YQK is coming — time to get ‘quantum-safe’

Most of us remember Y2K, the panic that consumed the final years of the last millennium. The whole world feared that, when the clocks flipped from 1999 to 2000, the digital systems that governed our lives would crash, with cataclysmic results. Of course, a true meltdown was avoided, thanks to the collective action of software engineers around the world, and the decisive action of Congress, which devoted $3.4 billion to upgrade code and “Y2K proof” critical government and industry systems. 

Crisis was averted 22 years ago — but now we have to dodge another one.

Call it “YQK” — except this time, the “Q” stands for “quantum.”

Quantum computing is an incredible, nascent technology that relies not on binary code — the now-familiar 0s and 1s — but on the properties of subatomic particles, like entanglement, for computational power. Quantum computers have computational properties that could soon solve complex problems that current computers can’t, which will revolutionize fields from materials and drug discovery, to finance.

But exponential computing power also means that, in the wrong hands, quantum systems could brute force their way through even our strongest digital walls. Right now, most encryption is similar to a very big combination lock. If our current computers wanted to break through, they’d have to try every possible combination, a task that might take them a century. Future quantum computers, however, could solve such a combination in days — maybe even hours.

So, what might YQK — a quantum computing catastrophe — look like in practice?

Imagine that the algorithms that protect corporate and government data are compromised. Financial markets are adversely impacted. Energy grids and defense networks are disrupted. There is a mass wave of identity theft.

Here, however, is the good news: It’s entirely preventable, with technologies that we already have, including cutting-edge techniques like lattice-based cryptography (protocols based on extremely hard, historically unsolvable math problems) and fully homomorphic encryption (which enables someone to work with encrypted data while it’s still encrypted).

In Washington, conversations and activities are underway on how we can deploy these nets of protection to avert YQK. The National Institute of Standards and Technology (NIST) recently announced protocol standards involving these technologies, including the CRYSTALS-Kyber public-key cryptography protocol, which was amongst the final four protocols developed by IBM scientists and collaborators. When adopted, they will safeguard various computing systems from quantum hacking. 

Congress can help ensure that these tools are scaled across industry and government before it is too late.

Organizations of all stripes need immediately to start implementing these protocols — especially those holding sensitive data, like government agencies. It’s true that quantum systems won’t be able to break current encryption for many years. But “black hat” hackers aren’t waiting. They’re already harvesting encrypted data. At the moment, those numbers are scrambled. But once quantum technology matures, they can be unscrambled in moments. It’s like a criminal who steals a safe today, knowing he’ll be handed the combination in a few short years.

Federal agencies can prevent this “harvest-now, hack-later” problem by updating their encryption protocols. But that’s a little easier said than done. It will take time, dedicated personnel, and — most of all — a government-wide strategy. It will likely never happen if various federal agencies are left to haphazardly adopt quantum-safe technologies in their own ways, at their own speeds.

This month the House passed a bill that grasps this reality: the bipartisan Quantum Computing Cybersecurity Preparedness Act. Among other measures, it calls on the director of the Office of Management and Budget to survey executive-branch systems, determine which ones are most vulnerable to a quantum hack, and prioritize their migration to post-quantum cryptography. This, the bill says, must be done within the year, along with an estimate of how much it will cost. It also calls for regular updates about how federal agencies are uptaking quantum safety standards. If we want to avert a YQK, the Senate should send this bill to President Biden’s desk as soon as possible.

My hope is that, in the end, YQK will be like Y2K — a manageable event. But that didn’t happen by accident back then, and it won’t happen without a lot of hard work this time around either. Many of the world’s top engineers and software companies poured resources into making sure Y2K didn’t happen. We must do the same today.

The biggest difference? Since we don’t have a nice round number like “2000” as a finish line, we should assume that time is of the utmost essence. When it comes to adopting quantum-safe protocols, tomorrow is better than next week, and today is best of all.

Dario Gil is senior vice president and director of research at IBM.