerns are echoed by the UK’s National Cyber Security Centre (NCSC) in terms of the need for quantum random number generators, with particular research emphasis on integration challenges with large systems.
However, while the NCSC’s November 2020 white paper on quantum cybersecurity recommends that large organisations should factor the threat of quantum computer attacks into their long-term road maps, it also cautions against early adoption of non-standardised quantum-safe cryptography, “given the current lack of clarity around which variants will offer the best balance of security and performance, and which specific parameter sets to use”. The paper goes on to warn that “unnecessary haste and over-reliance on new approaches to cryptography may introduce costly security weaknesses”.
The NCSC expects that major commercial products and services will transition to quantum-safe cryptography once NIST standards become available between 2022 and 2024. The government body therefore recommends that the majority of users follow normal cybersecurity best practice and wait for the development of standards-compliant quantum-safe cryptographic products.
Once industry standards are agreed, the market for quantum cybersecurity products is likely to develop rapidly. A consumer market is also expected to grow, with Samsung already having launched its Galaxy Quantum2 smartphone with an inbuilt quantum random number generator chip developed by Swiss quantum security company ID Quantique.
For now, the quantum computing industry’s attention is keenly focused on the much-anticipated NIST standards for quantum-safe cryptography. Once this milestone is reached, the quantum cybersecurity industry is likely to see an inflection point whether or not quantum supremacy has arrived.