Quantum Computers Will Break the Internet, but Only If We Let Them

Because quantum computers on this scale don’t exist yet, their true potential is unknown. But one popular prediction is that they will excel at simulating chemistry. Chemists may be able to use these computers to better understand how molecules behave and interact. This could lead to the development of new drug treatments, vaccines, and other scientific discoveries. The computers will also likely be crucial for applications of artificial intelligence and machine learning.

Although this unprecedented computing power could be used for good, researchers are wary of its potential threat to modern communications infrastructure. Because quantum computers are predicted to be able to factor large numbers very quickly, they could break the cryptographic codes that currently protect our data.

“When we use the internet, we assume that all of our communications are secure and guarded from an attacker reading or seeing them,” said Michael Vermeer, physical scientist at RAND and lead author of the report. “That is because cryptography—sort of a ‘black box’ to most people—is in the background, securing everything we do. But the public-key cryptography we use now will be vulnerable to quantum computers in the future.”

If hackers are ever able to crack public-key cryptography, then all information connected to the internet could be compromised.

Fortunately, these quantum computers, which experts call “cryptographically relevant,” are unlikely to emerge for another decade or more. That means there’s still time to prevent the worst from happening.

Prevention Is Possible
While engineers race to develop the first advanced quantum computer, cybersecurity experts are racing to roll out a new form of cryptography that would defend against quantum hacks. This is known as post-quantum cryptography, or PQC.

Experts are currently developing PQC solutions, but these will need to be standardized and widely adopted. That could take years or even decades. The U.S. government recently took steps to accelerate quantum research and development, including the passage of the National Quantum Initiative Act. The law mandates new funding, human capital, and congressional oversight of quantum advancement. This is a great first step, the RAND researchers said, but there’s room to do more. And the clock is ticking.

“Post-quantum cryptography is the best solution,” said Vermeer. “It’s just a matter of getting it done in time.”

Compounding this risk is what researchers call the “catch now, exploit later” threat. Nefarious hackers might intercept secure messages today and then hold onto them until tomorrow, whenever quantum computers are advanced enough to decrypt them.

“This is why we need to push for the adoption of post-quantum cryptography as early as possible,” said Evan Peet, associate economist at RAND and coauthor of the report. “Some encrypted communications don’t lose their value over time.”

Simply put, the longer that PQC is not in place, the greater the amount of today’s encrypted information that is at risk of being exposed tomorrow.

No One Knows When Quantum Computers Will Arrive
RAND researchers interviewed a cadre of quantum computing and cryptography experts from both private-sector and academic backgrounds. This diverse group included a quantum hardware lead at Google and an information security officer from the financial services sector.

The RAND team asked the group to estimate when advanced quantum computers might be developed, when a standardized PQC security suite might be implemented, and whether these two timelines might overlap. On average, the experts suggested 2033 as the most likely year for the creation of a quantum computer that could break public-key cryptography. But focusing on that date may not be the best way to think about this looming threat.

With so many factors up in the air, Vermeer said that a better approach is to weigh informed estimates to get a better sense of the likelihood and scale of all possible scenarios. “How likely will a quantum computer be created at this date? How likely is it that the PQC standard will be ready at this date? How long is it likely to take? We don’t honestly know,” Vermeer said.

Peet described the uncertain timing of the quantum-computing threat as “Y2K meets climate change.” He compared it to Y2K because the challenge is unfolding in the digital world and to climate change because the risk will grow over time the longer we delay action.

And just as with threats from climate change, the unfixed time horizon of this potential quantum nightmare makes it easier to drag our feet instead of running toward a solution.

“The human nature of procrastination, plus the uncertain deadline around quantum computing, means we really need to get people to understand the threat and overcome that procrastination nature,” said Peet.

How to Stop a Quantum Attack
The research team surveyed consumers and learned that public awareness of quantum computing and its potential risks is low. With consumers not likely to be vocal drivers of change, it’s important for policymakers to take the lead. If policymakers start working today as if quantum computers really are coming for our data tomorrow, then we can avoid these threats.

In the report, the researchers recommend actions that the executive branch, Congress, and individual organizations could take now to minimize the harm that quantum computers may cause.

For example, the White House could mandate PQC transition for government agencies, critical infrastructure, and other organizations. To exercise oversight and help increase public awareness, lawmakers on Capitol Hill could hold hearings on the risks of quantum computing. And organizations of any type can prepare for the quantum future by taking inventory of all instances of public-key cryptography in their own processes, as well as the processes of partners and suppliers. This will help ensure that the organization is ready for the transition to PQC, once a standard is available.

The bottom line: It’s not all doom and gloom for Future You and your bank account. Quantum computers could break the internet. That much is true. But whether that actually happens is entirely up to us.

Marissa Norris is Digital Producer at the RAND Corporation. This article is published courtesy of RAND.