So how much time do we have? Each month a new milestone is passed, from Intel’s Tangle Lake to
Google’s Bristlecone, which cleared the 50- and 72-qubit hurdles. These are evidence of the race toward
error-corrected quantum computing, with many companies investing in the promised processing efficiencies.
What do these benchmarks mean for digital businesses? The cryptography supporting the existing and
new systems being put into production today will be broken by quantum. The foundations enabling and
protecting the business—identity, signature, SSL certificates, blockchain identity and non-repudiation,
encryption technologies for data protection—will be null and void.
Although it will take thousands of qubits to become a threat to cryptosystems, Accenture believes that
national labs and nation states will quietly break that processing barrier within the next eight years—by
2025. Most estimates for commercially available quantum computing range from 10-20 years in the future
due to the fragility of quantum computing, which requires an interference-free environment of nearly zero
degrees Kelvin. However, businesses and industries that are targeted by nation state threat campaigns
should anticipate the accelerated timeline because these accomplishments will be largely unreported.
If that isn’t enough, exposure is not limited to business operations and data at some notional point eight
years from now. Another dimension to the threat is the past. Adversaries who have collected intelligence
and information from years of campaigns will also have the keys to a company’s history—and it may be
revealed. Security executives must ask: What information have nation states been collecting about their
business, such as passwords, intellectual property or an understanding of business methods?
Companies must comprehend both the nature of the threat and threat actors to know what they are collecting
now. Understanding threat actors’ motivations is critical to understanding business exposure and prioritizing
remediations around cryptographic methods and other means of protection. Threat intelligence is business
intelligence. Threat intelligence managed service providers provide the deep knowledge and understanding of not
only the threat actors and their sponsorship, but also the marketplace around a company’s data on the dark web.
Clearly, the timeframe to begin strategic mitigation planning is now. With careful preparation,
companies can reduce the exposure of cryptographic systems that provide authentication, integrity
and confidentiality in business operations and communications by making existing enterprise systems
more resilient and migrating away from enterprise systems where compromise is imminent. Those that
begin the process now will be more likely to complete it before the inflection point when quantum
computing is viable and capable of breaking our cryptographic protections. To get started, CISOs
should take these steps:
ASSESS THE CHALLENGE
Gain a big-picture understanding of where the risks are across the business. Knowing how
business processes are enabled by cryptographic methods makes it easier to grasp the scope
of the challenge. In addition, perform a more detailed inventory to capture the cryptographic
method, key length, and where the keys and methods are kept and used across storage,
enterprise/business partner infrastructure and applications.
DEVELOP QUANTUM MITIGATION STRATEGIES
Update existing cryptographic methods, evaluate and use new standardized quantum-resistant
methods when released, or turn to alternative controls to protect the data.
Several cryptography-as-a-service solutions have matured and should also be considered.
Vendors that separate the key from the cryptographic method will position the business to
transform quickly as emerging quantum-proof standards and cryptographic methods are developed,
significantly reducing risk through the business transformation.
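The inventory and mitigation steps above can be sketched as a small triage script. This is an added example, not Accenture's tooling. The inventory rows, purpose labels, 128-bit threshold and ordering rule are assumptions constructed for illustration.

```python
import csv, io

# Constructed sample inventory (not from the page): one row per use of cryptography.
INVENTORY = """system,purpose,algorithm,key_bits,key_location,retention_years
vpn-gateway,key exchange,ECDH,256,HSM,10
web-frontend,tls certificate,RSA,2048,load balancer,1
backup-archive,data at rest,AES,128,KMS,15
payments-db,data at rest,AES,256,KMS,7
code-signing,signature,ECDSA,384,build server,5
"""

PUBLIC_KEY = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}  # Shor's algorithm: larger keys do not help
SYMMETRIC = {"AES"}                # Grover's algorithm: effective strength is about key_bits / 2
MIN_EFFECTIVE_BITS = 128           # assumed policy threshold
CONFIDENTIALITY = {"key exchange", "data at rest"}  # assumed labels; collected ciphertext stays at risk

def assess(row):
    """Classify one inventory row and attach a mitigation from the page's options."""
    alg, bits = row["algorithm"].upper(), int(row["key_bits"])
    if alg in PUBLIC_KEY:
        exposure, action = "broken", "migrate to a standardized quantum-resistant method when released"
    elif alg in SYMMETRIC and bits // 2 < MIN_EFFECTIVE_BITS:
        exposure, action = "weakened", f"update to {alg}-{2 * MIN_EFFECTIVE_BITS}"
    elif alg in SYMMETRIC:
        exposure, action = "ok", "no change"
    else:
        exposure, action = "unknown", "review manually"
    return {"system": row["system"], "algorithm": f"{alg}-{bits}", "exposure": exposure,
            "action": action, "key_location": row["key_location"],
            "harvestable": row["purpose"] in CONFIDENTIALITY,
            "retention_years": int(row["retention_years"])}

def plan(inventory_csv):
    """Order rows: worst exposure first, then already-collectable data, then longest retention."""
    rank = {"broken": 0, "weakened": 1, "unknown": 2, "ok": 3}
    rows = [assess(r) for r in csv.DictReader(io.StringIO(inventory_csv))]
    return sorted(rows, key=lambda r: (rank[r["exposure"]], not r["harvestable"], -r["retention_years"]))

if __name__ == "__main__":
    for r in plan(INVENTORY):
        print(f'{r["system"]:15} {r["algorithm"]:10} {r["exposure"]:9} {r["key_location"]:14} {r["action"]}')
```

Rows protecting confidentiality sort ahead of signature and certificate rows with the same exposure because traffic or data collected today can be decrypted once the capability exists.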
To learn more, read Accenture Labs’ upcoming Quantum Cryptography technical white paper for
security IT and administrators, which provides more context, research and analysis of the issue,
along with short-term steps to bridge the gap and long-term steps to maintain new quantum-proof