Make no mistake: quantum computers are coming.
In our first blog of this series, we examined the development of quantum computers and how they might be used to undermine commonly used encryption algorithms — making them the ‘quantum menace’ of cyber security. Our second blog looked at three new technologies that could help mitigate the growing risks and posed the question: is there really such a thing as quantum-safe communications?
Since we published these two blogs, quantum computing has continued to develop at pace. So, this third blog focuses on the ‘what next’ — on what we can do to protect ourselves and begin to mitigate this growing and accelerating risk…
Commoditising and democratising quantum computing
We are now seeing the development of plans to offer on-demand quantum computing resources in the cloud, dramatically commoditising and democratising access to this technology. This development has occurred at a far quicker pace than previously anticipated.
The shift of quantum computing towards the mainstream is an unpleasant surprise that significantly increases the likelihood of wider, earlier adoption of these attack vectors — extending beyond nation-states, advanced persistent threats (APTs) and organised crime.
The capabilities to run suitable encryption attack algorithms will now be available to anyone. All hackers, however small fry, could utilise this capability going forward.
We know that Shor’s algorithm already provides a route to attack current asymmetric encryption, which is used in securing VPNs, financial transactions, and personal data. This algorithm can be used to recover the encryption keys that are negotiated when your connections are secured, and those keys can then be used to decrypt your data!
Once your network is compromised, it is conceivable that a bad actor could observe other key pieces of intelligence, such as identities, credentials, tokens, keys and so on. This intelligence could then be used to pivot into other attack vectors using known good data, increasing the likelihood of attack success and decreasing the likelihood of detection.
A deeper look at the quantum threat
Let us look at what could potentially happen should someone compromise the encryption protecting one of your VPNs or connections. First and foremost, the attacker will be able to harvest your data and have access to it in its raw, unencrypted form. This alone is a terrifying thought.
Going beyond the initial compromise and loss of data and thinking through an attack scenario, other impacts of a breached VPN or connection could include:
- Wider attack of your infrastructure using obtained credentials, identities, keys, tokens and other high-value data items.
- Compromise of the confidentiality of your data (including customer data, personal data, PCI/credit card data and intellectual property).
- Brand damage due to the exposure of customer data and your critical intellectual property.
- Compromise of the VPN connection itself through spoofing.
These scenarios open the door to more well-known impacts, such as:
- Damage to the integrity of your data.
- Destruction or loss of availability of your data.
- Damage to backups and DR sites.
- Deletion of cloud environments.
- Loss of ability to trade.
- Ransomware attacks.
- Poisoning of AI.
- Misuse of B2B APIs and gateways.
- Significant brand and reputational damage.
Clearly, this goes way beyond HNDL (‘harvest now, decrypt later’), whereby attackers capture encrypted data today, store it and wait until quantum computers become strong enough to decrypt it. The moment our least secure encryption methods become compromised, a wide enough crack is presented for damage and loss to occur.
Proactive steps toward a quantum-safe business
The implications of the quantum threat are significant across all sectors.
Enterprises must protect critical data, assess encryption strength and scrutinise SaaS providers and supply chains for vulnerabilities. Equally, investors must have a quantum-safe strategy and understand the level of quantum-threat risk for possible acquisition targets.
Governments face geopolitical stakes and must consider the correct response to move towards a position of quantum safety. Researchers must focus on the right topics, aligning their thesis to future quantum-safe technologies rather than relying on existing crypto or platforms carrying known or unknown quantum threats. Innovators also face the challenge of creating quantum-secure products whilst mitigating supply chain risks.
Thankfully, organisations are starting to take the quantum threat seriously. JPMorgan Chase, Toshiba and Ciena were early adopters in providing a Quantum Key Distribution Network to secure blockchain applications.
However, many others are now also taking steps to secure their businesses and establish themselves as brand leaders in providing quantum-safe services to customers. For example, HSBC has recently launched a Quantum Safe Tokenised Gold Service, having previously undertaken similar pilot work to secure its foreign exchange (FX) trading.
Moving forward, it is clear that the topic of quantum threats has huge momentum and is beginning to take over the industry spotlight. Soon, quantum threats will sit in the spot that has been occupied by AI for the last 18 months.
Now is the time to consider the level of quantum threat present in your business and what steps you could be taking to move towards a position of quantum safety. Bad actors could be harvesting your data right now, in readiness for the day when they are ready to begin attacking your encryption.
So, what can be done to provide quantum-safe communications to mitigate this new threat?
Act sooner rather than later
Organisations must recognise the quantum threat is not just a hypothetical scenario; it is an imminent challenge requiring immediate action.
There are very few individuals in the cyber security sector with any practical experience in emerging quantum-safe technologies. But at Burning Tree, we understand the cutting-edge nature of quantum threats. We have engaged experts with proven track records in this field and direct experience of this emerging threat.
Our approach to this rapidly developing challenge begins by providing quantum threat awareness training to your team — whether it is your board, CTO/CIO teams, IT/security staff or the entire organisation. This is followed by a thorough audit of your network, using a structured methodology combined with innovative technology to deliver awareness and create a baseline view of the quantum-threat risk in your business.
Our team then develops a practical roadmap to guide your organisation toward becoming quantum safe. Action plans are realistic and grounded in the real world — focusing on priority areas to balance effectiveness with cost and feasibility. We can also help you build a business case to drive future investment.
Finally, we will provide a consolidated report or executive brief, delivering our full assessment report and action plan. We will even help present our findings and recommendations to your stakeholders and board.
And crucially, we can be there for the onward journey — helping you to deliver the action plan.
Waiting is not an option when it comes to the quantum threat. Our offering provides a unique and powerful blend of our experience, methodology and approach to reviewing, designing, architecting and implementing quantum security services. Contact Burning Tree at 01252 843 014 or info@burningtree.co.uk to learn more about how we can help your organisation achieve quantum safety.