In the digital society, modern cryptography protects state secrets, banking and health information alike. The development of quantum computing can crush current security methods and expose our society to serious threats. Transition to quantum-safe methods takes time; that's why we have to start preparing right away.
Quantum computers can solve enormous challenges, but their unlimited computing power can be misused as well. The most significant threats have to do with state actors: a quantum machine in the hands of a hostile state threatens the national security of other states. This also applies to Finland.
China, for example, is investing tens of billions of euros in the development of quantum technology. Russia has also stated its goal to develop a quantum computer for military national defense, although the country's economic situation weakens its possibilities for the development of quantum technology.
Public key encryption methods particularly vulnerable
Currently, information is encrypted using either symmetric i.e. secret key methods or public key methods. Public key methods are particularly vulnerable to quantum threats. These methods are used in electronic signatures, for example. Many encryption methods widely used on the Internet, e.g. TLS (Transport Layer Security) and PGP (Pretty Good Privacy) are also based on public key encryption.
The possible future attacks enabled by quantum computes require action. Current symmetric encryption can be strengthened and protected from these attacks by increasing the length of the encryption key. Public key methods, on the other hand, require completely new algorithms. These new methods already exist, and their standardization will be completed in 2024. We must start preparing their implementation, so that the security of critical data and systems can be guaranteed in the future as well.
The transition takes time, money and resources
Transition to quantum-secure encryption methods requires extensive cooperation between public administration, companies, research communities and regulatory authorities. This work must have enough resources and budget. The transition includes the following steps:
- Data inventory. The most critical data sets that are encrypted and need encryption are inventoried and documented.
- System inventory. All current systems using encryption technologies are inventoried and documented.
- Mapping out the use of public key methods. Data sets and systems that use public key encryption methods are identified. They are particularly vulnerable to quantum threats.
- Prioritization of vulnerable data sets and systems. The most urgent need is to re-encrypt the information that must be encrypted for a long time either due to the legal requirements or the risks associated with the disclosure of the information. In addition, systems using public key methods are updated.
- Planning the implementation of new encryption methods. Data re-encryption and systems update are planned. The plan must cover e.g. schedule, measures, responsibilities and budget.
- Updating guidelines. Guidelines that require updating are identified and their update is planned.
- Preparation for disclosure of information. Measures are planned for a situation where the entity that previously has stolen information decrypts and publishes it or hands it over to a third party.
The year 2030 is the limit
The transition to quantum-safe systems may not be possible without legal reforms, but there is no time for a slow legislative process either. In the USA, the law already requires government organizations to have a plan for transition to quantum-secure encryption during 2023. This way, the work can start as soon as the standardization of the methods is completed.
In the United States, the deadline for the transition is 2030: that’s the earliest when a quantum computer capable of breaking current encryption methods could be ready. Finland should aim for the same schedule. This requires inventory and prioritization of data sets and systems by the end of 2024 and implementation of the transition between 2024 and 2030.
Finland is a pioneer in the development of quantum computers, and we can also be that in quantum security. We have the know-how, but we need to take action. On the other hand, even quantum-safe protection is not enough if the management and implementation of current encryption solutions is in bad shape – the overall situation is what matters.