How tech companies are readying IT security for quantum computing

Quantum computing has been around for a while now, but in recent years, companies like Google and IBM—along with startups, research institutes, and universities—have been making huge strides in the field. This progress is pushing businesses to think more seriously about quantum and its impact on IT security.

McKinsey & Company estimates that quantum computing could account for nearly $1.3 trillion in value by 2035. This brings a lot of considerations for security professionals, who need to protect their organizations from the shifts in computing power and the threats quantum will bring.

Over the next decade, we can expect big tech companies to keep ramping up their efforts on quantum. Because the potential for quantum to solve problems faster than ever before could transform both business operations and society as a whole.

In this article:

• Why start preparing for quantum now?
• NIST and the path to industry-wide adoption
• A starting point: Identify current encryption use
• Challenges in implementing post-quantum cryptography (PQC)
• Summary: Focus on the now with an eye on the future

Why start preparing for post-quantum now?

Today, functional quantum computers do exist, and some companies even offer access to them. However, these computers have a limited number of qubits, which means they aren’t yet powerful enough to solve problems beyond what today’s supercomputers can already handle.

To go further than today’s supercomputers, quantum computers will need up to 20 million qubits. Currently, the most powerful quantum computer has only 1,200 qubits, so there’s still a long way to go.

However, experts predict that powerful quantum systems could be ready by 2030. Until then, IT teams need to start preparing their encryption to make sure it’s secure enough to protect data and privacy against the complexity quantum computing will introduce.

Some bad actors are already harvesting data that they can’t yet decrypt, planning to access it once quantum arrives. While that data may be outdated by then, it could still be valuable, especially when it comes to intelligent services data.

Given how expensive it is to store data, most bad actors will likely only keep the information that’s relevant to them right now. But it’s never too early for organizations to start planning.

Read more: How quantum computing will transform IT security

NIST and the path to industry-wide adoption

Fortunately, cryptography experts are already building cryptographic schemes that quantum computers won’t be able to break. This is called post-quantum cryptography (PQC).

In the US, the National Institute for Standards and Technology (NIST) is at work certifying post-quantum encryption methods for various applications. After launching the work in 2016, NIST identified four algorithms to be standardized. These are based on so-called lattice and hash problems, which experts believe will be much harder to solve for quantum and conventional computers alike.

In the future, it’s expected that NIST’s standards will be widely adopted across the industry. For IT professionals, this means there’s no better time than now to start developing a PQC plan to protect all customer and corporate data.

A starting point: Identify current encryption use

When preparing for PQC, a good place to start is by identifying all the points of encryption within your organization. Start with sensitive areas like VPNs, external server access, and remote access. IT leaders should also assess their current cryptographic methods and think about how the organization can upgrade to post-quantum standards in the future.

Some of today’s encryption methods are particularly vulnerable to quantum computers. For example, RSA, which encrypts a large portion of internet traffic, uses prime factors that are difficult for traditional computers to decode but much easier for quantum computers to crack.

Before a powerful quantum computer is released, organizations will need to replace RSA. Fortunately, there are several ways to do this. One is to double the number of bits used in current RSA encryption, from 2,048 to 4,096. This makes it significantly harder for quantum computers to break.

The same applies to other encryption schemes. By increasing the problem size, you make it far harder to solve.

In the coming years, we can expect most operating systems to deploy post-quantum-safe crypto libraries. Browsers will use these libraries to protect browsing data. As a result, keeping software patched and up to date will become even more critical.

For companies providing web services, now is the time to think about how to ensure compatibility with these crypto libraries.

Read more: How quantum computing will transform IT security

Challenges in implementing post-quantum cryptography (PQC)

While post-quantum cryptography is a promising solution, it’s still evolving, and implementing it isn’t straightforward. Professionals face several IT security challenges as they prepare their organizations for the quantum future.

Compatibility with legacy systems

One of the biggest hurdles in implementing PQC is ensuring compatibility with existing systems and infrastructure. Many organizations rely heavily on legacy systems built around traditional encryption methods like RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman.

Transitioning these systems to PQC-compatible algorithms requires major updates to both hardware and software. This includes updating certificates, secure protocols, and API integrations. Legacy systems might not work with post-quantum standards, which could mean they need to be reworked or completely replaced.

Performance and efficiency

Post-quantum encryption algorithms are more secure, but they can also require a lot of computational power. This could create performance bottlenecks, especially in environments where high-speed encryption and decryption are critical, like real-time communications or large-scale cloud systems.

IT professionals will need to weigh the trade-offs between the increased security of PQC and the potential performance impact. Some algorithms are optimized for specific use cases, but others may require more processing power, which can lead to higher energy consumption and slower operations.

Standards and industry adoption