Wednesday, August 28, 2024

Quantum Computers Could Help Hackers Defeat Encryption. Here's How to Protect Your Data

Encryption is the secret sauce that keeps private information private as it travels across the internet. Apps like Apple's iMessage use it to protect the contents of your communication, as do other services. Many encryption algorithms in use today are based on techniques developed nearly 50 years ago. They've served us well, allowing people and businesses to confidently send emails across the globe, shop online, and move company data to the cloud. But that could change, since researchers believe quantum computers capable of breaking today's encryption could arrive within a decade.

In basic terms, a common form of encryption known as public key encryption relies on digital "keys" created by multiplying two extremely large prime numbers. An attacker would need to calculate the two factors to break the encryption. If the number is big enough, that's an impossible task for today's computers.

But here's the rub: quantum computers have unique characteristics that make them better than regular, or classical, computers at doing certain tasks -- and one of those is factoring enormous numbers. A number that would take a classical computer millions of years to factor could potentially be factored in "a matter of hours" by a quantum computer, explains Ray Harishankar, the head of IBM's Quantum Safe initiative.

Anticipating that future, in 2016 the National Institute of Standards and Technology, part of the U.S. Department of Commerce, called on researchers from academic institutions and tech companies around the world to design new encryption algorithms. The best options were tested both in-house by the NIST and by outside experts and underwent years of refinement and standardization. Last week, the NIST released the first three approved standards for post-quantum encryption. The goal, says Dustin Moody, a mathematician in the institute's computer security division, is for most of the U.S. government to adopt the standards by 2035. And while the standards were developed for the government, many private companies and other organizations are expected to use them as well.

Why Companies Need to Prepare for the Quantum Future Today

"Every enterprise that uses digital communication should be looking at this now," says Harishankar. That, of course, means virtually every business out there needs to begin evaluating its systems. Even if quantum computers that can break today's encryption are still a decade away, it could take years for the updates to be adopted across the board, and connected devices (like cars, industrial control systems, and smart appliances) available today might still be in use a decade from now. The 10-year frame is just a projection, Moody adds, and a technological breakthrough could speed up the timeline.

Some in the cybersecurity community have also warned of a practice known as "harvest now, decrypt later." Hackers and foreign governments may already be scooping up encrypted sensitive information -- anything from health data to military plans -- in hopes of being able to decrypt it with future technologies. Companies of all sizes should take stock of what they have that's protected by encryption -- and particularly any information that will still be valuable a decade from now.

Why Implementing Quantum Safe Standards Is a Massive Job

One big challenge is finding where encryption lives in various systems. It can be embedded in both software and hardware, such as connected devices and point-of-sale terminals. "If you step back and think about it, that is a huge problem," says Harishankar. Nobody can easily list each place in their tech stack that has encryption embedded, and which protocol is used in each instance.

Take IBM's Db2 database software. The software has about 28 million lines of code, Harishankar says. IBM researchers discovered more than 160 instances of cryptography within the code -- and that's a smaller number than you'll find in many other companies' software, he says. For proprietary software, IBM and others have developed tools to detect where encryption lies -- it's too big a task to be done manually.

Businesses that rely on third-party software should ask their vendors whether their products are quantum safe, and if not, when they will be. The National Cybersecurity Center of Excellence offers resources for migrating to post-quantum encryption, as do some industry organizations.

Many of the largest tech companies are already beginning the process, and others are expected to do so now that the NIST's standards have been released. Newer versions of Apple's iMessage, Zoom's meeting capabilities, and Google's Chrome browser have all adopted post-quantum encryption in the past several months. "It is a journey. It will take multiple years to transform and test," warns Harishankar. "It's not take A and replace it with B. I wish it were that simple."
