Think you can ignore quantum computing? Think again.

“It’s been known since the 1990s that a large-scale quantum computer will be able to break many of the crypto systems we rely on for security,” says Dustin Moody, leader of Post Quantum Cryptography (PQC) at the National Institute for Standards and Technology (NIST) in Maryland.

In 1994, American mathematician Peter Shor developed quantum algorithms to factor integers and solve the discrete logarithm problem. When run on a big enough quantum computer, these algorithms will be able to crack all the public key crypto systems we rely on today for privacy. This includes anything based on RSA, Diffie-Hellman, and elliptic curve cryptography — all of which are NIST standards that have been adopted and trusted by governments and companies around the world.

While the current generation of quantum computers can only run Shor’s algorithms for trivial cases, many experts predict that in five to 15 years, they’ll be big enough to break all of today’s public key crypto systems.

Prepare now for the quantum cryptography threat

To counter the threat well ahead of time, NIST launched in 2016 an international call for algorithms that will protect data even once large quantum computers become available. After a long selection process, NIST announced its intention to standardize four of the PQC algorithms this summer.

The impact will be felt globally. While NIST standards are developed for use by agencies of the US government, they tend to get adopted by other governments and companies around the world. Many public and private organizations use these standards and require their partners to do the same.

According to Moody, several countries — including the UK, Germany, France, and the Netherlands — have already announced their intentions to use the four PQC solutions approved by NIST, and the International Standards Organization (ISO) will add them to their own list of norms. Moreover, many of the big companies that worked with NIST on the selection process are already preparing to use the new standards.

Even before the algorithms are officially approved this summer, CIOs should start taking steps. Moody recommends they start by doing a cryptographic inventory to see which public key crypto systems they and their partners use. This isn’t easy, but several vendors are developing tools to help with that process.

CIOs can also ensure they assign somebody to lead in the transition, and that they have the funding and expert staff they need. Organizations can also start testing the algorithms in their environments and check their supply chain partners are doing the same.

Jeff Wong, global chief innovation officer at EY, says even if they’re not yet required to make a change, CIOs can already start planning NIST-approved algorithms into their cybersecurity upgrades. “Companies often have three-to-four-year cybersecurity upgrade cycles,” he says. “If there’s a possibility quantum computing can crack keys within five years, and your upgrade cycle is three to four years, you have to start taking action in a year or so.”

Another thing CIOs should do is protect against “store-now, decrypt-later” attacks. Hackers may be collecting encrypted data already that they can decrypt once quantum computers become big enough and reliable enough to run Shor’s algorithms. Some industries are more affected than others, such as healthcare, financial services, and higher education, where medical records, financial information, and academic records need to be protected for a lifetime. But virtually all sectors should be concerned with personal identifiable information (PII) that needs to be protected indefinitely.

According to Wong, CIOs should consider securing data in transit to protect against these kinds of attacks, especially for government-related contracts. “Companies may not be talking about it out loud,” he says. “But we’re hearing through our friends in the ecosystem that government suppliers and companies in industries including financial services are already planning to encrypt their communications for this very reason.”

But some organizations in financial services have been very open about getting a head start. “We’re keeping a close eye on the work of NIST as they standardize PQC protocols,” says Philip Intallura, global head of quantum technologies at HSBC. “Preparing for this new type of cryptography is a core part of HSBC’s quantum program.”

In April 2022, the bank formalized their quantum technologies program with a dedicated research team of in-house PhD scientists to explore opportunities. “As part of our portfolio of work, we look at use cases linked to both defense and compute,” says Intallura.

The NIST standards figure prominently in the defense side of their work. “We have several use cases in progress that will help us understand how PQC may be adopted to specific applications,” he adds. “Given the scalability of PQC, we expect it to feature in our future cryptography landscape, considering our presence in 62 markets around the world.”

Understand the opportunities

“On the compute side, we’re exploring quantum technologies for emerging commercial opportunities,” says Itallura. “The types of models we run in the bank every day are closely matched to the types of models a quantum computer can consume.” The quantum technologies team at HSBC works with different business lines and functions to explore and test real world use cases including portfolio optimization, quantum machine learning, and financial simulation.

Once quantum computers are big enough for industrial use, they’ll change the nature of competition in financial services and other industries very rapidly. Everyday examples of problems that might be solved include distributing electricity, finding the best routes in transportation networks, and determining the best mix of allocations in a financial portfolio. Quantum computing can also be used to simulate molecules, an essential technique to develop new drugs and catalysts — and for chemistry research and materials science in general.

According to Ville Kotovirta, lead for the quantum algorithms and software team at the Technical Research Center (VTT) in Finland, quantum computing could also be used for machine learning (ML), which will affect virtually every industry. ML is a good example of a use case that will require a hybrid arrangement. “Because quantum computers can’t handle large amounts of data yet, a supercomputer can hold the data and perform some of the operations,” he says.

Data stored on a supercomputer is encoded into quantum information and handed off to the quantum machine, which does the processing. Then the circuits are measured to obtain the results, which are then translated back to classical data. The supercomputer might do some post-processing of the output to mitigate errors in the computation.

The two systems also work together to adjust parameters. “There are algorithms called variational algorithms where you have free parameters in the quantum circuit that need to be optimized using the classical computer,” says Kotovirta. “For example, gate rotations are free and need to be optimized by multiple repetitions of this process. The circuit is evaluated on the quantum computer and the parameters are adjusted on the classical computer. It takes several repetitions of this back-and-forth to get the right setting. As quantum computers get bigger, the optimization task will require more classical processing power.”

Gauge readiness

Kotovirta says that while quantum computing is already easily available, so far it’s only solved trivial problems. But even in its current state, the market is already over $1 billion, according to IDC. That includes development of devices, software for controlling the hardware, cloud services, and application development.

“The whole world is in rehearsal, learning how to build these devices, how to develop applications, and how to apply them,” says Kotovirta. “People are building quantum readiness because once the technology starts providing benefits over classical devices, things will happen very fast.”

One question CIOs need to think about is who should access these services — managers, in-house experts, or external consultants. “You need to understand your use cases, and think about where you can get the expertise, whether it’s in-house or through consultants,” Kotovirta adds.

In some sectors, there’s no need to start using quantum computing right away, so IT leaders can afford to wait until some of the kinks have been ironed out. As CIO of online retailer Partner.co, Troy Hiltbrand finds that while people in retail should take steps to address PQC this year, they’re in no hurry to apply quantum computing to gain a competitive advantage. Opportunities are less immediate than in industries like financial services.

According to Hiltbrand, shortly after quantum computing becomes ready for industry, there needs to be a simple interface that allows for its consumption by even the least technical people at the executive level. “Then it will rocket into the forefront just like gen AI has done today,” he says.