Yahoo. Marriott International. MySpace. Under Armour. eBay. LinkedIn. What do these big companies have in common? The answer, as you may have guessed, is that all six have fallen victim to the biggest data breaches of the 21st century, with the number of people affected ranging from 117 million executives (LinkedIn in 2012) to a staggering 3 billion users (Yahoo in 2013). Such mega intrusions can cost companies hundreds of millions of dollars, but even ordinary data breaches are expensive, especially once the loss of reputation and customers is taken into account.
As scary as that may sound, the past may be just the prologue. Since the 1970s, the RSA cryptosystem, which uses very large prime numbers to create the public keys that underpin the security protocols for data exchanged between Internet applications, has proved relatively effective. Although Peter Shor of Bell Labs showed in a 1994 paper that a quantum algorithm could crack RSA, no machine capable of executing that algorithm has yet been built. It has therefore been possible to move to larger public keys faster than conventional computers have accelerated, keeping the RSA cryptosystem secure.
It is unlikely to remain that way for much longer. Scientists are coming closer to developing a quantum computer, a new kind of system that can perform in minutes calculations that would take hundreds of years on the world’s fastest conventional supercomputers. Such machines would allow hackers to recover private keys from public keys and breach the security of almost any encrypted device or system. When exactly a quantum-computer-induced Cyber Doomsday will arrive is unclear, but it could happen in just 10 years.
Research into quantum computing hardware is growing rapidly: BCG analyses show that approximately 75% of the $1.3 billion in private-equity investment in quantum computing since 2018 has gone to hardware development. In addition, since 2013 governments have announced more than $20 billion in investments to develop quantum systems. As a result, breakthroughs in quantum hardware have been arriving faster in recent years.
In the not-too-distant future, mega data breaches will become frequent. Quantum computers will also revive the risk from past breaches, since hackers can use the hardware to decrypt data they have already stolen. Both B2B and B2C customers will demand post-quantum data security, and companies that cannot provide it are likely to lose their license to operate. This impending threat has started a countdown: Years to Quantum, or Y2Q.
In fact, the Cloud Security Alliance has a Y2Q countdown clock, arbitrarily specifying April 14, 2030 as the deadline by which the world must upgrade its IT infrastructure to face the Y2Q threat. It is reminiscent of the global Y2K project, which catalyzed the replacement of two-digit year codes with four-digit codes by December 31, 1999, to make sure computers did not mistake the year for 1900 and bring the world to a standstill. Y2K and Y2Q differ, of course: the timing of Y2Q is unknown but its impact can be imagined, whereas the timing of Y2K was known but its impact was not.
Three types of defenses against quantum hackers are already planned:
* Post-quantum cryptography, the development of new encryption algorithms that resist attack by quantum computers.
* Quantum key distribution, which uses quantum physics to distribute random keys between users but requires a global network of optical connections.
* Air-gapping or isolating networks from the Internet, which is probably impractical.
Post-quantum cryptography will probably be the most viable option for businesses: it requires smaller changes to the computing infrastructure and simply replaces existing encryption algorithms. However, the transition will be difficult for business, which will have to learn to navigate a heterogeneous protocol landscape. The challenge will be accentuated by the fact that the transition will take time and require frequent software upgrades.
Business has no choice but to act, but acting too early in a fluid situation can turn out to be a mistake. CEOs must manage the complex tradeoffs between the risk of not doing enough to prevent attacks and the cost of overspending to insure against a threat that is still emerging.
The best way to tackle the Y2Q problem is to develop ‘crypto-agility’: the ability to switch quickly between cryptographic standards, to implement the best solutions available at any time, and to be prepared for more changes in the future. Only crypto-agility can ease the transition by protecting businesses against quantum attacks, minimizing the impact of those attacks and helping companies recover faster. It will also enable companies to minimize the cost of addressing the problem, which will range from operational losses caused by cybersecurity vulnerabilities to investment in replacing vulnerable equipment and upgrading protocols, and which can amount to hundreds of billions of dollars across various industries.
Companies need to take four steps to develop their crypto agility:
1. Escalate the Y2Q issue to the board of directors and top management. Businesses must make cybersecurity a business priority. They should assign responsibility for tracking quantum computing developments to a team, led by a senior leader such as the CIO or CISO, that reports regularly to the board of directors and top management. This ensures that the focus is on corrective, not organizational, problems when quantum computing arrives. It will be critical in industries such as finance, where the risks are greater because of the nature of the business and its reliance on data. For example, GDP and JPMorgan Chase are already working with quantum computing companies on mitigation methods, while Nomura Group has set up a single global organizational structure to deal with security in a post-quantum world.
2. Identify priorities and create roadmaps. Every company should map its Y2Q risks by building an inventory of connected assets, periodically evaluating the value of its data pools, and assessing its exposure to new crypto standards. It must balance the value of the data it holds against the cost of protecting it, and develop a roadmap of its priorities. For example, the United States Department of Homeland Security publishes a template for such a roadmap, along with other resources, on its website.
3. Plan, pilot and test crypto agility. Organizations need to simulate Y2Q scenarios, such as the impact on their P&L, and develop countermeasures. They should conduct these exercises together with their business units to ensure the entire organization understands the challenge ab initio. In addition to developing pilots, executives should stress-test them to learn more about the issue and measure their crypto agility. Digital giants like Google, IDQ and Toshiba have developed modifications to Transport Layer Security that any organization can use to test its readiness against a quantum attacker, so companies would do well to take advantage of these simulations.
4. Collaborate with rivals and the ecosystem. Y2Q will not discriminate between companies, so leaders need to take a collaborative approach to developing crypto agility, working with peers and involving stakeholders such as academia, government and digital startups. This approach allows companies to share development costs, get to grips with the changing landscape faster, develop better Y2Q plans, and make credible policy recommendations. For example, in September 2021, 24 Japanese companies came together to form an industry council, Q-STAR, to understand, influence and help companies tackle the Y2Q problem.
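The inventory-and-roadmap step above is the one that most readily turns into code. The following is an added example (not from the column or from BCG) that triages a constructed asset inventory: each asset is classified by whether its algorithm family is broken outright by Shor's algorithm or only weakened by Grover's search, and then flagged as urgent using the widely cited "Mosca" heuristic (data shelf life plus migration time exceeding the assumed years until a cryptographically relevant quantum computer, here the column's 10 years). The asset names, key sizes and year estimates are all constructed assumptions.

```python
from dataclasses import dataclass

# Public-key families whose security rests on factoring or discrete logs:
# Shor's algorithm breaks them outright, regardless of key size.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}
# Symmetric ciphers and hashes: Grover's search roughly halves the
# effective strength, so 128-bit keys fall to about 64 bits of work.
GROVER_WEAKENED = {"AES", "CHACHA20", "SHA2", "SHA3"}
POST_QUANTUM_TARGET_BITS = 128  # desired effective strength after Grover


@dataclass
class Asset:
    name: str
    algorithm: str        # family name, e.g. "RSA" or "AES"
    bits: int             # key size (or output size for a hash)
    data_shelf_life: int  # years the protected data must stay secret
    migration_years: int  # estimated years to move this asset to a new suite


def quantum_exposure(asset: Asset) -> str:
    """Classify an asset as 'broken', 'weakened', 'ok' or 'unknown'."""
    if asset.algorithm in SHOR_BROKEN:
        return "broken"
    if asset.algorithm in GROVER_WEAKENED:
        return "weakened" if asset.bits // 2 < POST_QUANTUM_TARGET_BITS else "ok"
    return "unknown"  # unrecognised family: needs manual review


def mosca_at_risk(asset: Asset, years_to_quantum: int) -> bool:
    """Mosca heuristic: data outlives the migration window -> at risk now."""
    return asset.data_shelf_life + asset.migration_years > years_to_quantum


def triage(assets: list[Asset], years_to_quantum: int = 10) -> list[tuple]:
    """Return (name, exposure, urgent) rows, most urgent first."""
    rows = []
    for a in assets:
        exposure = quantum_exposure(a)
        urgent = exposure != "ok" and mosca_at_risk(a, years_to_quantum)
        rows.append((a.name, exposure, urgent))
    # Urgent items first; within each group, longest-lived data first.
    shelf = {a.name: a.data_shelf_life for a in assets}
    return sorted(rows, key=lambda r: (not r[2], -shelf[r[0]]))


# Constructed sample inventory (illustrative values only).
SAMPLE_ASSETS = [
    Asset("customer-db-tls", "RSA", 2048, 5, 3),
    Asset("archived-contracts", "RSA", 3072, 15, 4),
    Asset("backup-encryption", "AES", 128, 12, 2),
    Asset("log-signing", "ECDSA", 256, 1, 2),
    Asset("disk-encryption", "AES", 256, 20, 1),
]

if __name__ == "__main__":
    for name, exposure, urgent in triage(SAMPLE_ASSETS):
        print(f"{name:20} {exposure:9} {'URGENT' if urgent else ''}")
```

Lowering `years_to_quantum` in `triage` shows how the urgent list grows as the assumed arrival date moves closer, which is the kind of scenario comparison the roadmap exercise calls for.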
It will not be easy for businesses to deal with cybersecurity once quantum computers see the light of day. CEOs have no choice but to think about how to deal with an unavoidable threat. As long as business leaders act decisively and early, they are likely to find ways to survive the Y2Q problem. However, they must remember that the quantum clock is already ticking.
François Candelon is a managing director and senior partner at BCG and global director of the BCG Henderson Institute.
Maxime Courtaux is project leader at BCG and ambassador at the BCG Henderson Institute.
Vinit Patel is project leader at BCG and ambassador at the BCG Henderson Institute.
Jean-François Bobier is a partner and director at BCG.
Some of the companies in this section are former or current customers of BCG.
The opinions expressed in Fortune.com’s comments are those of their authors only and do not reflect the opinions and beliefs of Fortune.
This story was originally on Fortune.com