Quantum computing: is our data still safe?

Developments in quantum computing are moving at a rapid pace. This new technology offers countless new possibilities, but also entails risks, especially in the field of cybersecurity. PwC experts Gerwin Naber and Peter Avamale advise organisations to prepare in time. 

The widespread adoption of quantum computing is no longer just a distant future concept. With the investments into the research and progress being made, we expect this to be a reality in less than five years. The latest development is the investment by the European Commission in eight supercomputers with quantum computing technology. One of these computers will be hosted in the Netherlands, another strategic development to drive  quantum technology ecosystem even further. 

Quantum will bring ample new opportunities, varying from medical advances and acceleration of accompanying technologies such as AI, to solutions on how to secure our internet in the future. However, in the short-term, quantum technology would cause a significant increase of cybersecurity threats. The advent of quantum computing would represent a fundamental shift in how we secure our digital information through cryptography, and it could happen faster than previously anticipated.

Is quantum computing a looming threat? 

For years, experts have discussed the potential implications of quantum computing on current encryption methods. As quantum technology advances, the ability of these computers to solve increasingly complex equations poses a significant threat to existing cryptographic frameworks. This has raised concerns that current encryption methods, particularly those using 2048-bit keys, could be vulnerable in the not-so-distant future.

While organisations encrypt business-sensitive and personal data under the assumption that they are safe, the reality is that bad actors may already be employing a 'collect now, decrypt later' strategy, storing encrypted data with the intent to unlock it using future quantum technology. If, in the future, large language models also run on quantum computers, this could break encryption keys relatively quickly. 

Understanding vulnerability

It is critical to address the urgency of this situation. Companies must begin assessing their current usage of cryptography (e.g. for encryption, digital signatures, etc.) to understand where they may be vulnerable. This is more than just an IT issue; it should be a high priority for company leadership due to how foundational cryptography is for business-critical digital services, and the potential impact on reputation, business continuity, and competitive advantage. A good starting point for an assessment includes the following questions: 

• What forms of cryptography do we use and where? 
• Which of these are vulnerable to evolving quantum threats? 
• How well are we prepared to transition to quantum-safe solutions (and have we validated our capability to do so)? 

Conducting this assessment is a significant undertaking for many organisations, especially those with complex or legacy infrastructures. Many may not realise the level of effort and time required to evaluate and update systems until it is too late. Identifying the storage locations of cryptographic keys and updating them to ensure quantum safety presents a timing consuming challenge, which should not be underestimated.

A technological refresh 

Since 2015, NIST has been working with the cryptography community on selecting and standardising quantum-resistant algorithms. These are encryption methods that are resistant to quantum attacks. The first three completed standards were released in August 2024 and organisations are advised to start implementation immediately. However, implementing these new standards requires coordination between various stakeholders and considerable effort to transition existing systems. Companies must prepare not only for the adoption of these new standards but also for the technology upgrades that may be needed to make other dependent systems compatible.

Action is needed now 

The rapid advancements in quantum computing bring us closer to a critical turning point in cybersecurity. Organisations across all sectors must urgently prepare for quantum threats. Organisations should elevate quantum readiness to a board-level priority and take proactive steps to assess vulnerabilities and mitigate risks. 

A structured approach, as recommended in recent guidelines by the AIVD, can make this process more effective. This involves:

• Identify critical assets: Determine which data and systems are most vulnerable and have the highest impact if compromised by quantum capabilities.
• Assess current cryptographic usage: Evaluate where and how cryptographic algorithms are used across the organisation, identify which are susceptible to quantum attacks.
• Develop a migration plan: Create a roadmap to replace vulnerable algorithms with quantum-safe alternatives, considering operational dependencies and required technology updates. Begin execution of the plan by testing quantum-safe solutions in a limited scope, to understand the ramifications of a broader migration.
• Engage stakeholders: Ensure that company leadership, IT teams, and business units are aligned on the importance of quantum preparedness and understand their roles in the transition.

In addition to these, we also recommend preparing for a "cryptography crisis" scenario, one in which existing encryption is broken before the migration is completed (the migration is not quick enough).

By taking action, companies can prepare for a future where quantum-safe encryption is essential. Delays in addressing these vulnerabilities could lead to severe long-term consequences, especially given the rapid pace of quantum computing developments.