Why critical infrastructure operators should address quantum computing threats now

HSBC Holdings Plc will become the first British bank to test an advanced data-security system based on quantum cryptography¹ being run by UK telecom giant BT Group Plc, Amazon.com Inc.’s AWS cloud and Japan’s Toshiba Corp. So-called quantum key distribution is a type of cyber defense that financial institutions think could help protect trillions of dollars of transactions from increasingly sophisticated hackers in the future. HSBC clearly believes that the impact of quantum computing needs to be dealt with now.

Quantum computing is not science fiction but a current and real challenge for all businesses, in particular for critical infrastructure operators, i.e., energy utilities, telecoms, banks, insurers, shipping companies, etc. Against the background of growing global threats, the security of infrastructure and the protection of business-critical information, intellectual property, etc. are more important than ever.

The German Federal Office for Information Security (BSI) has been warning for years about the threat to public-key cryptography posed by quantum computing. According to a recent survey of CSOs and CISOs conducted by the BSI together with KPMG,² 97 percent of the participants rate the general relevance of quantum computing for the security of cryptographic processes used today as “high” or “rather high”. Similarly, 65 percent rate the average risk to data in their own organization as “high” or “rather high.”

Q-Day is closer than many critical infrastructure operators think. According to a report in the Telegraph (2 July 2023), Google scientists completed a computational task on a quantum computer that would take a classical supercomputer 47 years to complete. The Google scientists published their findings on the preprint server arXiv.

There are operators of critical infrastructure who are lulled into a false sense of security because quantum computing is not yet commercially available, nor will it be in a few months, and they therefore believe that their encryption is for the time being immune to attack. Two points are important in this regard: (1) converting existing infrastructure to quantum-secure communications using quantum key distribution (QKD) or post-quantum cryptography (PQC) is a lengthy transformation process that is more sensibly done in the course of network upgrades or new installations. This means that considerable lead time is required. (2) The “harvest now – decrypt later” scenario can occur at any time, i.e., a hacker group siphons off encrypted data from the attacked company, stores it, and decrypts it as soon as QaaS (quantum computing-as-a-service) becomes available from Google or AWS or Microsoft, etc.

Conclusion: critical infrastructure operators must act now!

¹ Quantum key distribution could be part of future cybersecurity – Quantum computers could render current encryption useless (Bloomberg, Thomas Seal, 5 July 2023).