Tag Archives: quantum computing

Navigating Security in the Remote Paradigm

Summary 

The current remote work situation has brought to light a three-part problem around security. First, it has created challenges in defending against traditional threats – both physical and information security. Second, emerging technologies promise new threats that will be all the more difficult to counter in remote settings. Third, the body of regulations mandating security measures vis-à-vis personal data is growing. Liability for breaches does not abate due to the current circumstances. The inherent vulnerabilities of the remote situation paired with likely advances in adversary tactics and threats from emerging technologies will challenge organizations to meet their regulatory security obligations. In this article, I will give an overview of these problems in isolation and discuss how they might combine. Finally, I will suggest some measures to take to begin to deal with this predicament. 

Introduction

At its core, a security program’s goals are the protection of life and the maintenance of the confidentiality, integrity and availability of information. 

The recent widespread shift to off-premises work has two primary distinguishing features from a security perspective: It expands or eliminates the organization’s physical perimeter and necessitates remote access to corporate networks as well as a far higher degree of dependence on information systems for communication between employees. These factors upend an entity’s normal process of security assessments and controls and create fertile ground for both traditional and emerging threats. With unsupervised personnel and data dispersed to uncontrolled locations, using various means to access organizational networks, numerous varieties of threats abound.

Categories of vulnerabilities and threats for which there were standard controls and processes in the traditional setting require rethinking in this new reality. Likewise, emerging technologies pose novel threats. We can expect adversaries to continue to adapt to changing conditions of work by capitalizing on physical vulnerabilities and developing increasingly sophisticated and clever implementations of both existing and new technologies. 

At the same time, targeted organizations and individuals continue to bear the costs and liabilities of adversary actions. Victim entities may suffer direct losses from attacks. In addition, cybersecurity requirements related to privacy and penalties for failure to comply grow with each new law without regard to the remote work situation. This creates a difficult bind for defenders and all types of enterprises and individuals who control the data of others. 

There are, however, steps that can be taken to address these concerns. Now, more than ever, defenders will see the advantage of relying on skilled security personnel and cross-disciplinary leaders and teams as well as adopting an approach to security that recognizes that cyber and physical security are intertwined.  

While the long-term status of the recent shift to work-from-home remains unclear, inherent vulnerabilities of the remote paradigm combined with threats based on new technologies present an opportunity for reflection on the status of future contingency plans and demand the attention of executives, counsel, security professionals and insurance providers now. 

How the Remote Paradigm Interacts With Security for Traditional Threats  

Effective security programs apply technical, physical and administrative controls or countermeasures to assessed vulnerabilities, threats and risks. While not always uniformly or well-applied, and noting that threats are continually evolving, standards are generally well-developed in the context of traditional workplaces and often in the case of small groups of workers who require remote access, such as members of sales teams and business travelers. 

The remote paradigm expands or eliminates the physical perimeter and forces remote access and communication, with serious significant consequences for security controls. 

In very general terms, an expanded perimeter leads to: 

  1. Less physical control over information systems and data
  2. Technical/physical vulnerabilities (e.g., potential adversary access to residential Wi-Fi) 
  3. Less physical security over personnel (e.g., threats to their physical safety) 
  4. Less supervision over staff 
    1. complicating application of administrative controls such as job rotation 
    2. greater potential for problems from insider threats – both witting and unwitting 

In equally general terms, remote access and communication means: 

  1. Inherent technical vulnerabilities to data – both at rest and in transit 
  2. Proliferation of endpoints and lack of control over these 
  3. Reliance on communication between remote users and the need for out-of-band communication
  4. Communications involving proprietary data (e.g., trade secrets) and sensitive activities (e.g., engineers working on live systems) that normally occur in controlled settings and may now be conducted remotely
  5. Increased reliance on, and accelerated migration to, the cloud 

Organizations have established processes for addressing traditional threats in the context of the status quo. The remote paradigm entails significant changes to the security process. Categories of vulnerabilities, threats and risks that are relatively well-managed in an on-site setting must be reconsidered when the whole enterprise is operating remotely. Adversaries are left to their imagination in ways to overcome whatever security measures may (or may not) be in place in the many home offices from which employees operate. 

Beyond considerations around configuration management, security professionals must be aware of the potential presence of Internet of Things devices such as smart appliances and smart speakers that may have implications from both a technical and physical security perspective.

In addition, two newly established threats can have significant potential ramifications in a remote environment. In “Zoom bombing,” someone who is not supposed to be involved in a meeting can disrupt it, eavesdrop or alter the message. In other words, the person can interfere with the confidentiality, integrity or availability of information. Secondly, a well-made deep fake can be very damaging to an organization if, for example, it falsely portrays an employee acting in a way that runs counter to the entity’s interests. These threats are particularly problematic in remote settings because communication and public messaging is complicated and potentially interfered-with. 

See also: Getting Back to Work: A Data-Centric View

Emerging Threats 

At the same time as the remote paradigm complicates existing threats, new threats are on the horizon with emerging technologies. As with traditional threats, emerging threats will pose more of a problem in the remote environment. Here, we will consider some potential malevolent applications of quantum computing, artificial intelligence/machine learning (AI/ML) and real-time deep fakes. 

Both quantum computing and AI/ML are broad new technologies with myriad potential beneficial implementations as well as malevolent uses by adversaries. 

Practical applications of quantum computing are not yet reported to be in use outside of a laboratory setting. However, there is a quantum arms race underway due in large part to the fact that quantum computing will revolutionize cybersecurity. Quantum computing is predicted to make child’s play of current encryption. Remarkably, it may be possible to apply quantum decryption of current protocols retrospectively. That is, traffic might be recorded today and replayed through future quantum decryption tools to decrypt it later. This could have dramatic implications for organizations to the extent that they rely on current encryption to safeguard sensitive communications that will remain sensitive. The current predicted timeframe for widespread use of quantum technology varies; however, three recent developments suggest it may be accelerating. First, processor power has been improving exponentially. Second, the U.S. Department of Energy recently unveiled a blueprint report to develop a national quantum internet. Third, given the threat of quantum computing to current cryptography, the National Institute of Standards and Technology (NIST) aims to develop a post-quantum cryptography standard by 2022. 

Moving to AI/ML, adversaries are already using the beneficial features of AI/ML in numerous malicious ways. For example, AI/ML can obfuscate an attacker’s location and identity and augment traditional attacks, providing additional power and scale. Malevolent uses will continue to evolve to enable far more sophisticated attacks. Recent developments involving photon-based chips have moved us closer to AI/ML that learns independently at the speed of light.   

Judging anecdotally from the preponderance of articles and developments in both AI and quantum, we may be at a tipping point for both.

Although enabled by AI/ML, deep fakes are a sufficiently rare use case as to merit their own mention. Separate from the pre-recorded deep fakes discussed above, it is now possible to create a deep fake in real time. The primary concern with real-time deep fakes is that an adversary could appropriate the likeness of an employee, infiltrate an internal or external video teleconference, convince an audience of the veracity of the messages and influence outcomes. It is also possible to imagine that a real-time deep fake could falsely portray an individual engaging in some sort of behavior that is damaging to the organization.

Whether in a traditional setting or operating at a distance, these emerging threats are problematic. However, the remote environment continues to provide adversaries with more opportunity due to the expansion or elimination of the physical perimeter and the necessity of remote access and communication. 

Some Scenarios

Having looked at the inherent problems of the remote paradigm and some of the emerging technologies, consider some edge cases. Each of these is presented in its starkest form and capitalizes on weaknesses in a generic remote model. 

The first scenario stems from advanced persistent threats (APTs). APTs are insidious in that they tend to burrow into an information system and lie in wait or operate undetected, frequently exacting a heavy toll. They can benefit from emerging technologies of AI and ML as well as the security shortcomings and potential chaos around the current remote work situation. 

The next general category of threats has to do with physical violence against employees operating away from corporate offices or in settings that are not within a security perimeter managed by the organization. This could range from a kidnapping to a home invasion and assault or murder. Likewise, as in a remote bank robbery, an employee could be forced to take actions against an organization’s interests under duress. 

Next is the new category of real-time deep fakes. The real danger to organizations with this technology is the prospect of a real-time deep fake during an internal or external communication. At a minimum, this could interfere with the confidentiality, integrity and availability of information. At worst, such a tactic could be used as a ruse to outright direct the actions of employees or outside interlocutors. 

Finally, a very serious and dramatic threat is that an adversary could take advantage of the various attack vectors available combined with the weaknesses in the remote paradigm to completely divert the organization’s resources to his or her uses for a time. Far more damaging than ransomware, this could constitute a total takeover. This might involve a mix of physical force and real-time deep fakes as well as other technical weaknesses inherent in remote communications. Further, the attacker could rely on an entity’s lack of out-of-band communication or other successful means of authentication to ensure that he or she is able to carry out the plan. This is admittedly an extreme, worst-case scenario. A far more nuanced possibility would involve an attacker subtly manipulating corporate resources using scaled-down versions of the same tactics. 

Considering these scenarios, readers might be tempted to ask who would do these things and why. 

The potential cast of bad actors and motives is the same as always. It ranges from opportunistic “script kiddies” to activists to common thieves and organized criminals to nation-states. What is different here is that the how becomes easier. Further, bad actors may be emboldened by the lack of traditional security controls and barriers. Simply, someone not otherwise inclined to physically access a system or commit violence in the service of what could be a relatively white-collar crime might make a calculated decision that the risks involved are not prohibitive relative to the rewards. In a traditional environment, corporate security and access control measures would ordinarily discourage the mere consideration.  

Potential Consequences 

These threats can cause a variety of harms – physical harm to people, exposure of private data, financial loss to shareholders and damage to the organization through lost profits, regulatory trouble and reputational harm. 

Regardless of other priorities, any entity’s first concern must be mitigating increased risk to remote employees stemming from their employment. Should harm come to pass, there could possibly be civil liability, but safety is the first priority.   

The next area for concern is data privacy. Nearly all entities hold personally identifiable information (PII) of some sort, even if it is little more than the data of their own employees. If a breach exposes that data, liability to data holders (customers, employees, vendors) or shareholders may ensue. Likewise, chances are that a given entity is bound by at least one of the ever-growing number of industry- or regional-specific regulations addressing cyber security and privacy.

In the U.S. alone, there are multiple regulatory regimes and regulators that address PII and security – the California Consumer Privacy Act (CCPA), the Sarbannes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability Accountability Act (HIPAA) and the Payment Card Industry-Data Security Standard (PCI-DSS), as well as those falling under the jurisdiction of the New York State Division of Financial Services (NYSDFS), the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) – and the list is growing. Meanwhile, the GDPR has major implications for organizations whose operations have a connection to Europe.

In some cases, the obligations are clear, while in others, what exactly a business is required to do vis-à-vis PII is opaque. For instance, both the FTC and CCPA refer to a requirement to implement “reasonable” data security, without providing much clarity on what constitutes “reasonable.” The sum and substance of these requirements is that even when, or precisely when, they are the victim of an attack, organizations remain obligated to provide a given measure of security over PII. 

Although beyond the scope of this article, organizations might consider potential downstream effects should their systems be used as a launching point for attacks on third parties, as well as impacts on the performance of contracts. 

Finally, the takeover or even meddling with a given entity’s operations is clearly likely to have severe direct consequences to the enterprise itself. For a business, this could include loss of revenue during down time, siphoning of productivity and damage to reputation, among other potential consequences. 

What Organizations Can Do

I hope it is clear that there are some immediate problems that merit attention. In this situation, one of the worst things to do would be to deny the problem and do nothing. 

Moving forward, organizations should start by asking whether the remote situation is temporary or permanent. For any entity that has plans to return to full on-site operations in the very near term, some of these considerations may be less pressing. 

For all other entities, the first concern is how to improve security in the remote situation. The best thing any organization can do is to hire, fund and take the advice of a competent chief security officer, chief information security officer and counsel, who should work together on issues of physical security, information security and administrative controls. Preferably, the CSO and CISO will take a holistic view of security favoring a convergence approach, where appropriate. If an organization does not currently have the benefit of competent or sufficient in-house security personnel, a firm specializing in security may be a viable option in the short term.  

Developing and adjusting security controls to the remote paradigm is a challenge, but it is not insurmountable. What follows is a non-comprehensive list of recommendations that can be taken related to certain key steps. 

From an information and technology security perspective, this starts with knowing the enterprise’s network, what machines are connected to it and the identity and location of the organization’s crown jewels. Organizations must decide whether the risks of allowing certain business functions that may have only historically occurred in dedicated spaces and via hardline connections (such as discussions of trade secrets and access to live/production systems for engineers) should occur remotely. Likewise, organizations must make decisions related to approved devices, means of accessing corporate networks and standardized security procedures (e.g., securing Wi-Fi). Organizations should also decide on remote identity and access management, to include the use of two-factor authentication. Organizations should consider engaging outside security firms to assist with these assessments as necessary, to audit physical and cyber security through penetration testing and, potentially, to conduct employee training. 

Administrative controls are more difficult. Given the variety of harms that can arise directly from human behavior, leaders need to find a way to encourage and maintain a culture of security despite the lack of physical proximity. Witting and unwitting insiders have much more room to cause damage away from supervision and peers. Organizations need to find ways to implement controls such as those related to access management and job rotation, among others. Education and training, particularly around topics such as spear phishing and authorized uses of corporate networks, should be designed with an emphasis on the remote setting. Employees should be given incentives to comply with security. Security managers need to stay abreast of trends in employee malfeasance around remote work as well as emerging best practices in this new area. 

Physical security will also prove challenging. Organizations should consult with counsel to determine their obligations to employees and tailor programs to meet these needs. Just as enterprises assess the sensitivity of their data systems, they should also assess the exposure of their personnel. For certain high-risk employees, it may be wise to consider implementing off-premises physical security measures or, at the very least, training. 

For all types of enterprises, whether they plan to return to on-site operations now or not, there are some common considerations. First, they should consider the possibility that clever and determined adversaries may have taken advantage of this period during which their guard has been down to some degree to access systems and plant malware or establish an unauthorized presence on the organization’s systems. With this in mind, organizations should carefully examine their networks for indicators of compromise. Likewise, they should consider that this has been a period in which insiders have had an opportunity to grow bolder. Security departments should step up their efforts to detect insider threats. 

See also: Keeping an Eye on Consumer Privacy

In the longer term, all organizations can take certain additional measures. This period has proven fortuitous in a number of ways. First, it can be treated as a practical drill. All entities should conduct an after-action review. Leadership at all levels from individual teams to the C-suite and boards should sit down and discuss what went right and wrong. Where business continuity plans and other policies and procedures did not match with reality, they should be rewritten. We’ve been handed a real-world opportunity to improve upon our posture. 

One specific action all sorts of entities should ensure is that they have reliable out-of-band communication and authentication. This is absolutely essential. In the event of a form of takeover such as the doomsday scenario proposed above, an organization needs a reliable and immediate way of verifying information, authenticating its source and enacting contingency plans should it become necessary. 

The various regulatory obligations to provide measures of security over PII imply a responsibility to keep up to date on shifting threats and vulnerabilities that stem from changing environments and emerging technologies. Organizations are on notice that they must begin to find ways to ensure they are meeting their obligations to develop measures to provide security against these threats. In other words, organizations are on notice. The fact that NIST has a public target date for its first quantum security standard provides some saliency around this. Some companies have already taken action along these lines. 

It does not appear as though exceptions will be made for shortcomings in security in the current situation, for example under NYSDFS rules and the CCPA. However, the rules of the road for the remote paradigm are being written as we speak. Organizations should use this opportunity to help write them. They should also develop relationships with law enforcement and regulators. They should join industry ISACs and other relevant security groups. Groups such as the IAPP and SANS also offer a wealth of information for professionals interested in working to improve their processes. In consultation with counsel and security professionals, all enterprises need to consider what constitutes acceptable security measures in the current situation and with awareness of emerging technologies. 

Of course, organizations should consider which forms of insurance are best-suited to the purposes of the scenarios laid out above. Cyber insurance and kidnapping and ransom may apply.

Conclusion 

We are facing three simultaneous game-changers – the remote paradigm, emerging technologies and increasingly prescriptive privacy regimes. At the same time, adversaries are taking advantage of this time to invest in research and development. Victim enterprises continue to bear many of the costs. 

The current remote work situation may continue, we may return to normal or we may find itself somewhere in the middle. Regardless, this time presents an opportunity to look at our approach to remote situations. By extension, it should be a time to examine and adjust business continuity plans, many of which may have been found lacking in this experience. Moving away from the remote setting, this experience highlights many aspects of traditional security that can benefit from fresh work. Again, it calls for a recognition of the increasing interdependence of physical and information security. Further, overall, this period should demonstrate the need for competent security officers and cross-disciplinary teams dealing with security at the highest levels of the organization as well as the need to invest in comprehensive security and exercise plans meaningfully. 

Disclaimer: This article is intended as general educational information, not as security guidance with respect to any specific situation or as legal advice. If the reader needs legal advice, the reader should consult with an attorney.

The Race Is on for ‘Post-Quantum Crypto’

Y2Q. Years-to-quantum. We’re 10 to 15 years from the arrival of quantum computers capable of solving complex problems far beyond the capacity of classical computers to solve.

PQC. Post-quantum-cryptography. Right now, the race is on to revamp classical encryption in preparation for the coming of quantum computers. Our smart homes, smart workplaces and smart transportation systems must be able to withstand the threat of quantum computers.

Put another way, future-proofing encryption is crucial to avoiding chaos. Imagine waiting for a quantum computer or two to wreak havoc before companies commence a mad scramble to strengthen encryption that protects sensitive systems and data; the longer we wait, the bigger the threat gets.

The tech security community gets this. One recent report estimates that the nascent market for PQC technology will climb from around $200 million today to $3.8 billion by 2028 as the quantum threat takes center stage.

I had the chance to visit at RSA 2019 with Avesta Hojjati, head of research and development at DigiCert. The world’s leading provider of digital certificates is working alongside other leading companies, including Microsoft Research and ISARA, to gain endorsement from the National Institute of Standards for breakthrough PQC algorithms, including Microsoft’s “Picnic”and ISARA’s qTESLA.

See also: Cybersecurity for the Insurance Industry  

Hojjati outlined the challenge of perfecting an algorithm that can make classical computers resistant to quantum hacking — without requiring enterprises to rip-and-replace their classical encryption infrastructure. For a full drill down of our discussion, give a listen to the accompanying podcast. Below are excerpts edited for clarity and length.

LW: What makes quantum computing so different than what we have today?

Hojjati: The main difference is that a classical computer is able to digest a single value (single bit) at a time,  either a zero or a one. But quantum computers are storing information in quantum bits or “qubit.” Quantum computers are able to digest 0, 1 and superposition state of both 0 and 1 to represent information. And that’s where their performance excels.

Just how fast a quantum computer can perform is based on the number of qubits.  However, whenever you’re increasing the number of qubits, you introduce the possibility of error, so what you actually need is stable qubits. Another problem is that quantum computing produces a lot of heat. So the problems of errors and heat still need to be solved.

LW: How close are we to a quantum computer than can break classical encryption?

Hojatti: To break a 400-bit RSA key, you would need to have a 1,000-qubit quantum computer, and the closest one that I have seen today is Google’s, which has around 70 qubits. That’s not enough to break RSA at this point. That being said, we’re in a transition period, and we shouldn’t wait around for quantum computers to be available to transition to post-quantum crypto.

LW: What’s the argument for doing this now?

Hojjati: It takes some forward thinking from the customer side. Do you really want to wait for quantum computers to be available to change to post-quantum crypto? For example, are you willing to distribute 10,000 IoT sensors today and then pay the cost down the line when a quantum computer is there to break the algorithm? Or are you willing to push out hybrid (digital) certificates into those devices, at the time of production, knowing they’re going to be safe 20 or 30 or 40 years from now?

LW: Can you explain “hybrid” certificate?

Hojjati: A hybrid solution is a digital certificate that features a classical crypto algorithm, like RSA or ECC, alongside a post-quantum crypto algorithm — both at the same time. It’s a single certificate that, by itself, carries two algorithms, one that allows you to communicate securely today; and the other algorithm will be one that the NIST currently has under review.

Picnic, for instance, was submitted by Microsoft Research and is one of the post-quantum crypto algorithms under NIST review; the other is qTESLA, which was submitted by ISARA Corp. A hybrid digital certificate provides the opportunity for customers to be able to see how a post-quantum crypto algorithm can work, without changing any of their infrastructure.

See also: Global Trend Map No. 12: Cybersecurity  

LW: So you take one big worry off the table as numerous other complexities of digital transformation fire off?

Hojjati: Absolutely. This is one of the elements of security-by-design. When you’re designing a device, are you thinking about the threats that are going to happen tomorrow? Or are you considering the threats that are going to happen 10 or 20 years from now? Solving this problem is actually doable today, without changing any current infrastructure, and you can keep costs down, while keeping the security level as high as possible.

Quantum Computers: Bigger Than AI?

Elon Musk, Stephen Hawking and others have been warning about runway artificial intelligence, but there may be a more imminent threat: quantum computing. It could pose a greater burden on businesses than the Y2K computer bug did toward the end of the ’90s.

Quantum computers are straight out of science fiction. Take the “traveling salesman problem,” where a salesperson has to visit a specific set of cities, each only once, and return to the first city by the most efficient route possible. As the number of cities increases, the problem becomes exponentially complex. It would take a laptop computer 1,000 years to compute the most efficient route between 22 cities, for example. A quantum computer could do this within minutes, possibly seconds.

Unlike classic computers, in which information is represented in 0’s and 1’s, quantum computers rely on particles called quantum bits, or qubits. These can hold a value of 0 or 1 or both values at the same time — a superposition denoted as “0+1.”  They solve problems by laying out all of the possibilities simultaneously and measuring the results. It’s equivalent to opening a combination lock by trying every possible number and sequence simultaneously.

Albert Einstein was so skeptical about entanglement, one of the other principles of quantum mechanics, that he called it “spooky action at a distance” and said it was not possible. “God does not play dice with the universe,” he argued. But, as Hawking later wrote, God may have “a few tricks up his sleeve.”

See also: The Race to Quantum Computers  

Crazy as it may seem, IBM, Google, Microsoft and Intel say that they are getting close to making quantum computers work. IBM is already offering early versions of quantum computing as a cloud service to select clients. There is a global race between technology companies, defense contractors, universities and governments to build advanced versions that hold the promise of solving some of the greatest mysteries of the universe — and enable the cracking open of practically every secured database in the world.

Modern-day security systems are protected with a standard encryption algorithm called RSA (named after Ron Rivest, Adi Shamir and Leonard Adleman, the inventors). It works by finding prime factors of very large numbers, a puzzle that needs to be solved. It is easy to reduce a small number such as 15 to its prime factors (3 and 5), but factoring numbers with a few hundred digits is extremely hard and could take days or months using conventional computers. But some quantum computers are working on these calculations, too, according to IEEE Spectrum. Quantum computers could one day effectively provide a skeleton key to confidential communications, bank accounts and password databases.

Imagine the strategic disadvantage nations would have if their rivals were the first to build these. Those possessing the technology would be able to open every nation’s digital locks.

We don’t know how much progress governments have made, but in May 2016 IBM surprised the world with an announcement that it was making available a five-qubit quantum computer on which researchers could run algorithms and experiments. It envisioned that quantum processors of 50 to 100 qubits would be possible in the next decade. The simultaneous computing capacity of a quantum computer increases exponentially with the number of qubits available to it, so a 50-qubit computer would exceed the capability of the top supercomputers in the world, giving it what researchers call “quantum supremacy.”

IBM delivered another surprise 18 months later with an announcement that it was upgrading the publicly available processor to 20 qubits — and it had succeeded in building an operational prototype of a 50-qubit processor, which would give it quantum supremacy. If IBM gets this one working reliably and doubles the number of qubits even once more, the resultant computing speed will increase, giving the company — and any other players with similar capacity — incredible powers.

Yes, a lot of good will come from this, in better weather forecasting, financial analysis, logistical planning, the search for Earth-like planets and drug discovery. But quantum computing could also open up a Pandora’s box for security. I don’t know of any company or government that is prepared for it; all should build defenses, though. They need to upgrade all computer systems that use RSA encryption — just like they upgraded them for the Y2K bug.

Security researcher Anish Mohammed says that there is substantial progress in the development of algorithms that are “quantum safe.” One promising field is matrix multiplication, which takes advantage of the techniques that allow quantum computers to be able to analyze so much information. Another effort involves developing code-based signature schemes, which do not rely on factoring, as the common public key cryptography systems do; instead, code-based signatures rely on extremely difficult problems in coding theory. So the technical solutions are at hand.

See also: Dark Web and Other Scary Cyber Trends  

But the big challenge will be in moving today’s systems to a “post-quantum” world. The Y2K bug took years to remediate and created fear and havoc in the technology sector. For that, though, we knew what the deadline was. Here, there is no telling whether it will take five years or 10, or whether companies will announce a more advanced milestone just 18 months from now. Worse still, the winner may just remain silent and harvest all the information available.

The Race to Quantum Computers

While much of the media attention has been focused on the race among nations to develop the most powerful artificial intelligence systems, an equally crucial race has been heating up: the race to build the first working quantum computers.

As progress in the field accelerates at an exponential rate, 2018 should see an avalanche of breakthroughs. It is a race for “quantum supremacy,” when a quantum computer demonstrably and markedly outperforms a classical supercomputer for any class of problems.

Booth Google and IBM, two leaders in quantum computing, have laid out plans to achieve this goal. Intel  also has a horse in the race, announcing a new 49 qubit neuromorphic chip designed for quantum computing research.

See also: Digital Transformation: How the CEO Thinks  

The stakes are enormous. Quantum computers promise to set a new paradigm for solving some of the hardest math and computing problems today—problems such as analyzing the interactions of multiple genes in health outcomes, modeling the energy states of chemicals and predicting the behavior of atomic particles. They also might make the internet inherently insecure by quickly cracking modern cryptography used to lock our IT infrastructure and the web.

One thing is for sure: The era of quantum computing is coming on soon, and the world will never be the same.

Put simply, quantum computers use a unit of computing called a qubit. While regular semiconductors represent information as a series of 1s and 0s, qubits exhibit quantum properties and can compute as both a 1 and a 0 simultaneously. That means two qubits could represent the sequence 1-0, 1-1, 0-1, 0-0 at the same moment in time. This compute power increases exponentially with each qubit. A quantum computer with as few as 50 qubits could, in theory, pack more computing power than the most powerful supercomputers on earth today.

This comes at a timely juncture. Moore’s Law dictated that computing power per unit would double every 18 months while the price per computing unit would drop by half. While Moore’s Law has largely held true, the amount of money required to squeeze out these improvements is now significantly greater than it was. In other words, semiconductor companies and researchers must spend more and more money in R&D to achieve each jump in speed. Quantum computing, on the other hand, is in rapid ascent.

One company, D-Wave Systems, is selling a quantum computer that it says has 2,000 qubits. However, D-Wave computers are controversial. While some researchers have found good uses for D-Wave machines, these quantum computers have not beaten classical computers and are only useful for certain classes of problems—optimization problems. Optimization problems involve finding the best possible solution from all feasible solutions. So, for example, complex simulation problems with multiple viable outcomes may not be as easily addressable with a D-Wave machine. The way D-Wave performs quantum computing, as well, is not considered to be the most promising for building a true supercomputer-killer.

Google, IBM and a number of startups are working on quantum computers that promise to be more flexible and likely more powerful because they will work on a wider variety of problems. A few years ago, these flexible machines of two or four qubits were the norm. During the past year, company after company has announced more powerful quantum computers. In November 2017, IBM announced that it has built such a quantum machine that uses 50 qubits, breaking the critical barrier beyond which scientists believe quantum computers will shoot past traditional supercomputers.

The downside? The IBM machine can only maintain a quantum computing state for 90 microseconds at a time. This instability, in fact, is the general bane of quantum computing. The machines must be super-cooled to work, and a separate set of calculations must be run to correct for errors in calculations due to the general instability of these early systems. That said, scientists are making rapid improvements to the instability problem and hope to have a working quantum computer running at room temperature within five years.

And here’s where the confluence of quantum computing and AI looks so promising. As we are seeing the first major impacts of wide-scale artificial intelligence, we are also realizing that classic semiconductor-based computing limits our ability to solve the biggest problems that we had hoped artificial intelligence could tackle. They expect quantum computers to start performing very useful calculations well before they’re ready to leave the freezer.

See also: 7 Steps for Inventing the Future  

Quantum computing promises to step into that breach and provide the rocket fuel needed to solve these grand challenges. Precisely targeted medical treatments, radically cheaper energy production and new types of super-strong materials are all breakthroughs that quantum computing could make possible by performing billions and billions of calculations simultaneously in a relatively small package. Google researchers demonstrated the promise when they used quantum computing to simulate the electron structure of a hydrogen molecule, a key step toward moving chemical design from empirical measurement and educated guesses to more proper engineering and simulation. (This will also work for drug discovery.)

The perils of quantum computing are also real. Quantum computers will be able to easily crack most forms of encryption in use today (although security experts are already at work on creating codes that are not crackable by qubit attack). Should Russia or China, for example, gain quantum computing dominance—which is entirely possible—they could use their advantage for even more sophisticated hacking and decrypting of encoded communications.

Between governments, big companies, startups and university labs, some of the brightest engineering minds are rushing toward quantum supremacy. This literally could shift the global balance of power.

This article was written by Vivek Wadhwa and Alex Salkever.