Government told to prepare for quantum computers able to break encryption
by Phil Pennington · RNZ

Government agencies have been told to start preparing for quantum computers able to break the encryption around sensitive public data and many other types of data.
It is part of a global race in the face of what a New Zealand expert says are the "scary" efforts to "harvest now, decrypt later", an effort that already has its own acronym, HNDL.
"So anything you send now, maybe in five years' time might not be secure anymore," said Professor David Hutchinson of Otago University who is on an OECD quantum computing expert advisory panel.
America's had a law on this since 2022, and the US Federal Reserve recently put out a paper talking about a "bad actor" harvesting data "in the fullness of time reveal[ing] previously obfuscated and confidential data using a sufficiently powerful quantum computer".
An OECD paper last year said HNDL attacks were one reason to move now.
Hutchinson said virtually all current systems had encryption that would not withstand quantum computers.
"So your internet security protocols, your banking, things that keep information safe within government, everything was based largely on a security protocol... based on factorisation of prime numbers and that's used ubiquitously through whenever we share information, be that through the internet or when you put your PIN number in at the bank machine."
Banks were moving on this, he said.
And Treasury had told public agencies it wanted to see signs they were getting ready.
"Agencies will need to invest in PQC [post-quantum computing] solutions before the first fully error-corrected quantum computer is expected to come online in 2030," it said in a report last year that briefly mentioned cyber protection investment.
But at the time they weren't.
"Investment proposals demonstrate that agencies are not dedicating enough time and resourcing to address cyber security challenges, adapt to emerging technologies and prepare for future threats," said the report from the Government Chief Information Security Officer (GCISO) to Treasury.
'People know what's coming'
The National Cyber Security Centre (NCSC) told RNZ on Tuesday that agencies were aware and it and the GCISO were working across government to support investment and decision making.
It was widening the list of approved algorithms to include post-quantum ones developed by international standards bodies.
The leading standards-setting tech body in the US, the NIST, so far had three post-quantum algorithms ready to go.
"Aligning New Zealand with international standards ensures that agencies can give suppliers clear technical specifications," said the NCSC.
This would help with the specs when shopping for stronger systems - but not with the cost. Government agencies are already grappling with directives to buy or build fewer bespoke systems in order to try to rein in whopping IT upgrade bills.
Hutchinson said there was "very poor awareness" in the banking sector and various military agencies when they ran a forum on this in parliament before the pandemic.
"I would say that there's been a sea change in that.
"People know what's coming.
"The question is just whether we will roll things out fast enough to beat when someone has a full sort of quantum computer available."
Last year's report to Treasury talked of the GCISO wanting to see how agencies were going with this.
But the watchdog was tight-lipped: "The NCSC will not disclose investments on cyber security of agencies, or any agencies we may focus on. Investment information is budget sensitive and identification of individual agencies could expose them to additional cyber security risk."
This suggested that information on how agencies prepared, or even if they failed to, might not be revealed to the public.
The GCISO and Government Digital Delivery Agency were setting the digital 'Target State' for government to help get investments aligned with advice on quantum in the main official cyber security manual, the NZISM, said the NCSC.
The OECD paper said people should start now because cryptography was so fundamental and because it could take up to 20 years to make the transition "given the vast number of actors and devices involved".
Hutchinson said some devices, such as security cameras, might not be able to be quantum-proofed at all.
"One scary element is that there are agencies that we're aware of that are sweeping up internet traffic," he said. "So this is encrypted data that they can't decrypt now, but they're just going to store and they can decrypt it later."
Reuters in a 2023 report detailed a US versus China "race to shield secrets from quantum computers," and last month reported how "quantum computing is inching closer to its ChatGPT moment" when generative AI suddenly took off.
"I wouldn't say that we're ahead of the game," said Hutchinson of the global efforts.
"I think we're aware of the game and I do, but I do think more work needs to be done."