Quantum computing will require massive software updates. Doing that securely will be its own challenge.

The tech industry is scrambling to implement new “quantum-resistant” algorithms — which could be a “significant source” of security vulnerabilities — years before the arrival of quantum computing.


The tech industry is gearing up for a "post-quantum" scenario.

Illustration: Chor muang/iStock / Getty Images Plus

No matter how long it takes to reach commercialization in the enterprise, quantum computing could have major consequences for the world of cybersecurity well in advance of the technology going mainstream.

To date, most of the security discussion around quantum computing has focused on the possible implications for data encryption. The most common scenario: Someday — maybe in five, 10 or 20 years — mega-powerful computing systems that harness the very weird properties of quantum mechanics could achieve the unthinkable, and obliterate the current methods of encryption that the internet depends on for security.

On the other hand, maybe this will never happen at all. No one can say for sure.

It's very clear, however, that the tech industry is gearing up for this so-called "post-quantum" scenario. Software will be updated on an epic scale to accommodate new methods of quantum-resistant cryptography that are being advanced by the government and researchers.

That means while nobody can be certain if quantum computing will ever really pose a security risk itself, the preparations surely will: It's inevitable that we'll see a large number of security vulnerabilities unintentionally introduced into software as the process plays out, said Jonathan Katz, a cryptography expert and IEEE member. Any time software is changed on a large scale — particularly when it’s happening quickly — vulnerabilities will tend to creep in.

"We know how to design mathematically secure algorithms," said Katz, who’s also a professor of computer science at the University of Maryland. "We're not quite as good yet at implementing them in a secure way."

That’s a challenge the tech industry will have to figure out. If the hackers of, say, 2032 get their hands on a quantum computer that could break encryption, it would put much of the world's data at risk. (That includes, by the way, encrypted data that threat actors might be collecting today and storing away for a decrypting opportunity in the quantum future, according to experts.)

We can thank the efforts of cryptography specialists working in tandem with the National Institute of Standards and Technology for helping the industry prepare for this threat. Back in 2016, the agency helped get the ball rolling on post-quantum cryptography by launching a process for soliciting the algorithms needed to do the job.

In July, NIST presented the fruits of that six-year process, announcing four algorithms that the agency aims to use as the basis for the new quantum-resistant method of encryption. The algorithm that will provide secure web access is known as CRYSTALS-Kyber (some experts refer to it as Kyber). The three remaining algorithms will come into play for identity verification during digital exchanges.

While NIST says it expects to finalize the algorithm choices in "about two years," the vendors whose technology underpins the functions of the internet have already begun exploring how to implement them — particularly Kyber.

Make it work

Since there are a number of different ways to implement Kyber, the industry now has to settle on which type of implementation to embed into the TLS protocol, which is what enables HTTPS secure web browsing.

"The industry is now in the mode of, 'OK, we know what the algorithm is going to look like — how do we actually deploy it into systems? And what are the troubles and pitfalls of that?'" said Nick Sullivan, head of research at web security and performance vendor Cloudflare.

Software developers, however, have had decades to figure out how to properly deploy existing forms of encryption, such as RSA. "That time has allowed people to learn from their mistakes," Katz said. "And many mistakes were made along the way."

Now, we may have the same situation occur again, with the implementation of largely untested new algorithms that are based on different techniques, he said. Rather than facing an underlying issue with the algorithms, he believes it's more probable we'll see a variety of flaws in the code introduced during the software engineering process.

We know how to design mathematically secure algorithms. We're not quite as good yet at implementing them in a secure way.

Buffer overflow issues — a common bug in software code that can enable an attacker to access parts of memory they shouldn't be allowed to — are among the types of vulnerabilities that are likely to pop up a lot in a situation such as this, Katz said.

How could this happen? For one thing, there will be a learning curve involved for software engineers.

To some degree, they "will need to understand what's going on under the hood," Katz said. The complexity of the algorithms could present bigger difficulties than understanding existing methods, however.

Meanwhile, as the saying goes, speed is the enemy of security. And there's going to be a lot of new software being written as part of these post-quantum preparations, and written quickly, Katz said.

All in all, the implementation of the new algorithms is sure to become a "significant source of vulnerabilities in the five years after these things are first widely deployed," he said.

Counting down to quantum

For better or worse, the tech industry feels a lot of urgency around implementing the post-quantum algorithms. In part, that's because "nobody knows" when the threat to encryption might emerge, said Nelly Porter, Google Cloud's lead product manager for technology areas including encryption and quantum computing.

"Everybody assumes that it will take many, many years. But I think in the world of cryptography, we are much more paranoid," Porter said.

When is the earliest she thinks it could happen?

"I would say [as soon as] three years for very advanced adversaries to make it usable," Porter said. "We have time to get ready. But we don't have too much time."

Other experts have predicted longer time frames before the performance of quantum computers would be able to break encryption (specifically, what’s known as “asymmetric” encryption, or public-key cryptography).

Chris Monroe, a quantum computing pioneer and Duke University physics professor, believes it will take 10 years or more to get there. In the meantime, early quantum computing applications — for instance, optimization of delivery routes or financial models — will likely be commercialized in a shorter time frame, said Monroe, who is also co-founder and chief scientist at quantum computing vendor IonQ.

However, it'll take longer for quantum computers to break encryption because the problem sizes are so big, he said. In other words, breaking encryption will probably not be the first thing that happens when it comes to real-world usage of quantum computers.

Once technology vendors have done their part to implement the quantum-resistant algorithms, that's when the work for businesses will begin. And that will probably be the hardest part of all, experts told Protocol.

Hardware, operating systems and software will all need updates to enable the new quantum-proof encryption methods.

"There's a big patching and replacement exercise that's going to go on here — which is complicated, time-consuming and important," said Tim Callan, chief compliance officer at Sectigo, a major provider of digital certificates that are used in the encryption process.

We have time to get ready. But we don't have too much time.

The process will require taking an inventory of everything they use that leverages encryption. That’s no small task for any organization, but it will be especially daunting for those with workers, data centers and edge devices scattered around the globe.

"They're going to need to look at every system. And they're going to need to say, 'Is this system post-quantum-ready or not?'" Callan said. "'And if it is not, how do I feel about that?' They're going to have to prioritize."

Businesses that rely heavily on cloud infrastructure will have less to worry about, since a lot of the updates will happen behind the scenes, said Cloudflare's Sullivan. Those who still have a lot of physical machines in their operation will need to figure out if their devices can even be updated, or if they'll need to be replaced, he said.

One of the big questions for businesses will also be whether their existing PC fleets will be able to handle the compute requirements of the new algorithms.

While NIST included a requirement that the new algorithms would not be significantly more compute-intensive, that doesn't mean that every PC will be able to run them, said Stel Valavanis, founder and CEO of managed security provider onShore Security.

In the same way that the shift to work-from-home and videoconferencing forced many businesses to upgrade their PC fleets, the arrival of post-quantum encryption could be the "next ceiling" that businesses run into in terms of device performance, Valavanis said.

Quantum divide

While it's still too early to know for sure, there's certainly a chance we could be heading into a "haves and have nots" scenario with quantum-resistant encryption, said Keith McCammon, co-founder and chief security officer at managed detection and response vendor Red Canary.

"We're probably going to run into questions of access: Is this thing equally accessible to everybody?" McCammon said.

On the other hand, there's also a chance that some businesses will not put a priority on quantum-proofing their systems at all.

Due to the uncertain and potentially long time frames — and all of the more immediate threats that businesses are dealing with on a daily basis — there's "always that risk" that some businesses will just ignore the issue, said Boaz Gelbord, chief security officer at Akamai Technologies.

In the short term, there might seem to be no consequences of inaction, said Joseph Steinberg, an independent information security consultant. But in all likelihood, we're never going to get much of an advanced warning about when encryption will be at risk, he said.

"The Chinese government doesn't announce what they're doing. We don't really know what the current capabilities are" for quantum computing, he said.

Ultimately, "we're talking about something catastrophic," Steinberg said. "And if we're wrong — and this hits sooner than expected — we have a problem."


How GM plans to make its ambitious EV goals reality

The automaker's chief sustainability officer is optimistic that GM is well-positioned to rapidly scale up the EV side of its business.

"I think everything that’s been put in place to support the transition will be a real positive for the industry and for the country."

Photo: Eva Marie Uzcategui/Bloomberg via Getty Images

Automakers are on the cusp of an entirely new era.

The transition to electric vehicles is quickly becoming more than just theoretical: More models are coming onto the scene every day. This week, the Inflation Reduction Act was signed into law, enshrining a new structure for EV tax credits and offering a boost to domestic critical mineral mining. The transition isn’t coming a moment too soon, given that the transportation sector makes up the largest share of greenhouse gas emissions in the U.S.

Keep Reading Show less
Lisa Martine Jenkins

Lisa Martine Jenkins is a senior reporter at Protocol covering climate. Lisa previously wrote for Morning Consult, Chemical Watch and the Associated Press. Lisa is currently based in Brooklyn, and is originally from the Bay Area. Find her on Twitter ( @l_m_j_) or reach out via email (ljenkins@protocol.com).

As management teams at financial institutions look for best practices to make part of their regular toolkit, they are reaching most for the ones that increase the speed and reduce the risk of large-scale change.

That forward-thinking approach can lead financial institutions to leverage AI technology, which can help give decision-makers trusted tools to solve integral challenges vital to the health of the business. One of the leading providers of AI and machine-learning software, DataRobot continues to attract clients in financial services who want to de-risk their AI investments and rapidly scale AI to almost every part of their operations, resulting in improved productivity and higher customer satisfaction.

Keep Reading Show less
David Silverberg
David Silverberg is a Toronto-based freelance journalist, editor and writing coach. He writes for The Washington Post, BBC News, Business Insider, The Toronto Star, New Scientist, Fodor's, and several alumni magazines. He also writes for brands such as 23andme, Shopify and Bold Commerce. He has served as editor of B2B News Network, Canada's only B2B news magazine, and Digital Journal, a leading pioneer in citizen journalism. Find more about him at www.davidsilverberg.ca

How Embracer Group bought ‘Lord of the Rings’ rights for a bargain

The Swedish holding company, known best for its gaming acquisitions, bought the rights to “The Lord of the Rings.” But the deal is much more complicated than it seems.

Who really owns LOTR's rights?

Photo: New Line/WireImage

A new stakeholder has entered the complex licensing web of “The Lord of the Rings,” and the landmark deal has further complicated the already messy media empire surrounding author J.R.R. Tolkien’s fantasy epic.

The buyer, the acquisition-hungry Swedish gaming conglomerate known as Embracer Group, has purchased Middle-earth Enterprises, and with it the associated film, video game, board game, merchandise, theater production and theme park rights to the core LOTR book trilogy and “The Hobbit'' from its previous owner, The Saul Zaentz Company. Formerly Tolkien Enterprises, Zaentz’s holding group has held onto the rights since purchasing them from United Artists in 1976. (Tolkien initially sold them to UA in 1969, four years before his death.)

Keep Reading Show less
Nick Statt

Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.


Upstart has a new plan to sell Wall Street on its loans

The AI-powered lender will hold some loans on its balance sheet as it seeks partners for long-term capital.

Despite the current struggles, Upstart views the marketplace model as the best way to write to keep its loan business growing.

Photo: Upstart

After a revenue drop its CEO called “unacceptable,” the leadership at fintech lender Upstart is making a bet on the strength of its ability to underwrite loans with AI.

The San Mateo company is planning to leave some loans on its balance sheet that investors do not want to buy, as concerns about the economy shift Wall Street away from backing riskier consumer debt. Rather than pull back on its lending in response, the company said it will hold some loans as it seeks longer-term capital partners.

Keep Reading Show less
Ryan Deffenbaugh
Ryan Deffenbaugh is a reporter at Protocol focused on fintech. Before joining Protocol, he reported on New York's technology industry for Crain's New York Business. He is based in New York and can be reached at rdeffenbaugh@protocol.com.

Does your boss sound a little funny? It might be an audio deepfake

Voice deepfake attacks against enterprises, often aimed at tricking corporate employees into transferring money to the attackers, are on the rise. And at least in some cases, they’re succeeding.

Audio deepfakes are a new spin on the impersonation tactics that have long been used in social engineering and phishing attacks, but most people aren’t trained to disbelieve their ears.

Illustration: Christopher T. Fong/Protocol

As a cyberattack investigator, Nick Giacopuzzi’s work now includes responding to growing attacks against businesses that involve deepfaked voices — and has ultimately left him convinced that in today's world, "we need to question everything."

In particular, Giacopuzzi has investigated multiple incidents where an attacker deployed fabricated audio, created with the help of AI, that purported to be an executive or a manager at a company. You can guess how it went: The fake boss asked an employee to urgently transfer funds. And in some cases, it’s worked, he said.

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.

Latest Stories