President Joe Biden signed a national security memorandum (NSM) on Thursday calling for government agencies to implement measures to mitigate risks posed by guantum computers to US national cyber security.
The NSM highlights the dangers of cryptanalytically relevant quantum computers (CRQC), including their potential ability to brake public-key cryptography.
Immediate risks include:
- Endangering civilian and military communications.
- Undermining supervisory and control systems for critical infrastructure.
- Defeating security protocols for the vast majority of Internet-based financial transactions.
“While it can take unrealistically long times for traditional computers to attack currently recommended encryption algorithms, quantum computers are expected to be able to break such encryption in trivial amounts of time. This means that when quantum computing leaves the lab, all currently encrypted data will be vulnerable to confidentiality breaches. This is another step on the march of progress. In my career, I have seen MD5 hashing go from recommended to obsolete due to advances in computing. The same is true for sha-1. I’ve also seen SSL 1-3 and several TLS versions become obsolete due to exploitable or potentially exploitable weaknesses which prevent their use in protecting sensitive data. Advances in quantum computing will do the same for everything out there now.”
The NSM has been welcomed by security experts, who believe it is a major step in the right direction for preparing the US from the threats that quantum computers pose.
Roger Grimes, data-driven defence evangelist at KnowBe4, notes why preparing for the threat of quantum computers is so important:
“While no one, at least publicly, knows when the threat of quantum computers will be realised, we all know that it is sooner rather than later. Most quantum experts put the eventuality of quantum computers breaking much of today’s cryptography at 10 years or less. I do not think anyone would be shocked if it happened in five years or less. Me, personally, I think we are talking only a few years. The question is if we and the rest of the world will be ready…and have quantum-resistant cryptography and systems in place before the quantum cryptographic break happens? Every single company in the world should right now be preparing to convert their systems to quantum-resistant protections. They need to start with taking an inventory of what important data is protected by what quantum cryptography and key sizes. Just that process alone will likely take most companies half a year to years to do right. They need to start NOW! And almost no company is doing anything. Most are not even aware of the coming problem at all. It is a problem. It is a growing problem as the clock continues to tick down to when the quantum threat becomes a realised problem. President Biden is taking a good step in declaring, “Get going!”. But how many people are listening and understanding?”