"Quantum should be considered a material risk from 2035"

The clock is ticking for businesses and governments to put in place measures to secure their digital infrastructure from the encryption risks posed by quantum technology, according to Zygmunt Lozinksi from IBM’s Quantum Safe Networks team, speaking to senior risk professionals at the Global Risk Summit, sponsored by Airmic.

Powerful quantum computers have the potential to solve certain problems at a speed and scale that is impossible for regular computers and opens previously unimaginable opportunities in fields such as drug discovery, transportation, financial services and aircraft design.

However, their ability to solve extremely complex algorithms also risks undermining the encryption systems much of today’s society is built on. This means encrypted data, digital signatures, banking systems and secure communications that are safe today could potentially be broken by future quantum attacks.

First wave of advantage

While quantum computing is in its infancy, “this year we are going to see the first wave of quantum advantage,” according to Lozinski, adding that for now, it will remain limited in scope and application. In financial services, for example, some institutional investors are using quantum technology for trade optimisation.

However, while the advantages of quantum are evolving at pace, so are the associated risks, and in particular its ability to undermine the encryption systems that secure the world’s digital infrastructure:

“Those systems that we can use to help us with financial services or scientific discovery can also be used to break the security of financial systems, of our mobile networks, and of the internet,” he warned.

For example, quantum technology can be used to forge so-called access tokens which authenticate users, devices and applications, potentially allowing attackers to gain unauthorised access to protected systems.

“That means you can’t trust your IT infrastructure, you can’t trust the integrity of the software in your electric vehicle and you can’t trust the integrity of the software in your aircraft,” he said.

No one knows when the risks will materialise, but experts believe it could happen within the next decade: “You should consider this a material risk from 2030 through 2035 onwards," Lozinksi warned.

Post-quantum cryptography

The good news is that cyber security experts have developed post-quantum cryptography that is secure against both the classical system and the quantum system and can run on everyday technology likes phones and computer servers.

These new cryptographic methods are designed to remain secure even against attacks from powerful quantum computers and are being developed and standardised to replace current encryption.

Transitioning to quantum-safe digital systems should be considered an urgent business priority given the size and complexity of the undertaking, urged Lozinski, warning that it is too late to wait until the quantum risk materialises to act.

Encrypted data is already being targeted by cyber criminals who recognise its potential future value, he noted. “If you have high value information like the design of a new drug with a capital value of three million euros and an economic life of 20 years, then someone can copy that now and decrypt it in five years’ time.”

The sectors that are most advanced in adopting quantum-safe cryptography are those with the highest long-term data sensitivity and regulatory pressure, such as financial services and banking, government and defence, telecoms, technology and cloud providers.

However, sectors with large amounts of legacy technology and a poor track record on cyber security, such as manufacturing, are considered more vulnerable.

Insurers should issue guidance

Regulators, governments and business leaders must be proactive in driving the necessary change, Lozinski said. Quantum risk should sit at board level and all firms must map their vulnerabilities and develop plans for updating their entire IT infrastructure, operational technology and technology supply chains, he advised.

Insurance companies will play a key role, he believes. “Those of you that underwrite cyber policies need to be asking yourselves how we can ensure that the policies we write deal with this risk and that we give appropriate guidance to the firms that we are underwriting on what measures they need to be taking.”

Globally, the US, Europe, UK and Japan are setting the direction in regulatory terms and publishing guidance on post-quantum cryptography. Last year, the EU published a roadmap urging critical sectors to begin transition activities immediately, while the UK’s National Cyber Security Centre has published guidance for businesses that can be read here.

Zygmunt Lozinksi was speaking at the Global Risk Summit, part of the inaugural London Risk Week that took place between 11-15 May.