The author is chief engineer for Crawford Broadcasting in Birmingham, Ala.
For a long time now, most white-hat cybersecurity experts have taken the position that their companies just needed to keep ahead of their black-hat counterparts by removing the low-hanging fruit and thereby knocking out 95 to 98 percent of the possibility of a security vulnerability crippling their organizations.
The “fruit removal” involved keeping security patches updated on network routing and switching equipment, keeping computer operating systems and other hardware up to date, educating users about making their passwords difficult, and making sure firewalls and VPNs were guarding access to all of that data in the first place.
Overall, the company I work for has done a reasonable job of keeping ahead of most of the script kiddies and people with moderate to low level hacking skills. There is this one pesky hacker from Portland that one of my colleagues has gone around with on several occasions, but we typically have been ahead.
That is, until recently.
We’re coming into some scary times regarding the protection of data that even the best of practices will have a hard time combating. Quantum computers have been coming of age for a while now and are about to throw a wrench into some long-established security practices.
Unlike the device you’re probably reading this article on, one that uses binary 0’s and 1’s (called bits of data) to chew efficiently through the math required by your programs and to generate content, quantum computers use quantum bits (qubits), where the bit value can be both values at once at the same time. The power in quantum computing comes when the hardware is able to begin reading multiple qubits which expands exponentially as 2n, where n is the number of qubits. Quantum computers are similar to the computers you know; they all get better computationally with more powerful processors and additional cutting-edge hardware. Is there some kind of difference in performance? That question is loaded.
It all comes down to the different math that can be done with each. Getting back to the security bent, binary computers are great for a lot of computations and have advanced our civilization at breakneck pace, but they are really awful at cryptography math.
The fundamental prime number type math that keeps your well-thought-out password safe or the website encryption that we count on to make sure we’re looking at a “secure” site is nearly unbreakable by regular computers. Even the most advanced supercomputers struggle to break the encryption that powers most of the internet. (Here’s a site that will tell you how long it would take to break your current passwords: www.security.org/how-secure-is-my-password/).
In contrast, a quantum computer is fantastic at encryption-style math.
In 2024, Google’s Willow quantum chip, a state-of-the-art 104-qubit processor, performed a specific computation in 5 minutes that would have taken a traditional supercomputer 10 septillion (1025) years. Obviously, the “specific” may have been a well-engineered problem to exaggerate the computational differences, but the fact remains that I’ve got five minutes to wait, I don’t have 10 with 25 zeros years to wait.
Why does all of this even matter?
Most specialists believed that a quantum computer could break most RSA-2048 encryption with a computer that contained between 100,000 to 1 million qubits.
Just this past month, both Google’s Quantum AI team and a Cal Tech startup named Oratomic both produced papers that stated that they had figured out a way, with the help of AI, to reduce the necessary number of qubits in a quantum computer to down around 10,000.
When Cloudflare, a company that manages about 25% of internet traffic, saw these papers, they moved their timeline for having necessary post-quantum encryption in place on their systems up from 2035 to 2029, a six-year reduction.
The concerns I have are twofold.
First of all, the problem is massive, as it affects financial institutions, internet entities, governments and big businesses. Most companies (or people) simply aren’t ready for what is going to be necessary to protect themselves.
The second, more sinister nature of the issue is that there have been entities stealing encrypted data for a long time that have been waiting for this opportunity to come around.
These “Harvest Now, Decrypt Later” folks clearly didn’t have the time or resources available to purchase a supercomputer and wait for the results. But they could hang on to entire lists of encrypted passwords and data and store them … and wait.
They have been continuing to collect and sit on the data with the thought that, eventually, quantum computing would be more accessible and they would be able to begin drilling down on the data they’ve collected and have a payday.
I know it sounds like the internet basically is planning to eat itself for dinner. But there are things we can begin to do ahead of all of this to make sure that we are somewhat better prepared.
The first is to realize that you cannot afford to continue to keep your passwords as simple, cute phrases, or birthdays or anything that can be remembered. I suggest you start to use a password manager. There are many available. When you use a password manager, your password can be longer, which will at least present a challenge to a quantum computer and require more time to decrypt.
The second is to begin to use two-factor authentication with as many accounts as you can.
Generally, TFA not only requires your password, but you also have a physical device that gets texted or emailed to you with an actual code that you must enter in order to access your accounts.
This requires an “Authenticator” app running on your device, but it is tied to the account so that when access is requested, you are notified and asked to give the code. If the code isn’t provided, no access is granted.
A third alternative would be to employ a “hardware” key, something like a Yubiko Yubikey or a handful of alternatives that provide a complete air-gap from the internet. These keys physically connect via USB or wirelessly via NFC or Bluetooth and are tied to a user’s fingerprints or other biometrics. The keys require physical interaction from the user for access to any account or digital asset.
The fact remains that a lot of us have traded ease for digital security. The two are diametrically opposed. As quantum computing matures, many users will be exposed because they simply didn’t know better. A user who has a lot of convenience baked into their digital data life has weaker or minimal security.
I fear that we’re moving toward a time when making things more difficult for yourself will put a hedge of protection around all of your data, but using the same practices in our workplaces could protect your company as well. You’ve got a three-year head start, but don’t be surprised if, with AI’s assistance, that timeframe gets shortened again.
This article first appeared in Crawford’s Local Oscillator newsletter.
Comment on this or any article. Email [email protected] with “Letter to the Editor” in the subject field.
