From improving the chemistry of electric batteries to devising vaccines for new disease and solving complex financial conundrums, quantum computing looks set to solve some of the world’s most complex problems.
However, with new technologies come new attack surfaces and with quantum the risks may be magnified due to the technology’s ability to break down very large prime numbers very quickly.
While quantum computing is still in its nascent stages, it is widely considered that by 2032, a fault-tolerant quantum computer capable of running crypto-analytic algorithms will threaten to break the security of the internet and mobile networks.
About seven years ago, the US and Chinese governments along with various other groups such as the World Economic Forum, identified this challenge and guidelines and now standards are currently being formulated.
The main task has been devising ways to replace RSA keys, public key security and other cryptography standards that most tech and telco companies rely on to keep networks and data safe.
The US standards body working on this, NIST, has already published a new set of recommendations of what the new security systems will look like, with a full set of standards set to follow next year.
In the meantime, the message for all businesses is that they need to start making plans for a ‘quantum safe’ world – and this needs to start now, as there’s a belief that cyber criminals may already be stealing encrypted data today, so it can be stored for retrospective decryption further down the line.
Telecoms however, is one sector that is on the case. Last September the trade body representing the world’s leading mobile operators, the GSMA, set up a post-quantum taskforce, with IBM and Vodafone as initial members to help define policy, regulation and operator business processes.
Shortly before Mobile World Congress this year the taskforce – which now has over 35 members – released a whitepaper of the quantum security threats facing the telecommunications industry.
This paper includes a detailed, step-by-step list of potential solutions to prepare for these threats, including an inventory of all the places that cryptography is used to secure the networks and systems.
To find out more, TechInformed spoke with the author of the telecoms Post Quantum Impact Assessment Whitepaper, Zygmunt Lozinski – who is also IBM’s post quantum telco network industry technical lead.
While quantum computing is developing rapidly it’s true that we don’t yet have large scale machines. But think about some of the data that we’re protecting. Healthcare data has to be kept securely for a person’s lifetime – that’s up to 100 years. Compare that to the progress we’re making in quantum: Seven years ago IBM put the first quantum computer in the cloud and it had five qubits [the quantum version of the classic binary bit] and this year we’ve announced a machine with 233 qubits.
So whether its healthcare data, someone’s financial or pension data – it needs to be kept securely regardless of technological development. So now is the time to start building for quantum secure.
The concern is that you are not going to know. If someone steals a valuable data set they can store now and decrypt later – once they have a large scale quantum computer – if that valuable data has already been taken then you are never going to know that this has happened. Understand that this is a possibility. We don’t want to single any one group out, but it will be all the usual bad actors who have an interest in doing this: ransomware gangs, hostile state hackers, cyber criminals.
The sorts of things you are trying to protect against is people trying to steal customer data and decrypting it in the future; another is the integrity of the network. If you think about the seven billion devices out there; the seven to eight million cell sites and all of the core networks. Every single one of those things, every time you make software updates, you have to validate that these haven’t been corrupted, that the hacker hasn’t patched the software that they are loading into the system.
The way you do that is by signing the code – so that’s the second thing – how do you ensure the integrity of the software updates? And the third thing we’re trying to protect against is transaction fraud on the networks – the deletion of financial records or payment records and the creation of false payments.
There are three we’re typically working with: The CTOs that look after the telco networks – because the networks need to be secure, and they need both products and a set of standards. We are also reaching out to the CIOs – because they are the people responsible for securing customer data and updating their systems and thirdly, we’re in discussions with CISOs who will be implementing identity management within an organisations.
We’re also working with standards bodies and the governments. One of the things we looked at in the white paper is what governments around the world are doing on this, and pretty much the message from all of them was: ‘now is the time to start planning for the transition, building skills and implementing them once the standards are available’.
You are going to see lots of different models for how people implement this, you are going to need consultants who understand the problem who are going to help you make this transition. The people that make the Sims and eSims technology that goes into mobile devices, for instance, need to be part of this ecosystem. So yes, you will see people doing advisory work and specialist security firms making sure that products are already updated and protected.
Yes, and that’s one of the reasons we’re seeing governments saying we need to start planning for this transition. President Biden signed a bipartisan piece of legislation just before Christmas in effect to say the US government has to put a 10 year plan in place to transition all of its systems to be quantum safe by 2033.
The US and Chinese governments have both taken the lead on this to say, ‘ok this is important we need everyone to go and do their part in this plan’.
There’s an existing cyber security skills shortage and not many people are trained to code with quantum. One of the things IBM is doing is reaching out to students at all stages of their education, because the people starting university now – ensuring quantum safety could be their first or second job. The more we can do to encourage new people coming into the industry to specialise in this area the better.
IBM works with universities so they can have access to all of our education and training material and in some cases, there’s at least one university I know of where as part of the physics degree in the fourth year they use Qiskit – a free open source quantum computing tool kit.
It’s really fun to watch the students to come up with solutions’. Some of the solutions I could never have come up with, it’s just really interesting. And that really matters. How we get that thinking into universities and at all levels. STEM education – to get it into schools to inspire people.
Part of the quantum safe task force’s mission is explaining to the industry about what skills they need. And it’s important to note – the transitional skills for quantum safe programmes is an understanding of cyber security and about having an end-to-end view of the telecoms network and the systems involved.
You don’t really need to know the details of quantum computing or quantum cryptography to be able to manage your ID management system or update your security management system. What we need are more cyber security people and people with a general understanding of how telecom systems come together.
Subscribe to our Editor's weekly newsletter
Newsletter
Share
