A thief capable of opening any lock with a universal key? This is precisely the threat that a cryptographically relevant quantum computer (CRQC) represents for encryption.
Since the 1970s, cryptography has played an essential role in protecting exchanges, transactions and sensitive online data. It is based on mathematical problems so complex that they are intractable for conventional computers. This security seemed unshakable until 1994, when Peter Shor demonstrated that a quantum algorithm could break these codes in record time, upending modern cryptography.
More recently, the NSA, the United States' National Security Agency, set 2035 as the date by which national defense systems are to be secured with algorithms resistant to quantum attacks, again placing the subject at the heart of business priorities.
The emergence of the quantum threat
$400 billion a year: that is the cost of downtime for the 200 largest companies in the world. In most cases, these incidents are linked to cybersecurity, or to application or infrastructure problems. With the development of post-quantum cryptography, the situation could well become even more complicated.
Could. Because yes, quantum computers already exist, but today they have neither enough qubits nor the stability needed to become CRQCs. However, this situation could change within ten to twenty years, making these machines capable of breaking current encryption systems. This is why it is essential for companies to anticipate this transition now.
In 2024, the ANSSI already highlighted the need to anticipate post-quantum cryptography in a first report on the state of solutions in France. It pointed out that although these technologies are still under development, this does not justify inaction. On the contrary, certain transitional measures should be put in place immediately, while others could be deployed gradually in the years to come.
A second report, focused on support and advisory services, reaches an equally worrying conclusion. It underlines the lack of initiatives on the part of both companies and providers, the latter explaining that their customers do not yet perceive the urgency of preparing for the quantum threat. The absence of regulation in this area contributes to this wait-and-see attitude.
These observations highlight the urgent need for collective awareness and for a regulatory framework that provides incentives, in order to propel the transition to cryptographic solutions ready to meet the challenges of the quantum era.
Prepare without giving in to panic
Although the boom in quantum computing raises many concerns, not all organizations are exposed in the same way. The priority is therefore to assess the real risks in order to prioritize the actions to be carried out.
The threat depends above all on the nature of the data. Information that is bound to lose its sensitivity over time does not require immediate protection. On the other hand, data that remains critical over the long term, such as data related to health or strategic infrastructure, must be included now in planning for the transition to post-quantum cryptography.
What is more, not all forms of cryptography are equally vulnerable to quantum attacks, which means that priorities can be refined further. In the same way that it is essential to prioritize system updates according to the threat, the severity of the impact and the criticality of the vulnerability, it is also necessary to determine which cryptographic assets to migrate first, if a migration is necessary at all. Some assets will reach end of life, others do not use cryptography that is vulnerable to quantum attacks, and still others will simply not contain sensitive data.
Preparing now remains beneficial. Carrying out an audit of infrastructure and critical data makes it possible to anticipate the transition while strengthening existing cybersecurity. Identifying which data is stored, its lifespan and the encryption mechanisms in place is an essential first step.
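The triage described in the paragraphs above, as an added example that is not part of the original article: each asset in an inventory is checked for quantum-vulnerable algorithms, sensitive data, planned end of life and data lifespan. The 10-year horizon (the lower bound of the estimate given earlier), the algorithm-family set, the decision labels and the inventory itself are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Public-key families broken by Shor's algorithm on a CRQC (added assumption;
# symmetric ciphers and hashes such as AES or SHA-2 are not in this set).
SHOR_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}

@dataclass
class Asset:
    name: str
    algorithms: tuple               # encryption mechanisms in place
    sensitive: bool                 # does the asset hold sensitive data?
    data_lifetime_years: int        # how long the data must stay confidential
    retire_in_years: Optional[int]  # planned end of life, None if not planned

def triage(asset, horizon_years=10):
    """Return (decision, reason) for one asset; horizon_years is an assumption."""
    exposed = [a for a in asset.algorithms if a.split("-")[0].upper() in SHOR_VULNERABLE]
    if not exposed:
        return "skip", "no quantum-vulnerable algorithm in use"
    if not asset.sensitive:
        return "skip", "no sensitive data"
    if asset.retire_in_years is not None and asset.retire_in_years < horizon_years:
        return "replace-at-eol", "reaches end of life before the horizon"
    if asset.data_lifetime_years < horizon_years:
        return "defer", "data loses its sensitivity before the horizon"
    return "migrate", "long-lived data behind " + ", ".join(exposed)

def plan(inventory, horizon_years=10):
    """Triage every asset; 'migrate' entries first, longest-lived data on top."""
    rows = [(a, *triage(a, horizon_years)) for a in inventory]
    rows.sort(key=lambda r: (r[1] != "migrate", -r[0].data_lifetime_years))
    return [(a.name, decision, reason) for a, decision, reason in rows]

# Constructed inventory for illustration only (hypothetical asset names).
INVENTORY = [
    Asset("patient-records-archive", ("RSA-2048", "AES-256-GCM"), True, 30, None),
    Asset("session-token-service", ("ECDH-P256", "AES-128-GCM"), True, 1, None),
    Asset("legacy-vpn-gateway", ("RSA-2048",), True, 15, 2),
    Asset("backup-encryption", ("AES-256-GCM",), True, 20, None),
    Asset("public-website-tls", ("ECDSA-P256", "ECDH-P256"), False, 0, None),
    Asset("scada-telemetry-link", ("ECDH-P256",), True, 25, None),
]

if __name__ == "__main__":
    for name, decision, reason in plan(INVENTORY):
        print(f"{name:24} {decision:15} {reason}")
```

Re-running the same triage with a different `horizon_years` shows how much of the migration list depends on the CRQC timeline assumed.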
Paradoxically, many organizations concerned about the quantum threat still neglect basic cybersecurity measures, such as regularly updating their systems. Louis Naugès, a recognized expert in the digital ecosystem, explains it well in this article of Incyber News: “As long as the 999 current digital security priorities are not addressed in French organizations, we can hardly focus on the thousandth subject: the risks that quantum computing poses to existing cryptographic solutions.”
Indeed, an obsolete infrastructure is much more vulnerable to current attacks than to a hypothetical CRQC. It is therefore essential to find a balance and to define your priorities well. At least at the beginning, CRQCs will only be accessible to sophisticated adversaries capable of collecting and storing enormous amounts of data today, that is to say nation states. And if these malicious actors already steal your data without difficulty – because your systems have not been updated for months, or even years – they will not suddenly change tactics and invest massively in expensive CRQCs.
The right approach is to carry out an assessment now, prioritize assets and be ready to migrate critical systems, products and data. Then do nothing, except update this assessment from time to time and concentrate security efforts elsewhere. It may not be the most spectacular solution, but it is sound cybersecurity advice. In any case, a precise inventory of your assets is a fundamental pillar of many security strategies, so you might as well use quantum as the excuse to finally obtain a clear view of your IT infrastructure.




