What is the cyber security risk from quantum computing? - KPMG Australia (2024)

Planning | Understanding | Regulation | Risk management implementation | Quantum risk preparation | Contact

Research by KPMG Australia shows that protecting data and dealing with cyber risks is viewed by C-suite executives and board members from private sector enterprises as a top challenge in 2024 – and for the next 3 to 5 years.²

In Australia, to address this quantum threat, the Australian Signals Directorate (ASC) are encouraging organisations to understand and make plans to transition to the use of Post-Quantum Cryptographic algorithms within their own environments.

Encryption is everywhere. As an immediate step, organisations need to understand their risk from the use of public key cryptography and how they value data in their environment. This will impact multiple systems and applications that are fundamental to business operation. The transition to a quantum resilient environment will take many years and multiple budget cycles, so the best strategy is to start understanding this risk now.

Michael Egan
Director – Quantum, KPMG Australia

KPMG in Canada surveyed 250 large corporations and found that around 60 percent of organisations in Canada and 78 percent in the US expect quantum computers to become mainstream by 2030.³ But as quantum computing proliferates, so do concerns about its potential impact on cyber security.

Most of the businesses surveyed were ‘extremely concerned’ about quantum computing’s potential to break through their data encryption. Sixty percent of respondents in Canada and 73 percent in the US believe ‘it’s only a matter of time’ before cybercriminals are using the power of quantum to decrypt and disrupt today’s cyber security protocols. At the same time, however, 62 percent of respondents in Canada and 81 percent in the US admit that they need to do a better job of evaluating their current capabilities to ensure their data remains secure³.

Quantum computers will be able to break common encryption methods at an alarming speed. Encryption tools currently used to protect everything from banking and retail transactions to business data, documents and digital signatures can be rendered ineffective – fast.Attacks using a ‘harvest-now, decrypt-later’ approach can enable adversaries to steal encrypted files and store them until more advanced quantum computers emerge. So, data with a long life time value, such as health data, financial records and government files will be of immediate interest to bad actors.

The level of preparation that organisations do today is expected to be critical to limiting exposure and vulnerability to emerging threats, making quantum risk planning a priority.

Businesses need to understand the quantum risk in order to take action in areas including:

• web browsing
• remote access
• software
• digital signatures
• communication
• crypto currencies.

Dr Michele Mosca has developed a theorem that suggests a pathway to consider in order to protect data and keep it quantum-safe.

Mosca’s theorem stresses the need for organisations to begin due diligence in the post-quantum space immediately. It states that the amount of time that data must remain secure (X), plus the time it takes to upgrade cryptographic systems (Y), is greater than the time at which quantum computers have enough power to break cryptography (Z).

Once organisations are aware of their risk environment, they should be in a position to prioritise activity and mitigate or eliminate risks. However, this may not be a quick or simple process and may take years for each organisation.

Managing technical debt, for example, can be a significant challenge for organisations relying on systems that will be incapable of running modern cryptographic profiles. There is now an opportunity to evaluate migration timelines and understand how long it will take to make infrastructure quantum resistant. To do this, organisations should understand the challenge and allocate budgets for both the mitigation and ongoing monitoring that the post-quantum world will require.

It’s critical that organisations not only prepare for the quantum threat in their long-term risk planning, but also strengthen data protection now to help minimise quantum’s potentially disruptive and costly impacts.

As quantum emerges and organisations continue to explore and discover both its game-changing advantages and threats, new legislation and regulations are being developed. In 2022, a US law was passed that requires government agencies to take action in using post-quantum cryptography and encourages the private sector to follow suit⁷.

In December 2023, the National Institute of Standards and Technology (NIST) in the United States released two draft publications to guide organisations aiming to redefine their capabilities and combat potential quantum-based attacks. The documents Quantum Readiness: Cryptographic Discovery and Quantum Readiness: Testing Draft Standards for Interoperability and Performance outlines concrete issues and potential solutions when migrating to a new post-quantum cryptographic standard⁸.

The growing list of initiatives includes:

• the Quantum Computing Cyber security Preparedness Act 2022, advising US federal organisations to prepare now for a post-quantum cyber security (PQC) world
• National Security Memorandum on Promoting US Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems
• White House Memorandum on Migration to Post-Quantum Cryptography
• Monetary Authority of Singapore MAS/TCRS/2024/01: Advisory on Addressing the Cyber security Risks Associated with Quantum⁹
• Quantum Security for the Financial Sector: Informing Global Regulatory Approaches, World Economic Forum in collaboration with the Financial Conduct Authority¹⁰.
  

The answer is now. While quantum computing may seem like a futuristic science fiction concept, the technology is poised to exert major consequences across today’s cyber security capabilities. KPMG believes innovation to protect against quantum cyber threats is needed without delay.

In the US, in 2014, the NIST released a draft of the NIST Cyber security Framework 2.0 (CSF 2.0) – a major update to the Cyber Security Framework (CSF)– to help organisations reduce cyber security risk. To be finalised and published in 2024, CSF 2.0 reflects changes in the cyber security landscapeand will offer additional guidance on implementing the CSF¹¹.

The NIST has also chosen four encryption tools that it says are designed “to withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day¹².” The four encryption algorithms will become part of NIST’s post-quantum cryptographic standard and all are expected to be finalised and ready for use in 2024¹³.

Meanwhile, improvements and standards in Quantum Random Number Generators¹⁴ (QRNGs), for entropy enhancement and randomisation, and Quantum Key Distribution¹⁵, a secure communication method for exchanging encryption keys only known between shared parties, also aim to harness the power of quantum technology and protect data.

It’s important to note that today’s post quantum solutions may create a false sense of security, as we do not know if the quantum algorithms considered resistant today will remain that way as quantum computers become larger and more effective. The danger is illustrated by the discovery of vulnerabilities in the NIST-selected encryption algorithm CRYSTALS-Kyber¹⁶.

We can help you prioritise at-risk data and systems, and develop a customised cyber security strategy into your long-term risk planning to assist with preparation for quantum threats.

Steps to quantum-secure encryption include:

1. Discover: Identify cryptographic algorithms and protocols used to protect data and assets.
2. Assess: Perform a risk assessment to identify quantum-vulnerable systems and assets.
3. Manage: Prioritise remediation efforts and develop a remediation roadmap.
4. Remediate: Implement mechanisms that enable crypto agility, and transition-vulnerable cryptographic systems to post-quantum cryptography based on priority.
5. Monitor: Perform ongoing monitoring of remediation efforts and changes to the threat and regulatory landscape.
   

Further reading

Find out how to prepare for quantum cyber security risk