Amber Strickland
Principal Associate
Quantum computing is advancing rapidly. Whilst there is potential for groundbreaking developments in technology, such as quantum sensing in the medical field, this new era also brings significant risks, particularly for data security. Quantum computers (QC) threaten to render many of our current cryptographic methods obsolete. The unparalleled processing power of QC will lead to decryption of data protected by traditional cryptographic measures.
The challenges that quantum computing will bring necessitate a proactive approach to safeguarding sensitive information. Cryptography, while a crucial line of defence, is just one of many strategies that must be employed to protect data in the face of quantum advancements.
Regular computers currently use cryptographic algorithms to protect personal and other data. These cryptographic algorithms, which we all use for authentication across the internet, such as passwords and digital signatures, are at significant risk of being easily hacked or forged by the power of quantum computers. While it may be years before quantum computers gain the processing power to do this, it is crucial that preparation begins now.
Quantum computing poses significant risks to data security, particularly because cyber criminals and rogue nation states are known to be carrying out "harvest now, decrypt later" attacks (also known as "store now decrypt later" attacks) whereby they steal vast amounts of encrypted data today, anticipating that future quantum computers will have the power to decrypt it.
This strategy exploits the fact that quantum computers, which work fundamentally differently to classical computers, could easily break current encryption standards. As a result, sensitive personal data, financial information, and national security secrets could be harvested now and decrypted and misused later, leading to severe privacy breaches and security threats to huge organisations.
There is some uncertainty as to when that threat will become a reality and whether, by the time it does, that data will still be as confidential/sensitive as it was when it was harvested. However, uncertainty as to timelines should not be a reason to stall in preparing for what seems an eventual inevitability.
The Information Commissioner's Office (ICO) has worked to identify the privacy and data protection implications of emerging technologies which will enable innovators in the quantum space, and organisations processing personal data, to consider and strive for data protection in a post-quantum world. The ICO are working with the National Cyber Security Centre (NCSC) to address challenges posed by quantum computing.
The ICO recommend that financial institutions and digital service providers start to prepare for a post-quantum world by identifying and reviewing their at-risk information, systems and cryptography. All organisations should ensure that their systems are secure against existing risks and keep their cybersecurity policies up to date.
One of the approaches to addressing the risk is post-quantum cryptography (PQC), which is being explored by cryptographers globally. PQC is the term given to cryptographic techniques designed to remain secure even in the presence of powerful quantum computers. It has been endorsed by the NCSC and will ensure that data at rest cannot be decrypted by quantum computers in the longer term, protecting particularly against "harvest now, decrypt later" attacks.
The National Institute of Standards and Technology (NIST) is playing a significant role in the standardisation of the algorithms being developed to be resistant to quantum computing attacks. NIST released the first three PQC standards in August 2024, which are the final set of encryption tools designed to withstand attack through a quantum computer.
The next step for NCSC and NIST is to introduce protocols which will assist with the objectives and means of ensuring that organisations comply with the standards in place. NCSC are currently working on a whitepaper which will include guidance to help organisations start to think about PQC.
NCSC suggests that the biggest priority in the near term for organisations processing and controlling data is to understand their estate and the data holdings that they have. They advise that all new IT should either use PQC or be capable of being upgraded to PQC.
Training: Provide education to stakeholders on the NIST PQC standards, including how they can be implemented and what PQC means for data protection.
Assessment of processes: Assess all current cryptographic systems to identify areas that need upgrading to a PQC system and begin to develop a detailed transition plan that includes timelines, resource allocation, and risk management in preparation.
Pilot Testing: Implement pilot tests to evaluate the performance and security of the new encryption standards (PQC) so that any necessary adjustments can be made prior to the introduction of quantum computers.
Collaboration: Work with industry partners and cybersecurity experts to gain valuable insights and to ensure a smooth transition.
Gradual Implementation: Begin with less critical systems and gradually move to more critical ones within the organisation. The phased approach assists in managing risks and ensures that no operations are hindered during the implementation process.
Monitoring and Maintenance: New PQC systems need to be continuously monitored so that the necessary updates and improvements can be made. Regular maintenance is crucial to address emerging threats and vulnerabilities within the technology.
Sitehop is a cybersecurity technology startup based in Sheffield, UK, focused on advancing network security and performance for a quantum-enabled future. They develop both hardware and software solutions aimed at revolutionising data movement through faster, better, and greener encryption.
Their flagship product, the SAFEcore 1000 Enterprise solution, offers ultra-low-latency hardware-enforced encryption and decryption for secure communications. SAFEcore 1000 is quantum-resistant and can work with any third-party encryptors already in an organisation's network to meet a wide range of security needs. Sitehop's mission is to provide innovative networking and cybersecurity solutions that help businesses enhance their online presence and protect their digital assets.
Sitehop acknowledges that the risks posed by quantum computers are a current concern and should not be deferred until quantum computers of sufficient power are developed. That is why they have released PQC products to transition to quantum secure networks. They say that PQC will solve the two key issues which have been explored in this article:
i) regulatory compliance; and
ii) "harvest now, decrypt later" attacks, because it will be resistant to quantum computers in a way that current algorithms are not.
The issue now is one of transition of complex networks to PQC and how to design systems that can evolve (using crypto agility) as we understand better what quantum computers do. Sitehop are developing cryptographically agile systems enabling existing cryptographic mechanisms, algorithms and key management practices to be replaced with new post-quantum alternatives effectively and without disruption to any existing infrastructure.
If you'd like more information on how to protect your business and your customers, get in touch with Amber Strickland, Patrick Arben or a member of our team.