How Boards Can Prepare for Quantum Computers

Quantum computing is being driven by applications that process massive calculations for big data. That includes developing new pharmaceuticals, performing financial modeling, developing next-generation communications capabilities for terrestrial and extraterrestrial applications, optimizing logistics, and running finite element analysis, as well as everyday applications in healthcare, manufacturing, and critical infrastructure.

But when the promise of quantum computing is finally realized, it will disrupt more than just high-performance computer systems (HPCSs); it will turn classical cybersecurity on its head. Today's unbreakable, hardware-based cryptography systems will be child's play for quantum computing algorithms, warn cybersecurity experts, who caution that the level of compute power from quantum computers will dwarf today's.

Here's some of what enterprise executives and board members need to consider when preparing for the upcoming migration to the new computing environment.

What Is the Quantum Computing Threat?

Jérémie Guillaud, chief of theory at French quantum computer manufacturer Alice & Bob, says companies should identify which systems and data eventually could be vulnerable to an attack. He suggests planning to have to defend against an attacking machine with 1 million qubits. That provides a starting point: setting a goal to migrate vulnerable systems to a quantum computer with more than 1 million qubits.

To put this in perspective, in December, IBM's Condor quantum computer had 1,121 qubits. That baseline offers organizations somewhere to start their planning. Despite the progress made in the past 15 years of quantum computing development, the threat to enterprises is likely still a decade away, Guillaud estimates.

While qubits, like classical bits, are either positive or negative, superpositioned qubits, called cat qubits, can be both positive and negative, existing in two quantum states concurrently. Today there are no defenses against a cat qubit attack, although various organizations are experimenting with new approaches.

"Things that we don't do today can have a massive impact on the future, particularly around the concept of organizations that are harvesting data today, data that's in transit, with our idea of being able to be decrypted at a later stage," says Trevor Horwitz, founder and CISO of TrustNet, a provider of managed security, consulting, and compliance services. "It's not just about the risk of things happening today; it's being able to predict what risks we're going to be facing."

The effort, commonly called "harvest now, decrypt later," makes current highly secure data not as secure in the long term as the enterprise thinks. Boards need to begin their efforts now to secure data for a future that effectively is still unknown.

The Board's Role With Quantum Computing

If boards wait until quantum computers are in commercial production, it will be too late to start planning network and system upgrades, which could take up to a decade to fully implement, says Lisa Edwards, executive chair of Diligent Institute, the governance think tank and global research arm of Diligent Corp.

"The way that I think about it is this has moved from being a physics problem to being an engineering problem, and it's very rapidly becoming an operations problem," she notes. "I do think it's the appropriate time for boards to start becoming more knowledgeable about it, becoming conversant about it. The role of the board is not to tell the CISO which lattice-based encryption they should use. The role of the board is to ask the question: 'What are we doing? Are we prepared if this were announced tomorrow? What would happen?'"

Tom Patterson, managing director of emerging technology security at Accenture, agrees. Corporate boards should recognize that while the threats are real, they do not need to be quantum physicists to develop defenses — although they will need to listen to those who are in order to succeed, he says.

While boards have other cybersecurity concerns, they need to start planning for the future, Patterson adds. For example, boards can require that new infrastructure device purchases, such as routers and firewalls, have quantum-resistant or upgradable firmware. Since these purchases are often already scheduled as part of network maintenance, there are no unanticipated purchases.

As Patterson notes, one major vulnerability of classical computing is that firmware is hard-coded. That means hardware needs to be replaced rather than upgraded, since the firmware is permanent. As attackers find new ways to breach systems, new approaches are needed to improve firmware.

One approach, called cryptographic agility, allows organizations to update and rewrite firmware by automatically rotating algorithms at the press of a button. Such a system was demonstrated on low-Earth orbit satellites in 2023. Crypto agility could kill the need for hardware replacements when firmware is compromised, which would make a board look smart indeed.