Quantum computing attacks, which are feared to completely break modern cryptography on the Internet, are still nearly a decade after being viable. However, it is widely seen as inevitable, and this has not prevented attackers from preparing in advance. new vote Deloitte has found that there is an immediate and significant cyber risk from “harvest now, decrypt later” (HNDL) attacks, in which attackers steal encrypted information and simply sit on it until quantum computing advances make it easy to hack.
Among other findings, just over half of the IT professionals surveyed said their organizations are currently at risk of HNDL attacks. But less than half are currently at the top of their analysis of these emerging cyber risks, and about 11% say there will be a need for a cyber incident (the point of which is too late) before they get their leadership to do something. about the threat.
Remote cyber risks seem to be in the early stages of exploitation
The Deloitte survey included input from more than 400 IT professionals working in organizations that are actively studying the benefits of quantum computing, but not necessarily the new level of cyber risk that comes with it. Just over 26% said they had completed a risk assessment at this point. 18% have plans to do so this year, and 16% said they will do so in the next two to five years. 13% say they either have not planned to do this for more than five years or have no intention of doing so at all.
Roughly the same number of organizations that plan to conduct a cyber risk assessment long before quantum computing is expected to become a threat, just over half of all respondents feel that HNDL is an immediate threat to their organization. 21% do not feel threatened and 28% do not know.
What might lead some of the most reluctant organizations to take the threats of quantum computing seriously? 27% of respondents said it would require regulatory pressure. 20% believe leadership should be persuaded to demand change, 15% believe that change will happen if competitors are observed to do so, and 11% say it would take no less than a quantum computing attack to move the needle in their favour. organisation. Just under 7% felt customer or shareholder requests would make a difference.
A crack in quantum computing is expected by 2030
Cyber security experts differ in their opinions on this topic, but most believe that the quantum computing threat will arrive in as little as five years and possibly no more than 15. This means that organizations should reasonably expect to have defenses in place by the end of the present decade on At the latest.
While encryption is a vital part of data protection software, files encrypted with today’s algorithms will likely be cracked in seconds at some point by quantum computing tools. If these encrypted files are stolen now, then the threat actors only need to wait a few years to access them easily. Thus, the HNDL threat requires immediate attention, but so far awareness of it is lagging (not to mention purposeful action).
However, some experts warn that organizations should not pull too hard in the opposite direction and make panic moves to change crypto algorithms overnight. Not entirely new standards from NIST are expected until 2024, and most IT departments have many unaddressed cyber risk issues that are more immediately useful for improving security.
The risks are also not evenly distributed across industries and institutions. Current HNDL threat actors are roughly the nation-state attackers looking for state secrets and proprietary information that they can later unlock. These groups are also almost certainly the attackers among a limited group of people who have early access to stable quantum computing once it becomes a reality. Google Sycamore’s unstable quantum computer costs millions of dollars even before it hits hundreds of specialized communications cables that come in at $1,000 per two feet of length and have to be housed in a special cooling unit capable of constantly maintaining a very accurate temperature, and can malfunction if It has been off for hardware repair for a long time. The cyber risks of quantum computing are almost certainly limited to nation-states, at least in the early stages of their existence.
Currently, the HNDL threat is best addressed by keeping attackers off networks and away from sensitive files. Taking an inventory of “long-term” information assets that are not expected to change or become obsolete in the next few years, such as bank account numbers, can help as an immediate step; This highly sensitive data can be processed by existing means such as turning the switches.