Thursday, February 22, 2024

Quantum Security: A Board Perspective

Defending a corporation from threats posed by quantum computers may seem a tad esoteric for a member of the board of directors. For board members who wish to fulfill their roles as cyber fiduciaries, however, it is prudent to gain a basic understanding of the issue and what can be done to address the coming quantum threat.

Being a cyber fiduciary

While most boards designate a committee to take charge of technology and cybersecurity, every board member should consider himself or herself to be a cyber fiduciary to some extent. Think about it like this: You have a fiduciary responsibility to safeguard the shareholders’ assets. In this day and age, corporate assets include intellectual property, corporate data, customer account data, and information systems.

Such data assets may seem intangible, occupying a nebulous place under “goodwill” on the balance sheet, but they are arguably some of the most valuable items in the shareholders’ possession. Board members need to be aware of threats to shareholders’ digital assets. Going further, a major cyber disruption can seriously affect customers’ trust in the business, another factor that often explains the difference between a company’s book value and market value. A threat that can cause the value of these assets to drop is a threat that everyone, not just technical sub-committee members, needs to know about.

Becoming an educated consumer of technical and cybersecurity information

The challenge for board members is to distinguish between different levels of cyber risk. Unfortunately, the security industry tends to specialize in a variety of “hair on fire” sales pitches, designed to cause alarm and trigger generous, sometimes unwarranted spending. This is not helpful. Everyone from board members to vendors and security teams can benefit from becoming educated consumers of technical and cybersecurity information.

That being said, not all cyber risks deserve the same level of attention and investment. I will make an argument, however, that the quantum threat requires immediate focus, and at a minimum some kind of plan.

The quantum threat, explained

Understanding the quantum threat requires learning about two related but separate technological processes – quantum computing and quantum attacks. It’s impossible to grasp the latter without first knowing how the former works.

First, what is a quantum computer? A quantum computer is a computing device that utilizes sub-atomic particles and the unique phenomena of quantum physics to perform mathematical operations at a speed many orders of magnitude greater than even the fastest supercomputer in operation today. This may sound like science fiction, but it’s happening a lot sooner than anyone expected.

With this radically faster mathematical processing speed, a quantum computer gains the power to crack even the toughest encryption algorithms. An encryption key that would take a conventional computer a trillion years to break can be unlocked by a quantum computer in a matter of hours.

What does this mean for an organization? Simply put, the quantum threat translates into the very real danger that enterprise systems and data sets that are secured by conventional cryptography can be easily breached. For a bank, this would mean that detailed account data could fall into the hands of digital thieves. For a defense contractor, it would mean that top-secret information could fall into enemy hands. A quantum hack could be an extinction-level event for some organizations.

Why now is the time to address the quantum threat

The idea of the quantum threat is not new. Indeed, most diligent boards have been hearing about it for some time. This is part of the current problem. Until just about a year ago, quantum computing was considered to be a decade or more into the future, with even the most well-informed experts remaining vague on whether such a device would ever even come into existence.

This was a confusing issue for boards, as they were being told about a risk that was far in the future, if it would even happen at all. This has now all changed. Quantum computing is coming, and soon.

Recent advances in quantum computing research, particularly those based on massive investments made by foreign nation-states, have brought the quantum threat much closer than most people previously expected. And even though a viable quantum computer may still be a few years off, now is the time to start coming up with a quantum risk mitigation plan.

The quantum risk must be addressed now because malicious actors are actively stealing encrypted data with the intention of decrypting it when quantum technology comes online. They’re breaching financial account records and military secrets, even if the data is unintelligible to them in its current form. That does not matter to these hackers. They are confident they will be able to crack the encryption keys within a few years. At that point, they’ll have access to all our data, and we will be powerless to do anything about it.

The government is taking the quantum threat seriously, and so should Boards. This past May, the White House issued a National Security Memorandum dealing with quantum risk, which mandated that all federal government agencies begin the upgrade to post-quantum cybersecurity. Bipartisan legislation has been introduced in the Senate that is intended to prepare the U.S. for quantum cybersecurity risks, and NIST (the National Institute of Standards and Technology) named the final post-quantum algorithms this past July 5th. It appears likely that quantum threat mitigation will become standard policy for American businesses, especially those that work with the government or must comply with government regulations.

The Board perspective

Board members have sifted through a great deal of information, some of it quite technical in nature. In our view, it should not take a lot of technological savvy to grasp the seriousness of the quantum threat. The potential for irreversible, significant damage to the enterprise should be plain to see. It’s a threat that demands attention today, and solutions have emerged that enable organizations to start the upgrade process to protect against the quantum threat. Now is the time for the Board to investigate post-quantum cyber solutions and drive these initiatives for their organizations.