
Right now, the US Department of Commerce wants businesses to transition to the new encryption tools it has designed to withstand cyberattacks from quantum computers.

The So What

As the power of quantum computers advances, they will have the compute power to quickly decode the current encryption methods that keep 98% of electronic data safe.

There is a 50:50 chance of quantum computers being able to do this by 2031, according to BCG analysis in conjunction with the Institute for Quantum Computing.

And although this is a future threat, hackers could be downloading data now to decrypt it later.

“The risk is real and the risk is now, and that’s why these new tools have been launched preemptively,” explains BCG’s Managing Director and Partner Matt Langione, an expert in quantum computing.

Quantum computing has the potential to drive huge progress in areas such as drug discovery, optimization of logistics networks, machine learning to detect fraud, and securing government data. And BCG estimates that it will create value totaling $450–$850 billion by the time the technology matures.

Despite this huge potential, quantum computers also threaten two types of encrypted data:

  • Data in transit, for example emails, or financial transactions.
  • Data at rest, for example employee health records, state secrets, or product roadmaps.

Given the risk of data at rest being downloaded now to decrypt later, the US Department of Commerce’s National Institute of Standards and Technology (NIST) is encouraging computer system administrators to begin transitioning to the new standards it has designed as soon as possible.

NIST has spent eight years working with the private sector and academics around the world to develop the new tools—or cryptographic algorithms.

“These new algorithms are an important milestone because NIST typically sets the standard for common adoption,” Langione says.

“The key question is whether companies will act soon enough to protect themselves against something which might not seem a clear and present danger.”

Now What

In the past, cryptographic upgrades have taken about 20 years, although 7–10 years is considered an optimistic minimum today. And even NIST suggests that the transition may well be expensive and disruptive, albeit highly effective.

Here are some initial steps for companies to take:

Inventory all hardware, firmware, software, operating systems, and applications that use the current algorithms for encryption. Automated discovery tools can help here.

Prioritize the components that need to be migrated first, based on a risk management methodology that assesses the sensitivity of the data and the potential impact of an attack. This will provide a roadmap for action.

Integrate and test the new standards. Detailed instructions for incorporating the new tools into products and encryption systems will be needed. And they should then be tested to ensure they are functioning correctly and securely, without too much of a negative impact on performance.

Train key security personnel and equip them for ongoing monitoring and updating. There should also be collaboration with vendors to ensure they are adopting the new standards too, since many attacks happen through third-party software.
