“The danger that a nation-state opponent will get a large quantum computer and access your information is real,” says Dustin Moody, mathematician at the National Institute of Standards and Technology (NIST). “The threat is that they copy your encrypted data and keep it until they have a quantum computer.”
With this “reap now, decrypt later” strategy, officials are trying to develop and deploy new encryption algorithms to protect secrets from an emerging class of powerful machines. This also includes the Department of Homeland Security, which claims to be leading a long and difficult transition to so-called post-quantum cryptography.
“We don’t want to get into a situation where we wake up one morning and have a technological breakthrough and then have to do three or four years of work within a few months – with all the additional risks that come with that,” says Tim Maurer, who advises the Secretary of Homeland Security on cybersecurity and new technologies.
The DHS recently released a roadmap for the transition that began with a call to catalog the most sensitive data within both the government and the business community. Maurer says this is an important first step “to see which sectors are already doing this and what support or awareness are needed to ensure they act now”.
Prepare in advance
Experts say it could be a decade or more before quantum computers can do anything useful, but with money pouring into the field in both China and the US, the race is on to make it happen – and better protection against Quanta develop stops.
The US has been running a competition through NIST since 2016 aimed at producing the first quantum computer-secure algorithms by 2024, according to Moody, who leads the NIST project on post-quantum cryptography.
Moving to a new cryptography is a notoriously tricky and tedious task that is easy to ignore until it’s too late. It can be difficult to get for-profit organizations to pass themselves off as an abstract future threat years before this threat becomes a reality.
“If organizations don’t think about the transition now,” says Maurer, “and they are overwhelmed when the NIST process is complete and there is a sense of urgency, it increases the risk of accidental incidents … transition is never a good idea. “