Quantum computers promise to solve the most complicated problems and equations that computers today cannot. But the promise is not all positive. The majority of global organizations see the emergence of quantum computing as a major threat to security, according to findings from DigiCert’s 2019 Post Quantum Crypto Survey.
While quantum computers aren’t commercially available yet, leading tech companies are making major headway in this space. In January 2019, IBM unveiled the world’s first circuit-based commercial quantum computer, the IBM Q System One. In October 2019, Google used its quantum computer processor, dubbed Sycamore, to solve a complex computation in 200 seconds, which would otherwise take a supercomputer 10,000 years to finish.
More recently, Amazon joined the quantum computing race by offering its cloud platform customers access to quantum hardware from three startups.
Go here to see a listing of eWEEK’s Top Predictive Analytics Companies.
Quantum computers are unique since they use quantum bits, or qubits, and can be in multiple states at once. This means they can tackle an immense number of outcomes, resulting in greater computational ability. This also means quantum computers could potentially break the most sophisticated encryption algorithms, which has security experts worried and businesses confused about what to expect in the future.
DigiCert conducted its global survey in partnership with ReRez Research to understand how organizations are addressing security and how much they know about Post Quantum Cryptography (PQC), which are cryptographic algorithms necessary to withstand quantum computing threats. The respondents were divided among IT directors, IT security managers and IT generalists from 400 companies across the U.S., Germany and Japan. They survey focused on four industries: financial, health care, transportation and industrial.
The findings show enterprise IT has general awareness of PQC, but there is also some early stage confusion. Less than two-thirds of those surveyed knew the correct definition of PQC. More than half (59 percent) said they’re deploying hybrid (PQC + RSA/ECC) certificates, which is unlikely because PQC certificates are still in early testing.
Quantum computing is definitely on key execs’ minds
Despite some uncertainty around what PQC involves, the survey’s overall results are promising. Quantum computing is on the minds of IT professionals, who are aware of the impending threats. Half (55 percent) believe quantum computing is a large threat today, while 71 percent think it’ll be a bigger threat in the future.
Most organizations anticipate quantum computing threats will become a reality within three years. That’s why 83 percent of respondents believe it’s imperative for IT to learn about quantum-safe security practices. A third reported they have already established budget to prepare for PQC and another 56 percent are planning to come up with one. For nearly all of these companies, the PQC budget will be “somewhat” to “extremely” large.
The survey found there are three specific concerns companies have when implementing PQC. First, the cost of fighting and mitigating quantum threats is too high. Second, data that is protected from attacks today will become easy to decrypt in the future. Third, encryption on devices and applications embedded in products will be more vulnerable when quantum computers become mainstream.
In preparation, companies should be aware of the risks they face and create a quantum crypto maturity model that reflects those risks. Crypto-agility is an effective way to swap old algorithms for new ones as changes take place quickly, so companies should establish it as a core practice.
Lastly, companies should collaborate with key vendors to establish digital certificate best practices. By tracking PQC industry progress, including products and services, companies can prepare for what’s ahead.
Zeus Kerravala is an eWEEK regular contributor and the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.
