Most of us remember Y2K, the panic that consumed the closing years of the last millennium. The whole world feared that when the clocks changed from 1999 to 2000, the digital systems that governed our lives would collapse, with catastrophic results. Of course, a true merger was avoided, thanks to the collective action of software engineers around the world, and decisive action by Congress, which dedicated $3.4 billion to update critical “Y2K-proof” government and industry code and systems.
The crisis was averted 22 years ago, but now we have to dodge another one.
Call it “YQK,” except this time, the “Q” stands for “quantum.”
Quantum computing is an incredible and nascent technology that relies not on binary code, the now familiar 0’s and 1’s, but on properties of subatomic particles, such as entanglement, in order to compute. Quantum computers have computational properties that could soon solve complex problems that today’s computers can’tthat will revolutionize fields from drug and materials discovery to finance.
But exponential computing power also means that, in the wrong hands, quantum systems could brute-force their way through even our strongest digital walls. Right now, most encryption is similar to a very large combination lock. If our current computers wanted to break through, they would have to try every possible combination, a task that could take a century. However, future quantum computers could solve that combination in days, perhaps even hours.
So what would YQK, a quantum computing catastrophe, look like in practice?
Imagine that the algorithms that protect corporate and government data are compromised. Financial markets are negatively affected. Power grids and defense grids are disrupted. There is a massive wave of identity theft.
Here, though, is the good news: It’s completely preventable, with the technologies we already have, including cutting-edge techniques like lattice-based cryptography (protocols based on extremely difficult and historically unsolvable mathematical problems) and fully homomorphic encryption. (which allows someone to work with encrypted data while it’s still encrypted).
In Washington, there is discussion and activity going on about how we can deploy these safety nets to prevent YQK. The National Institute of Standards and Technology (NIST) recently announced protocol standards involving these technologies, including CRYSTALS-Kyber public key cryptography protocol, which was one of the last four protocols developed by IBM scientists and collaborators. When adopted, they will protect various computer systems from quantum hacking.
Congress can help ensure these tools are rolled out across industry and government before it’s too late.
Organizations of all kinds should start implementing these protocols immediately, especially those that have sensitive data, such as government agencies. It is true that quantum systems will not be able to crack current encryption for many years. But the “black hat” hackers are not waiting. They are already collecting encrypted data. At the moment, those numbers are encrypted. But once quantum technology matures, they can be cracked in moments. It’s like a criminal robbing a safe today, knowing the combination will be turned over to him in a few years.
Federal agencies can prevent this “harvest now, hack later” problem by upgrading their encryption protocols. But that’s a little easier said than done. It will take time, dedicated staff and, above all, a whole-of-government strategy. It will likely never happen if various federal agencies are left to haphazardly adopt secure quantum technologies in their own way, at their own speed.
This month, the House passed a bill that captures this reality: the bipartisan law Quantum Computing Cybersecurity Preparedness Act. Among other measures, it asks the director of the Office of Management and Budget to examine executive branch systems, determine which ones are most vulnerable to a quantum attack, and prioritize their migration to post-quantum cryptography. This, the bill says, must be done within a year, along with an estimate of how much it will cost. It also requires regular updates on how federal agencies are adopting quantum security standards. If we want to avoid a YQK, the Senate needs to send this bill to President Biden’s desk as soon as possible.
My hope is that YQK will ultimately be like Y2K: a manageable event. But that didn’t happen by accident back then, and it won’t happen without a lot of hard work this time either. Many of the world’s best engineers and software companies invested resources to make sure Y2K didn’t happen. We must do the same today.
The biggest difference? Since we don’t have a nice round number like “2000” as a finish line, we must assume that time is of the utmost importance. When it comes to adopting quantum security protocols, tomorrow is better than next week and today is the best of everything.
Dario Gil is Senior Vice President and Director of Research at IBM.