How Will Quantum Computers Impact Cybersecurity?

Cryptography forms the foundations of today’s security for any system connected to the internet, but today’s standards are under serious threat. In this article, quantum computing researcher Koen Groenland explains why cryptography is so incredibly important, what threats loom, and what action organizations must take. 

Cryptography is the art of securing messages over a network, preventing your data from being read by unauthorized eavesdroppers (confidentiality), and from unwanted changes or malware insertions (integrity). To understand the scale of this issue, we must first appreciate how deeply embedded cryptography is in modern business operations.

Cryptography is not just for spies or high-tech firms; it is active every time a staff member logs into a laptop, every time an automated payment is sent to a vendor, and every time a confidential strategy document is saved to the cloud. It secures our internal communications, protects our intellectual property, and validates the integrity of our software updates. Typical examples include:

  • Websites and Online Services: The ‘HTTPS’ in a browser’s address bar signifies that your connection is encrypted using cryptographic protocols like TLS (Transport Layer Security). This prevents eavesdropping when you send your password or credit card details, and guarantees that the page you view really originates from the registered owner of the website.
  • Email: Secure email services use cryptography to encrypt your messages, keeping your private conversations private.
  • Cloud Storage: When you upload documents to the cloud, they are often encrypted both in transit and at rest, protecting them from unauthorized access.
  • Internal Systems: Databases, employee logins, virtual private networks (VPNs), automated factories, payment systems, and all other network-connected applications rely on cryptography. 
  • Digital Signatures: When you digitally sign a document, cryptography ensures its authenticity and integrity, proving who signed it and that it hasn’t been tampered with.

I’d argue that modern cryptography is insanely successful. Nearly every website today is secured through HTTPS, and practically all other digital applications follow similar cybersecurity standards. Moreover, cryptography is ridiculously efficient: our own systems can be secured with barely any loss in performance, whereas even attackers with the most powerful computers in the world cannot break properly maintained systems. At least, that has been the case up until now. With the advent of quantum computers, we are realizing that there is a fundamental flaw in the foundation of online cryptography. 

For a corporate board, cryptography represents the fundamental mechanism of trust. If the cryptography fails, the trust between the organization and its customers, partners, and regulators evaporates. In short, without functional cryptography, a modern enterprise cannot operate.

A common misconception in management is that cybersecurity is a fixed expense: that once you buy a firewall or an encryption tool, the job is done. In reality, cryptography is a constant arms race.

As computing power grows and mathematicians discover new ways to ‘attack’ algorithms, older standards become obsolete. We have seen this before: the transition from the aging DES standard to the more robust AES, or the retirement of the SHA-1 hashing algorithm.

Occasional updates will always be needed, now and in the future, because of:

  • Moore’s Law and Brute Force: With every passing year, computers get faster and cheaper. This means that methods used to ‘brute force’ (try every possible key until the right one is found) can become feasible. Algorithms considered strong a decade ago might be vulnerable today or in the near future.
  • New Attack Techniques: Cryptographers and malicious actors are constantly discovering new mathematical and computational methods to break encryption. These breakthroughs necessitate the development of stronger, more complex algorithms.
  • Obsolescence: Some older cryptographic standards are simply no longer considered secure due to inherent design flaws or known vulnerabilities. Continuing to use them is like leaving your front door unlocked.
  • Emergence of Quantum Computing: This is the big one we’re facing now. The development of quantum computers poses an unprecedented threat to current public-key cryptography, which brings us to our next point.

Staying secure requires a proactive lifecycle management approach. If an organization fails to update its cryptographic standards, it effectively leaves the back door to its data unlocked, inviting regulatory fines, data breaches, and reputational ruin.

For decades, our digital world has relied on two primary mathematical systems: RSA and ECC (Elliptic Curve Cryptography). These systems are the ‘gold standard’ for securing everything from web browsing (HTTPS) to digital signatures. They work because they are based on math problems that would take today’s most powerful supercomputers thousands of years to solve.

Quantum computers change the rules. Because of a breakthrough known as Shor’s Algorithm, a sufficiently powerful quantum computer will be able to solve these specific math problems almost instantly. When this “Cryptographically Relevant Quantum Computer” (CRQC) arrives, RSA and ECC will be rendered useless.

If a CRQC were to be unleashed today, the damage to society would be unimaginable. Encrypted communication over the internet would be easily intercepted. Quantum computers could generate digital signatures and certificates that are indistinguishable from authentic ones. Monetary transactions could be modified or faked, leading to loss of trust in the financial system. Crucial infrastructure such as electricity grids, water treatment plants or highway control systems could be easily hacked. Without adequate precautions, we face a digital apocalypse.

Even though quantum computers are still ten to fifteen years away, they should be at the top of an organization’s cybersecurity agenda. Organisations already face two different risks: 

  1. Harvest Now, Decrypt Later (HNDL): Adversaries are currently intercepting and storing encrypted sensitive data. Even if they cannot read it today, they intend to decrypt it the moment they have a quantum computer. If your data needs to remain secret for 10 or more years, it is already at risk.
  2. Infrastructure Longevity: Most software and hardware products have lifespans that will stretch well into the quantum era. Especially critical infrastructure, industrial controllers, and systems that deal with personal or high-value data require careful actions.

Migrating to post-quantum cryptography (PQC) is mandatory for all systems that currently employ RSA or ECC. I do not foresee major issues for software that is under active development. However, organizations will face major headaches with older software and crucial operational technology — some experts even call this the most complex IT migration in history. To manage this risk, several guidelines exist. We strongly recommend the PQC Migration Handbook, written by a collaboration of the Dutch secret service with two research institutes, as well as the guidelines by the American standardization organisation NIST on Migration to Post-Quantum Cryptography. All guidelines recommend similar steps, which we summarize here:

1. Establish a Crypto-Agility Roadmap: You cannot protect what you don’t know you have. The first step is to conduct a “Cryptographic Inventory.” Identify where your organization uses encryption, which algorithms are in place, and where your most sensitive data resides. This is a daunting step in large IT environments, but many manual hours can be saved with automated scanning through ‘Cryptographic Asset Discovery and Inventory’ (CADI) software, such as Eon Insights.

2. Prioritize Based on Data Longevity: Once a clear overview of all assets at risk is made, one can assess the urgency to update. Not all data needs to be migrated at once. Focus first on ‘high-value targets’ that must remain confidential for the next decade or more, such as trade secrets, personal data, and crucial infrastructure.

3. Engage with Your Supply Chain: Most organizations do not write their own encryption software; they buy it from vendors like Microsoft, Amazon, Cisco, or SAP. Management must begin asking these partners: “What is your PQC migration roadmap, and when will your products support NIST-approved quantum-resistant algorithms?” Governments and companies typically already have policies on PQC-compatible products, or should have them very soon. As an example, the US government is regulated through CISA and the NSA’s Commercial National Security Algorithm Suite.

4. Migrate All Cryptographic Assets: This is a major operational challenge: most organisations have thousands to millions of applications. Fortunately, a vast majority can likely be updated in an automated way, targeting many applications at once. The largest challenge lies in legacy software which is no longer maintained — code may have been lost, vendors may be bankrupt, or the workforce may have moved on. Moreover, systems running 24/7 may not have seen updates in many years and are particularly risky to change. Alternatively, Eon Path can instantly re-secure applications without worrying about legacy code or downtime, at the cost of adding a minor amount of computational overhead.

5. Build “Crypto-Agility”: Moving forward, your IT infrastructure should be “crypto-agile.” This is a design philosophy where cryptographic algorithms can be swapped with little effort. This ensures that when the next threat emerges, your organization can quickly pivot before major damage is incurred.
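As an added illustration of steps 1 and 2 (not code from the article or from any product it mentions), the following example triages a small constructed inventory: it flags algorithms that Shor's algorithm breaks and ranks them by how long the protected data must outlive the arrival of a CRQC. The asset names, field names and the use of Mosca's inequality are assumptions made for this example; the default of 10 years is the lower end of the article's estimate.

```python
from dataclasses import dataclass

# Families broken by Shor's algorithm. The article names RSA and ECC; DH and DSA
# rest on the related discrete-log problem and are included here as well.
SHOR_VULNERABLE = ("RSA", "ECDSA", "ECDH", "ED25519", "X25519", "DSA", "DH")

@dataclass
class Asset:
    name: str            # hypothetical system name
    algorithm: str       # as reported by an inventory scan, e.g. "RSA-2048"
    protect_years: int   # years data must stay secret or signatures stay trusted
    migrate_years: int   # estimated time needed to replace the algorithm

def is_quantum_vulnerable(algorithm: str) -> bool:
    """True if the algorithm name belongs to a Shor-vulnerable family."""
    return algorithm.upper().startswith(SHOR_VULNERABLE)

def triage(inventory, years_to_crqc=10):
    """Return (name, overdue_years) for vulnerable assets, most urgent first.

    overdue_years = protect_years + migrate_years - years_to_crqc
    (Mosca's inequality). A positive value means data protected today will
    still matter after a CRQC exists, so migration should already be under way.
    """
    rows = [(a.name, a.protect_years + a.migrate_years - years_to_crqc)
            for a in inventory if is_quantum_vulnerable(a.algorithm)]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample inventory (hypothetical systems, not from the article).
INVENTORY = [
    Asset("vpn-gateway", "RSA-2048", 15, 3),
    Asset("web-frontend", "ECDHE-P256", 1, 1),
    Asset("hr-archive", "AES-256", 30, 2),            # symmetric: not hit by Shor
    Asset("plc-firmware-signing", "ECDSA-P256", 20, 5),
    Asset("pqc-pilot", "ML-KEM-768", 10, 0),          # already post-quantum
]

if __name__ == "__main__":
    for name, overdue in triage(INVENTORY):
        status = "START NOW" if overdue > 0 else "schedule"
        print(f"{name:22} {overdue:+3d} years  {status}")
```

Re-running `triage` with `years_to_crqc=15` shows how sensitive the ranking is to the CRQC estimate: the order stays the same, but the urgency margin shrinks.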

The quantum threat is a significant business risk, but it is a manageable one. By initiating a migration strategy today, corporate leaders can ensure their organizations remain resilient in the face of the next great shift in the digital landscape.

Here are several resources that we recommend. 

PQC Migration

The Public Key Infrastructure Consortium organizes frequent conferences with non-commercial, high-quality presentations and ample room for networking and discussions. Recordings are made available for free.

MinutePhysics has several great videos, which require some deeper knowledge and intuition of quantum information theory. This seems to be the most accessible explanation of how Shor’s algorithm really works.
