Quantum computing attacks, which are feared to utterly break modern encryption on the internet, are still about a decade from being viable. They are widely seen as an inevitability, however, and that has not stopped attackers from preparing well in advance. A new poll from Deloitte finds there is an immediate and significant cyber risk from “harvest now decrypt later” (HNDL) attacks, in which attackers steal encrypted information and simply sit on it until quantum computing advances make it trivial to crack.
Among other findings, a little over half of the IT professionals surveyed say that their organizations are presently at risk of HNDL attacks. But fewer than half are presently on top of their analysis of this emerging cyber risk, and about 11% say there will need to be a cyber incident (the point at which it is far too late) before their leadership will be driven to do something about the threat.
Seemingly distant cyber risk already in the early exploitation stages
The Deloitte poll included the input of over 400 IT professionals working at organizations that are actively considering the benefits of quantum computing, though not necessarily the new level of cyber risk that accompanies it. Only a little over 26% said that they have completed a risk assessment at this point. 18% have plans to do it this year, and 16% say that they will do it in the next two to five years. 13% say they either do not plan to do it for more than five years or have no intention of doing it at all.
Roughly the same amount of organizations that plan to perform a cyber risk assessment well before quantum computing is expected to become a threat, a little over half of all respondents, also feel that HNDL is an immediate threat to their organization. 21% do not feel it is a threat, and 28% do not know.
What would push some of the more reluctant organizations to take quantum computing threats seriously? 27% of respondents said that it would take regulatory pressure. 20% believe leadership will have to be convinced to demand change, 15% think change will be sparked if competitors are observed doing it, and 11% said it would take nothing less than getting hit with a quantum computing attack to move the needle for their organization. A little under 7% felt that client or shareholder demands would make a difference.
Quantum computing cracking expected around 2030
Cybersecurity experts vary in their opinions on the subject, but most believe the quantum computing threat will arrive in as little as five years and probably no more than 15. That means that organizations should reasonably expect to have defenses in place by the end of the present decade at the absolute latest.
While encryption is a vital piece of a data protection program, files encrypted with today’s algorithms will likely be cracked in seconds at some point by quantum computing tools. If these encrypted files are stolen now, threat actors need only wait as little as a few years to gain ready access to them. The HNDL threat thus demands immediate attention, but thus far awareness of it is lagging (let alone meaningful action).
However, some experts are cautioning that organizations should not pull too hard in the opposite direction and make panic moves to change crypto algorithms overnight. New standards are not expected to fully emerge from NIST until 2024, and most IT departments have numerous unaddressed cyber risk issues that are much more immediately beneficial to improving security posture.
The risk is also not evenly distributed across industries and organizations. The present HNDL threat actors are almost exclusively nation-state attackers looking for state secrets and proprietary information that they can unlock later. These groups are also the attackers almost certainly among the limited group of people with early access to stable quantum computing once it becomes a reality. Google’s insufficiently stable quantum computer Sycamore costs millions of dollars before you even get to the hundreds of specialized communications cables that come in at $1,000 for every two feet of length, must be housed in a special refrigeration unit capable of constantly maintaining an extremely precise temperature, and can go haywire if shut down for hardware repairs for too long. The cyber risk of quantum computing is almost certain to be exclusive from nation-states, at least in the early stages of its existence.
For the moment, the HNDL threat is best addressed by keeping attackers out of networks and away from sensitive files. Making an inventory of “long lived” information assets not expected to change or become obsolete in the next few years, such as bank account numbers, can also help as an immediate step; this high-sensitivity data can potentially be addressed with current means such as key rolling.