Quantum computing will require massive software updates. Doing that securely will be its own challenge.

The tech industry is scrambling to implement new “quantum-resistant” algorithms — which could be a “significant source” of security vulnerabilities — years before the arrival of quantum computing.


The tech industry is gearing up for a "post-quantum" scenario.

Illustration: Chor muang/iStock / Getty Images Plus

No matter how long it takes to reach commercialization in the enterprise, quantum computing could have major consequences for the world of cybersecurity well in advance of the technology going mainstream.

To date, most of the security discussion around quantum computing has focused on the possible implications for data encryption. The most common scenario: Someday — maybe in five, 10 or 20 years — mega-powerful computing systems that harness the very weird properties of quantum mechanics could achieve the unthinkable, and obliterate the current methods of encryption that the internet depends on for security.

On the other hand, maybe this will never happen at all. No one can say for sure.

It's very clear, however, that the tech industry is gearing up for this so-called "post-quantum" scenario. Software will be updated on an epic scale to accommodate new methods of quantum-resistant cryptography that are being advanced by the government and researchers.

That means while nobody can be certain if quantum computing will ever really pose a security risk itself, the preparations surely will: It's inevitable that we'll see a large number of security vulnerabilities unintentionally introduced into software as the process plays out, said Jonathan Katz, a cryptography expert and IEEE member. Any time software is changed on a large scale — particularly when it’s happening quickly — vulnerabilities will tend to creep in.

"We know how to design mathematically secure algorithms," said Katz, who’s also a professor of computer science at the University of Maryland. "We're not quite as good yet at implementing them in a secure way."

That’s a challenge the tech industry will have to figure out. If the hackers of, say, 2032 get their hands on a quantum computer that could break encryption, it would put much of the world's data at risk. (That includes, by the way, encrypted data that threat actors might be collecting today and storing away for a decrypting opportunity in the quantum future, according to experts.)

We can thank the efforts of cryptography specialists working in tandem with the National Institute of Standards and Technology for helping the industry prepare for this threat. Back in 2016, the agency helped get the ball rolling on post-quantum cryptography by launching a process for soliciting the algorithms needed to do the job.

In July, NIST presented the fruits of that six-year process, announcing four algorithms that the agency aims to use as the basis for the new quantum-resistant method of encryption. The algorithm that will provide secure web access is known as CRYSTALS-Kyber (some experts refer to it as Kyber). The three remaining algorithms will come into play for identity verification during digital exchanges.

While NIST says it expects to finalize the algorithm choices in "about two years," the vendors whose technology underpins the functions of the internet have already begun exploring how to implement them — particularly Kyber.

Make it work

Since there are a number of different ways to implement Kyber, the industry now has to settle on which type of implementation to embed into the TLS protocol, which is what enables HTTPS secure web browsing.

"The industry is now in the mode of, 'OK, we know what the algorithm is going to look like — how do we actually deploy it into systems? And what are the troubles and pitfalls of that?'" said Nick Sullivan, head of research at web security and performance vendor Cloudflare.

Software developers, however, have had decades to figure out how to properly deploy existing forms of encryption, such as RSA. "That time has allowed people to learn from their mistakes," Katz said. "And many mistakes were made along the way."

Now, we may have the same situation occur again, with the implementation of largely untested new algorithms that are based on different techniques, he said. Rather than facing an underlying issue with the algorithms, he believes it's more probable we'll see a variety of flaws in the code introduced during the software engineering process.

We know how to design mathematically secure algorithms. We're not quite as good yet at implementing them in a secure way.

Buffer overflow issues — a common bug in software code that can enable an attacker to access parts of memory they shouldn't be allowed to — are among the types of vulnerabilities that are likely to pop up a lot in a situation such as this, Katz said.

How could this happen? For one thing, there will be a learning curve involved for software engineers.

To some degree, they "will need to understand what's going on under the hood," Katz said. The complexity of the algorithms could present bigger difficulties than understanding existing methods, however.

Meanwhile, as the saying goes, speed is the enemy of security. And there's going to be a lot of new software being written as part of these post-quantum preparations, and written quickly, Katz said.

All in all, the implementation of the new algorithms is sure to become a "significant source of vulnerabilities in the five years after these things are first widely deployed," he said.

Counting down to quantum

For better or worse, the tech industry feels a lot of urgency around implementing the post-quantum algorithms. In part, that's because "nobody knows" when the threat to encryption might emerge, said Nelly Porter, Google Cloud's lead product manager for technology areas including encryption and quantum computing.

"Everybody assumes that it will take many, many years. But I think in the world of cryptography, we are much more paranoid," Porter said.

When is the earliest she thinks it could happen?

"I would say [as soon as] three years for very advanced adversaries to make it usable," Porter said. "We have time to get ready. But we don't have too much time."

Other experts have predicted longer time frames before the performance of quantum computers would be able to break encryption (specifically, what’s known as “asymmetric” encryption, or public-key cryptography).

Chris Monroe, a quantum computing pioneer and Duke University physics professor, believes it will take 10 years or more to get there. In the meantime, early quantum computing applications — for instance, optimization of delivery routes or financial models — will likely be commercialized in a shorter time frame, said Monroe, who is also co-founder and chief scientist at quantum computing vendor IonQ.

However, it'll take longer for quantum computers to break encryption because the problem sizes are so big, he said. In other words, breaking encryption will probably not be the first thing that happens when it comes to real-world usage of quantum computers.

Once technology vendors have done their part to implement the quantum-resistant algorithms, that's when the work for businesses will begin. And that will probably be the hardest part of all, experts told Protocol.

Hardware, operating systems and software will all need updates to enable the new quantum-proof encryption methods.

"There's a big patching and replacement exercise that's going to go on here — which is complicated, time-consuming and important," said Tim Callan, chief compliance officer at Sectigo, a major provider of digital certificates that are used in the encryption process.

We have time to get ready. But we don't have too much time.

The process will require taking an inventory of everything they use that leverages encryption. That’s no small task for any organization, but it will be especially daunting for those with workers, data centers and edge devices scattered around the globe.

"They're going to need to look at every system. And they're going to need to say, 'Is this system post-quantum-ready or not?'" Callan said. "'And if it is not, how do I feel about that?' They're going to have to prioritize."

Businesses that rely heavily on cloud infrastructure will have less to worry about, since a lot of the updates will happen behind the scenes, said Cloudflare's Sullivan. Those who still have a lot of physical machines in their operation will need to figure out if their devices can even be updated, or if they'll need to be replaced, he said.

One of the big questions for businesses will also be whether their existing PC fleets will be able to handle the compute requirements of the new algorithms.

While NIST included a requirement that the new algorithms would not be significantly more compute-intensive, that doesn't mean that every PC will be able to run them, said Stel Valavanis, founder and CEO of managed security provider onShore Security.

In the same way that the shift to work-from-home and videoconferencing forced many businesses to upgrade their PC fleets, the arrival of post-quantum encryption could be the "next ceiling" that businesses run into in terms of device performance, Valavanis said.

Quantum divide

While it's still too early to know for sure, there's certainly a chance we could be heading into a "haves and have nots" scenario with quantum-resistant encryption, said Keith McCammon, co-founder and chief security officer at managed detection and response vendor Red Canary.

"We're probably going to run into questions of access: Is this thing equally accessible to everybody?" McCammon said.

On the other hand, there's also a chance that some businesses will not put a priority on quantum-proofing their systems at all.

Due to the uncertain and potentially long time frames — and all of the more immediate threats that businesses are dealing with on a daily basis — there's "always that risk" that some businesses will just ignore the issue, said Boaz Gelbord, chief security officer at Akamai Technologies.

In the short term, there might seem to be no consequences of inaction, said Joseph Steinberg, an independent information security consultant. But in all likelihood, we're never going to get much of an advanced warning about when encryption will be at risk, he said.

"The Chinese government doesn't announce what they're doing. We don't really know what the current capabilities are" for quantum computing, he said.

Ultimately, "we're talking about something catastrophic," Steinberg said. "And if we're wrong — and this hits sooner than expected — we have a problem."


Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.


Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories