With new generations of computers capable of breaking most existing forms of encryption potentially only a few years away, there is no time to waste when it comes to future-proofing technology, a computing expert warned attendees at a webinar hosted by the Midwest Reliability Organization.

The MRO webinar focused on the security risks posed by quantum computing, a form of computing based on the properties of subatomic particles that is believed to be capable of performing certain calculations exponentially faster than any other available computer.

Such machines could provide significant benefits in the form of accelerated drug discovery and chemical development, but will also endanger public key cryptography, which accounts for the vast majority of data encryption on today’s internet along with user, device and application authentication.

Although decoding the public keys generated by current methods requires vast amounts of resources and energy under traditional conditions without a mathematically linked private key, experts believe they will be trivially easy to crack with quantum computers.

The primary speaker at the webinar was Garfield Jones, senior vice president of global strategy and research at security firm QuSecure. He quoted recent research from Google indicating cryptographically relevant quantum computers (CRQCs) — the industry term for quantum computers capable of breaking public key encryption — may be easier to achieve than previously thought and therefore available within the next three years, far earlier than most estimates.

“When I first started this [work], we were looking at [the year] 2050” as the date when CRQCs would become a reality, Jones said. “Then we started looking at 2035, and now we’re looking at 2028 [or] 2029. Technology moves really, really fast, so that’s why we have to be up front and actually get aware and prepared for this.”

Adding to the urgency is the fact that digital spies don’t need to wait until CRQCs are available to steal data. Jones and other experts believe many threat actors are pursuing a “harvest now, decrypt later” (HNDL) strategy in which they store stolen encrypted information from target companies in anticipation of the development of CRQCs to decrypt it.

HNDL attacks are aimed at data in transit from one device to another. This kind of data is protected with public key encryption, as opposed to data in use — which is currently being processed in a user’s computer or smartphone and thus cannot be secured — and data at rest, which is kept in a physical storage medium, ideally under symmetric encryption keys.

No Shouting from Rooftops

The good news for electric utilities, Jones said, is that action is underway in multiple sectors to prepare for the world of post-quantum cryptography (PQC). Executive orders issued by Presidents Biden and Trump aimed to prepare the country for a PQC future by directing the Cybersecurity and Infrastructure Security Agency to publicize categories of products in which PQC is available and directing agencies to support quantum-safe protocols by no later than 2030.

Jones also reminded listeners that the National Institute for Standards and Technology in 2024 released a set of encryption tools designed to resist quantum cracking attempts and can be used with current technology. He urged utilities to adopt the new tools as soon as possible to ensure safe transmission of data in the future and to continue to monitor NIST for new algorithms to improve the initial set.

This work will not be accomplished overnight, Jones acknowledged. Utilities must not only adopt PQC in their internal systems after decades of accumulated experience working with traditional methods, but also push their vendors to do so as well. Robust implementation and funding plans will be needed to ensure long-term commitment.

Asked how experts can be sure a nation-state or other adversary does not already possess a CRQC, Jones answered simply, “We don’t.” He clarified that he thought it unlikely that the milestone had been reached because of the resources needed, but also warned listeners not to underestimate the ingenuity of their opponents.

Jones observed that programming advances have reduced the estimated computing resources needed to break public key encryption by a factor of 10 and suggested the advent of quantum decryption is not likely to be publicized.

“I don’t think there’s one right now, but when one does come online — I mean, if I owned it, I wouldn’t shout from the rooftops. I would just start using that [like] we did [in] World War II,” Jones said, referring to the successful efforts by Allied intelligence to break Germany’s Enigma encryption. “Just keep sending that data, and I’ll just keep reading every single thing.”