There’s a ticking clock in the world of cybersecurity and it’s counting down to what experts call Q Day – the day when quantum computers will theoretically become powerful enough to break some of today’s cryptographic methods, and render many existing encryption methods obsolete.
Or at least that’s the theory. In truth, nobody can predict with absolute accuracy when, or even if, quantum computers will reach the level of sophistication and practicality to manifest this threat. But that doesn’t mean businesses shouldn’t be thinking about it.
While some are hearing the tick of the Q Day clock, others remain unaware. So, what is Q Day, is it a big deal, and what do businesses need to know to prepare?
Field CTO and Strategic Advisor at Splunk.
Do businesses need to be aware of Q Day?
The short answer is yes. The potential threat that quantum computers could pose to current cybersecurity methods cannot be overstated. What was once academic theory, akin to technology you’d see in a science fiction novel, is making strides towards reality.
Big companies like IBM and Google, as well as governments and startups, are racing to build more powerful quantum machines. These computers are still in the early stages, but they’ve already grown from handling a few quantum bits (or “qubits”) to managing hundreds, and they’re getting better at solving complex, specific problems.
While quantum computers can’t yet break the encryption software and protocols that protect the internet, experts seem to be reaching a consensus that the day when this could become a reality is about 10-15 years away. This is the so-called Q Day.
Aside from the obvious threat that breaking current encryption poses, businesses also need to be aware that the rise in quantum technology is being taken seriously by governments and regulators alike.
Agencies like the National Institute of Standards and Technology (NIST) have standardized post-quantum cryptographic (PQC) algorithms, while Europe’s ENISA is focused on standardizing the implementation and certification of PQC through schemes such as EUCC, all in preparation for Q Day.
When is Q Day?
Unfortunately, as with all things quantum, answering when Q Day will be is not simple, because no one knows for sure. It’s all dependent on when (and if) the technology reaches a specific level of capability and practicality. And it’s not only about the number of qubits.
However, the speed at which quantum computing is moving forward has prompted agencies like the UK National Cyber Security Centre (NCSC) to put timelines in place.
The NCSC’s timeline for migrating to a quantum-safe method of encryption has three phases: discovery and planning by 2028, early migration by 2031, and full migration by 2035.
That gives businesses a maximum of six years to plan and prepare to migrate their critical assets. But again, this timeline is not set in stone – Q Day could come sooner than 2035, later, or it could never come.
It’s difficult because we are talking about technology that hasn’t realized its theoretical potential yet, and no one has a crystal ball. Quantum computers don’t follow Moore’s Law; they scale non-linearly, and quality matters more than quantity when it comes to qubits.
What do businesses need to do to prepare?
Staying calm should be step number one. Quantum technologies can sometimes be subject to scaremongering, pushing people to make premature or misinformed decisions. And I hate this FUD; it doesn’t lead to the best security outcomes.
Of course the threat is theoretically coming, but it isn’t imminent. Even if quantum computing does eventually break common encryption methods, it’s unlikely that everything will change in the blink of an eye – there will be time to prepare.
However, the time to prepare is now, not when the first quantum-powered breach makes headlines. And that starts with getting your basic digital hygiene sorted.
Organizations should begin by auditing their IT estate with two aims: the first being to identify what IT assets they have, because you can’t update or protect what you don’t know you have. The second is to identify which of those assets are most at risk, especially those dependent on public-key encryption or requiring long-term data confidentiality.
This is great security practice anyway – building a decent asset inventory will bring you gains beyond just post-quantum migration planning.
The next step is to prepare the inventory; decide what needs to be end-of-lifed, and prioritize what you have to migrate. It’s a short sentence to write, but a very long exercise. Good luck. Annex A of this ETSI standard has a very helpful set of questions to help.
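A triage pass over such an inventory, added here as an illustration and not taken from the article, ETSI or the NCSC. The asset names, dates, status labels and the rule that public-key assets protecting data beyond 2035 go first are assumptions.

```python
from dataclasses import dataclass

# Public-key families a large quantum computer could break (Shor's algorithm).
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# Algorithm families standardized in FIPS 203, 204 and 205.
PQC_STANDARDIZED = {"ML-KEM": "FIPS 203", "ML-DSA": "FIPS 204", "SLH-DSA": "FIPS 205"}
FULL_MIGRATION_YEAR = 2035  # NCSC full-migration milestone cited above

@dataclass
class Asset:
    name: str
    algorithm: str           # as recorded in the inventory, e.g. "RSA-2048"
    confidential_until: int  # last year the data must stay secret, 0 if none

def family(algorithm: str) -> str:
    """Map an inventory string such as 'ECDH-P256' to its algorithm family."""
    alg = algorithm.upper()
    known = sorted(QUANTUM_VULNERABLE | set(PQC_STANDARDIZED), key=len, reverse=True)
    return next((f for f in known if alg.startswith(f)), alg)

def triage(asset: Asset) -> str:
    """Assumed rule: public-key use plus long-lived secrets goes first."""
    fam = family(asset.algorithm)
    if fam in PQC_STANDARDIZED:
        return "pqc"
    if fam not in QUANTUM_VULNERABLE:
        return "review"  # symmetric, hash or unrecognized: check by hand
    if asset.confidential_until > FULL_MIGRATION_YEAR:
        return "migrate-first"
    return "migrate"

def prioritize(inventory):
    """Return (status, name, algorithm) rows, most urgent first."""
    order = {"migrate-first": 0, "migrate": 1, "review": 2, "pqc": 3}
    rows = [(triage(a), a.name, a.algorithm) for a in inventory]
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))

# Constructed sample inventory; names and dates are invented for illustration.
INVENTORY = [
    Asset("vpn-gateway", "ECDH-P256", 2040),
    Asset("code-signing", "RSA-3072", 0),
    Asset("backup-archive", "AES-256", 2045),
    Asset("pilot-tls", "ML-KEM-768", 2040),
    Asset("hr-records-portal", "RSA-2048", 2050),
]

if __name__ == "__main__":
    for status, name, algorithm in prioritize(INVENTORY):
        print(f"{status:15} {name:20} {algorithm}")
```

In practice the inventory rows would come from certificate stores, TLS scans and key-management exports rather than a hand-written list.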
If you want to follow the latest standards, here’s a quick update on where we are. NIST has published 3 PQC standards: FIPS 203, 204 and 205, with two more on the way: FIPS 206 in draft and a new fifth algorithm recently announced.
The mathematics is there, but we’re lacking the integration into protocols and widely used technologies. Instead of tracking NIST now, I’d recommend following ETSI’s Quantum Safe Cryptography Working Group, which focuses on the practical implementation of quantum safe primitives, and the IETF’s PQUIP group, which summarizes all the post-quantum efforts in internet standardization today.
When should businesses prepare for Q Day?
The NCSC timelines are very clear: prepare and plan by 2028, so that you can migrate by 2031. But the uncertainty on when/if Q Day will arrive complicates this slightly.
Prepare too early and you risk adopting immature technologies and standards, potentially increasing vulnerabilities. Wait too long and you may leave critical systems exposed.
The key is finding the timing that’s just right – it’s what I call the Goldilocks Theory and again, it comes down to preparedness: making a good asset inventory, while staying on top of the latest post-quantum standards.
Q Day may be uncertain, but your preparation shouldn’t be. Start planning now – not out of fear, but out of foresight.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro