Quantum-readiness – 5 steps to ready your Board for post-quantum cryptography (PQC)

Written by Jo Miller, Board Advisor, Digital Leaders

Securing our information and our technologies has become critical in this shifting and uncertain geopolitical context. Even more so as we contend with the sheer computing power of quantum, and what this in turn means for our national security. Of course, the need to keep our information and our devices safe and secure is not a new challenge but how we do so must change as we head into an era of quantum-enabled computing. 

Securing, and breaking the security that protects our information – that is not new. We know that amongst the ancient Greek city-states, the Spartans were well-practised in surveillance; the Ephors were the state supervisors, with secret police (the Crypteia) and numerous officials used to monitor the physical activity of Spartan women and youth, and to conduct market surveillance. Gorgo herself, the Queen of Sparta, is often cited as the world’s first cryptanalyst, decrypting steganography used to conceal secret messages about the pending Persian invasion of Sparta in 480 BC. According to historical accounts, a messenger had arrived in Sparta carrying an apparently innocuous and blank wax tablet – an encrypted warning to Sparta about Xerxes’ pending invasion, written on a wooden tablet and then covered with wax. And no one was able to guess the secret – no one besides Gorgo, who astutely reasoned that it was likely a secret message and that if the wax were scraped off, they would find the inked message on the wood beneath.

Gorgo paved the way for pre-modern and modern cryptography – in 2nd century BC Egypt, non-standard hieroglyphs were used to obscure meaning and a century later, in Rome, Julius Caesar popularised the Caesar cipher, shifting letters by a fixed amount.

Fast-forward through the cryptanalysis of the Arab scholars in early-AD, the mechanical and wartime cryptography of the 19th and 20th centuries (computers – initially women, then analogue, and then digital), to the Public Key revolution in the 1970s which signalled a turning point for civilian cryptography. 

And it was in that period that cryptologic (keeping secrets) and cryptographic (breaking secrets) capabilities became commonly available outside of Governments and security agencies, and rapid developments in classic computing turbo-charged modern encryption – and decryption.

 

So, what has changed, or what will change? What does this shift in cryptography demonstrate; from the post-Gorgo cryptography throughout history, to the post-quantum cryptography that we are now on the cusp of? 

We know that sufficiently powerful quantum computing, which uses the principles of quantum physics to process information in a fundamentally different way to today, will shift how we protect our data and our information, potentially rendering our current methods obsolete. Data will be processed at a greater scale and pace than we have ever experienced before, meaning that encryption will be broken within seconds (less even) rather than months or years. From an adversarial perspective, we know the practice of “harvest now, decrypt later”, where adversaries harvest encrypted data at scale now, on the basis that quantum computing power will enable them to decrypt that data, and make sense of it, later, likely using AI.

And so, we can see how security, quantum safety, and AI adoption all go hand-in-hand – we must secure our data, our devices, and our infrastructure *and* we must adopt AI throughout our cyber defence chain *and* we must make this shift to PQC. 

All of this fundamentally puts at risk the security, confidentiality, and the integrity of the data and digital infrastructure that underpins our economies and our societies, and how we live our daily lives. And so quantum safety, that is, transitioning to quantum-safe cryptography or PQC (post-quantum cryptography), is critical to our future security. However, given that capabilities such as quantum computing are not predicted to emerge before the 2030s, at least, why is quantum safety important now? The answer is that, for many, the extraordinary leaps forward that we all saw in publicly-available AI in 2022 came as a surprise.

Those large language models introduced to society the sophistication of machine learning and predictive capabilities that had, before that point, been the privilege of frontier AI labs and national Governments that could afford the levels of investment required to generate those tools – the research, the resource, the skills, the energy, and the high-performance computing power. And that leap forward, in 2022, introduced this meta-innovation (LLMs) to society with little to no indication of the impact it would have and its use – and misuse. 2023 then became rather exciting, and chaotic, as a result. And so, this is why we are talking about quantum safety now. It’s critical that we start introducing language now about PQC and our transition to it, in a helpful way that means we (Boardrooms, society, businesses) won’t get caught out by quantum capabilities, and their consequences, in quite the same way as we collectively were with publicly-available generative AI.

 

Similar to the seismic shift that generative AI represented (still represents) in technological development in our lifetimes – and its security implications – quantum computing will shift, at an unprecedented scale and speed, how data is processed. That includes machine learning and pattern recognition, reshaping how models are trained: computation will become probabilistic, meaning that algorithms can run many times in parallel to extract patterns. It will also shift how we do cryptography and data security – this is one of the most concrete and disruptive changes that quantum computing represents, meaning that secure data storage, transmission, and identity systems must migrate to PQC.

This poses a significant security and safety challenge because fundamentally we do not want to get caught out; we want to be prepared. This also poses a significant opportunity to do things differently, to rid ourselves of our legacy systems. We know that cyber risks come in large part from poorly managed technology programmes, and not transitioning effectively and systematically will only exacerbate those cyber risks and technological legacy challenges. We can act now, to minimise the costs and risks that will otherwise be stored up for the future.

And so how do we tackle this? Here are 5 steps to ready you and your Boards for the transition to PQC (post-quantum cryptography):

  1. Understand the national PQC timelines for the regions in which you operate – these timelines have been set based on the development of international standards and the availability of foundational PQC components, ensuring that the supporting cryptographic ecosystem is in place, before wide-scale global transition to PQC.
  2. Conduct an enterprise-wide inventory of where and how you depend on cryptography. This is not a new practice and should build on your effective lifecycle management of your assets – what versions of what software are you running on what hardware, and what of that will be impacted by quantum computing?
  3. Start to budget for this transition. Make the case to your Board for PQC transition, if you have not done so already.
  4. Take the opportunity that PQC brings to transition away from legacy IT and systems – deliberately include this in your PQC planning.
  5. Work out your external dependencies (your vendors, suppliers, and partners) so you can plan to move as a system – engage them now. 
