Data center cybersecurity managers have been getting warnings for years that quantum computing was on its way and it would break all existing encryption.
With quantum computing now on the verge of becoming real and early versions of these next-generation computers already available to the public and to governments, the time to take action is now.
Fortunately, there are steps that data centers can take, including evaluating new quantum-ready encryption algorithms and talking to vendors about their post-quantum encryption plans.
Quantum Computing Is Just Around the Corner -- and Encryption Is in the Crosshairs
If you think of a classical computer as a bunch of coins on a table, heads and tails, ones and zeros, a quantum computer is what happens when you toss all the coins up in the air at once and watch them spin.
It turns out that quantum computers are particularly good at doing certain kinds of calculations -- such as factoring large numbers. Coincidentally, the difficulty of factoring large numbers is one of the cornerstones of Internet encryption.
Once factoring becomes easy, most current-day encryption will become instantly obsolete.
There are several companies making quantum computers now, including IBM, Google, Fujitsu, HPE, IonQ, Rigetti, Xanadu, and D-Wave, among others, but practical, real-world benefits are yet to be felt.
“A few vendors are experimenting but most companies are not yet there to build a quantum computer that demonstrates advantage over a classical computer,” Gartner analyst Alan Priestly told Data Center Knowledge.
Instead, we've mostly seen proofs of concept and research projects that show what quantum computers will be capable of — someday. When they have enough qubits, and those qubits stay entangled long enough, and when the error rates come down.
How Close Are We to Quantum Computing?
Depending on how much of a vested stake someone has in a quantum computing company may be as long as ten or twenty years in the future and data center managers have nothing to worry about just yet.
"We may reach quantum value at some point in the next five years," said Forrester analyst Brian Hopkins. "But people who aren't invested in the vendors say it will take ten to 20 years before we get something valuable."
What about the possibility of quantum computers breaking today's encryption? Data center cybersecurity managers "should be aware of it and appropriately concerned, but not going off the deep end," he said. "It will require 10 million-plus qubits in a universal gate model computer. Today, the best number of qubits we have is less than 200."
Meanwhile, researchers are already working on next-generation, quantum-safe encryption algorithms, he added.
"Before quantum computers can threaten our data, we’ll have ways to protect the data," he said.
And yes, malicious actors may already be scooping up data in hopes of breaking the encryption on it at some point in the future.
"But I don’t know how much of that data is still going to be valuable in ten years, given how fast things change," he said. "If there’s data now that you are sending over wires that you think in 10 to 15 years, will still be useful or harmful if decrypted, you need to think about how to encrypt that — or not send it at all. But is it something your average business is going to care about? No."
In fact, there are plenty of other things to worry about before most data centers will need to start worrying about quantum computing, according to SANS Institute fellow and cybersecurity expert Eric Cole, who is also an advisory board member at Theon Technology and the CEO of Secure Anchor consulting, as well as an author of several books about cybersecurity.
"Today, so many data center managers still have data not properly encrypted," he said. "They are still using a single key for all of their records within a database and the keys are still stored plaintext with the encrypted data. This is the problem that needs to be focused on, not worrying about something that might or might not even happen in the foreseeable future."
People have been talking about quantum computing for 25 years now, he said, and it still hasn't happened.
"The real irony is companies are worried about quantum making all of their data public, but the reality is their data is essentially public because they are not protecting the keys," he said. "This is evident based on every major breach in which the encrypted data was accessed with ease and simplicity."
Instead of worrying about quantum threats, data center managers should be taking care of the basics such as fixing their key management issues.
But other experts disagree.
The Quantum Decryption Threat May Be Very Imminent
Given today's pace of development and the fact that quantum computing resources are now accessible to anyone via the cloud, some expect nation-state attackers and other heavyweights to be using the technology within the next two to five years.
According to Skip Sanzeri, co-founder and COO at QuSecure, a company focusing on quantum-proof encryption, it will only take 4,099 qubits to break the popular RSA-2048 encryption algorithm.
"And you've got Google and Rigetti and others all working on quantum computers, talking about having 1,000 qubits by 2024," he told Data Center Knowledge.
And that's just using one possible decryption method, using something called Shor's algorithm. There might be other algorithms, yet to be invented, that will need fewer qubits to do the same task, he said.
Meanwhile, there's also been progress made at linking multiple quantums computers together into one large, virtual, quantum computer.
"Over in China, they can now take quantum computers and entangle them," said Sanzeri. "Now you only need ten 400-qubit computers that you entangle together."
And he's also dismissive of the idea that nobody is going to care about decrypting old data.
"Look at banking information," he said. "How often do you change your bank account number? Not often. Or your social security number. Health care information lasts for 75 years, according to HIPAA. Government secrets, nuclear, military -- these things have a minimum of 50 years that they want to protect them."
He suggests that data centers should already be looking at quantum-safe encryption.
One place to start is the NIST standards, which released its first four post-quantum encryption algorithms this past summer.
But these algorithms are a work in progress.
In fact, one of them was cracked the same month it was released by a couple of researchers with a single-core Intel processor in about an hour.
"We expect these things to fail," said Sanzeri. "So make sure you're cryptographically agile."
That means being able to switch out encryption as needed, including re-encrypting old stored data when old algorithms become obsolete.
"Think in terms of resilience, not perfection," Sanzeri said.
But they don’t have to do it all themselves. Data center managers should also be talking to their vendors. All companies that include encryption in their hardware, software or services should have a plan to upgrade to quantum-proof algorithms.
"Data center managers clearly should be quizzing their tech providers about what they're doing to be quantum ready or quantum proof," said Rik Turner, principal analyst for emerging technologies at Omdia.
And data center managers who hold particularly sensitive data may go a step further, he added.
"They might also like to consider actions such as splitting up their encrypted data for storage in different places, and even using different encryption algorithms on the different bits of it to make it more difficult and costly for attackers to steal all the bits and decrypt and reassemble them down the road," he said. "This is one way of addressing the pre-quantum harvesting issue that should go some way to mitigating the problem, even if not completely solving it.
And while hardware security modules could help, data centers might consider diversifying their HSMs, and using different keys in different places to make attacks more complex and costly, he added.
