The road to quantum safety runs through the IT department and supply chain

By IBM

The threat of quantum computing is arriving faster than expected, and the first line of defence is not the cryptographers but the IT operations team, according to IBM’s Michael Osborne.

Quantum is moving from laboratories to data centres, with IBM operating quantum data centres in research institutions globally. Image: Canva

The window to implement cybersecurity that protects against the misuse of quantum computing is shrinking, said IBM Quantum Safe and Security Research’s Chief Technology Officer, Michael Osborne, at the Milipol TechX event on April 30 in Singapore.

 

For years, the threat of quantum computers being used to break traditional cryptographic encryption seemed like a theoretical construct.

 

Now, that assumption is under pressure, he noted.

 
Michael Osborne is the Chief Technology Officer of IBM's Quantum Safe and Security Research division. Image: IBM

Unlike traditional computers which test combinations sequentially, quantum computers can check a massive, parallel search space, drastically reducing the time required to break encryption.

 

Osborne’s presentation underscored a critical shift in the future threat landscape: recent optimisations to Shor’s algorithm have drastically lowered the quantum computing threshold required for adversarial actors to compromise public-key cryptography.

 

He noted that projected run times to break traditional cryptography have dropped from days to minutes.

 

The number of logical qubits (quantum bits), the fundamental units of quantum information needed to launch an attack, was also cut by half with this algorithm.

 

“This is pulling the timeline by which we need to have migrated a lot of cryptography forward,” he noted, to an era of post-quantum cryptography.

 

Osborne added that global regulatory bodies are bringing the date forward to prepare for such attacks.

 

IBM’s own quantum roadmap puts 200 logical qubits by 2029 as a meaningful threshold for running quantum algorithms to battle these quantum threats. The roadmap targets scaling that to around 2,000 logical qubits by 2033.

 

“Quantum is moving from laboratories to data centres,” he added, highlighting that IBM operates quantum data centres today with systems being rolled out to research institutions globally.

Not a cryptographer’s problem, but the IT department’s

 

The instinct is for governments to hand the quantum security responsibility to cryptographers. After all, it took cryptographers to develop new quantum-resistant algorithms.

 

Calling this the wrong strategy, Osborne highlighted that public agencies need instead to focus on updating software, upgrading libraries, and reconfiguring systems.

 

“The people who need to lead that work sit in risk management and IT operations; 95 per cent of everything that everybody has to do has nothing to do with cryptography,” he added.

 

The harder challenge is understanding what needs to be changed and when an update is available. Most governments do not know where cryptography lives across their own systems.

 

Over decades, hardware, networks, and applications have been built without a clear map of cryptographic dependencies, Osborne said.

 

He suggested starting with mapping dependencies, which would allow organisations to understand which systems relied on what protocols, which vendors supplied what, and what the sequencing constraints were.

 

While “not everything will be ready at once”, understanding the critical paths is what will determine whether an agency manages this cryptography transition or scrambles through it, Osborne said.

A particular challenge for Singapore

 

For Singapore's highly connected public sector, the picture is more complex and more urgent than in many other countries.

 

“Being more connected is actually more difficult when it comes to needing to migrate,” Osborne highlighted.

 

A change in one protocol can have downstream effects across agencies, financial institutions, and regulatory systems.

 

This is why regulatory authorities need to step up their game as orchestrators, helping to coordinate migration across these interdependencies rather than leaving each organisation to navigate them alone, he said.

 

Last year, the Cyber Security Agency of Singapore (CSA) launched two quantum computing-related resources.

 

One was the Quantum Readiness Index, a self-assessment tool for organisations to gauge their level of readiness for quantum threats and chart their migration journey towards quantum-safe systems.

 

The second was the Quantum-Safe Handbook to guide organisations, particularly Critical Information Infrastructure (CII) owners, to prepare for the transition to quantum-safe cryptography.  

AI improving AI

 

Artificial intelligence (AI) is seen as both a security threat and a practical tool to manage the cryptography transitions at scale, according to Osborne.

 

Calling it “AI improving AI”, he said that AI could be used to automate the governance, access controls and security checks.

 

With the advent of AI agents, he also called for a shift towards short-term digital identities for agents, which were temporary credentials created for a specific task and then destroyed, thus dramatically reducing the window of vulnerability.

 

“The full potential of AI can only be realised if it has access to all the data it requires,” he said.

When asked about talent, Osborne was optimistic that AI can partially address the shortage of cybersecurity professionals in the region.

 

“You need a slightly different perspective on talent simply because AI makes already talented people very efficient,” he said.

 

He also pointed to AI’s role in bridging the gap between expert knowledge and real-world implementation.

 

Cryptographers who previously had to translate their ideas through developers could now do so directly by “knowing what you want and how to ask for it.”

The imperative for public sector leaders

 

“You want to surf on the coming waves, or you're going to be swimming after them. It's a lot easier to surf,” said Osborne as the takeaway.

 

For governments, that means acting on three fronts: mapping dependencies across agencies and vendor chains jointly as an ecosystem; reframing quantum migration as an IT operations supply chain challenge; and investing heavily in AI and automation to deliver agility at scale.

 

While core cryptographic standards are now set, the IT protocols and vendor products implementing them will roll out at varying speeds over the next few years.

 

Consequently, tracking vendor and dependency roadmaps is a critical priority for your migration planning.

 

But what remains is for public sector leaders not to treat this as a future problem, but as an operational priority to be managed today.