Quantum computing will require massive software updates. Doing that securely will be its own challenge.

The tech industry is scrambling to implement new “quantum-resistant” algorithms — which could be a “significant source” of security vulnerabilities — years before the arrival of quantum computing.



No matter how long it takes to reach commercialization in the enterprise, quantum computing could have major consequences for the world of cybersecurity well in advance of the technology going mainstream.

To date, most of the security discussion around quantum computing has focused on the possible implications for data encryption. The most common scenario: Someday — maybe in five, 10 or 20 years — mega-powerful computing systems that harness the very weird properties of quantum mechanics could achieve the unthinkable, and obliterate the current methods of encryption that the internet depends on for security.

On the other hand, maybe this will never happen at all. No one can say for sure.

It's very clear, however, that the tech industry is gearing up for this so-called "post-quantum" scenario. Software will be updated on an epic scale to accommodate new methods of quantum-resistant cryptography that are being advanced by the government and researchers.

That means while nobody can be certain if quantum computing will ever really pose a security risk itself, the preparations surely will: It's inevitable that we'll see a large number of security vulnerabilities unintentionally introduced into software as the process plays out, said Jonathan Katz, a cryptography expert and IEEE member. Any time software is changed on a large scale — particularly when it’s happening quickly — vulnerabilities will tend to creep in.

"We know how to design mathematically secure algorithms," said Katz, who’s also a professor of computer science at the University of Maryland. "We're not quite as good yet at implementing them in a secure way."

That’s a challenge the tech industry will have to figure out. If the hackers of, say, 2032 get their hands on a quantum computer that could break encryption, it would put much of the world's data at risk. (That includes, by the way, encrypted data that threat actors might be collecting today and storing away for a decrypting opportunity in the quantum future, according to experts.)

We can thank the efforts of cryptography specialists working in tandem with the National Institute of Standards and Technology for helping the industry prepare for this threat. Back in 2016, the agency helped get the ball rolling on post-quantum cryptography by launching a process for soliciting the algorithms needed to do the job.

In July, NIST presented the fruits of that six-year process, announcing four algorithms that the agency aims to use as the basis for the new quantum-resistant method of encryption. The algorithm that will provide secure web access is known as CRYSTALS-Kyber (some experts refer to it as Kyber). The three remaining algorithms will come into play for identity verification during digital exchanges.

While NIST says it expects to finalize the algorithm choices in "about two years," the vendors whose technology underpins the functions of the internet have already begun exploring how to implement them — particularly Kyber.

Make it work

Since there are a number of different ways to implement Kyber, the industry now has to settle on which type of implementation to embed into the TLS protocol, which is what enables HTTPS secure web browsing.

"The industry is now in the mode of, 'OK, we know what the algorithm is going to look like — how do we actually deploy it into systems? And what are the troubles and pitfalls of that?'" said Nick Sullivan, head of research at web security and performance vendor Cloudflare.

Software developers, however, have had decades to figure out how to properly deploy existing forms of encryption, such as RSA. "That time has allowed people to learn from their mistakes," Katz said. "And many mistakes were made along the way."

Now, we may have the same situation occur again, with the implementation of largely untested new algorithms that are based on different techniques, he said. Rather than facing an underlying issue with the algorithms, he believes it's more probable we'll see a variety of flaws in the code introduced during the software engineering process.

Buffer overflow issues — a common bug in software code that can enable an attacker to access parts of memory they shouldn't be allowed to — are among the types of vulnerabilities that are likely to pop up a lot in a situation such as this, Katz said.

How could this happen? For one thing, there will be a learning curve involved for software engineers.

To some degree, they "will need to understand what's going on under the hood," Katz said. The complexity of the algorithms could present bigger difficulties than understanding existing methods, however.

Meanwhile, as the saying goes, speed is the enemy of security. And there's going to be a lot of new software being written as part of these post-quantum preparations, and written quickly, Katz said.

All in all, the implementation of the new algorithms is sure to become a "significant source of vulnerabilities in the five years after these things are first widely deployed," he said.

Counting down to quantum

For better or worse, the tech industry feels a lot of urgency around implementing the post-quantum algorithms. In part, that's because "nobody knows" when the threat to encryption might emerge, said Nelly Porter, Google Cloud's lead product manager for technology areas including encryption and quantum computing.

"Everybody assumes that it will take many, many years. But I think in the world of cryptography, we are much more paranoid," Porter said.

When is the earliest she thinks it could happen?

"I would say [as soon as] three years for very advanced adversaries to make it usable," Porter said. "We have time to get ready. But we don't have too much time."

Other experts have predicted longer time frames before the performance of quantum computers would be able to break encryption (specifically, what’s known as “asymmetric” encryption, or public-key cryptography).

Chris Monroe, a quantum computing pioneer and Duke University physics professor, believes it will take 10 years or more to get there. In the meantime, early quantum computing applications — for instance, optimization of delivery routes or financial models — will likely be commercialized in a shorter time frame, said Monroe, who is also co-founder and chief scientist at quantum computing vendor IonQ.

However, it'll take longer for quantum computers to break encryption because the problem sizes are so big, he said. In other words, breaking encryption will probably not be the first thing that happens when it comes to real-world usage of quantum computers.

Once technology vendors have done their part to implement the quantum-resistant algorithms, that's when the work for businesses will begin. And that will probably be the hardest part of all, experts told Protocol.

Hardware, operating systems and software will all need updates to enable the new quantum-proof encryption methods.

"There's a big patching and replacement exercise that's going to go on here — which is complicated, time-consuming and important," said Tim Callan, chief compliance officer at Sectigo, a major provider of digital certificates that are used in the encryption process.

The process will require taking an inventory of everything they use that leverages encryption. That’s no small task for any organization, but it will be especially daunting for those with workers, data centers and edge devices scattered around the globe.

"They're going to need to look at every system. And they're going to need to say, 'Is this system post-quantum-ready or not?'" Callan said. "'And if it is not, how do I feel about that?' They're going to have to prioritize."

Businesses that rely heavily on cloud infrastructure will have less to worry about, since a lot of the updates will happen behind the scenes, said Cloudflare's Sullivan. Those who still have a lot of physical machines in their operation will need to figure out if their devices can even be updated, or if they'll need to be replaced, he said.

One of the big questions for businesses will also be whether their existing PC fleets will be able to handle the compute requirements of the new algorithms.

While NIST included a requirement that the new algorithms would not be significantly more compute-intensive, that doesn't mean that every PC will be able to run them, said Stel Valavanis, founder and CEO of managed security provider onShore Security.

In the same way that the shift to work-from-home and videoconferencing forced many businesses to upgrade their PC fleets, the arrival of post-quantum encryption could be the "next ceiling" that businesses run into in terms of device performance, Valavanis said.

Quantum divide

While it's still too early to know for sure, there's certainly a chance we could be heading into a "haves and have nots" scenario with quantum-resistant encryption, said Keith McCammon, co-founder and chief security officer at managed detection and response vendor Red Canary.

"We're probably going to run into questions of access: Is this thing equally accessible to everybody?" McCammon said.

On the other hand, there's also a chance that some businesses will not put a priority on quantum-proofing their systems at all.

Due to the uncertain and potentially long time frames — and all of the more immediate threats that businesses are dealing with on a daily basis — there's "always that risk" that some businesses will just ignore the issue, said Boaz Gelbord, chief security officer at Akamai Technologies.

In the short term, there might seem to be no consequences of inaction, said Joseph Steinberg, an independent information security consultant. But in all likelihood, we're never going to get much advance warning about when encryption will be at risk, he said.

"The Chinese government doesn't announce what they're doing. We don't really know what the current capabilities are" for quantum computing, he said.

Ultimately, "we're talking about something catastrophic," Steinberg said. "And if we're wrong — and this hits sooner than expected — we have a problem."

