Ever since Google and Cloudflare announced that they were going to accelerate their “post-quantum” preparation dates from the US government’s currently recommended 2030/2035 dates to 2029, the world has realized that quantum “Q-Day” is soon to be upon us.

Will your organization be prepared?

Q-Day refers to the day when the world publicly learns that some entity has achieved a sufficiently-capable quantum computer that is capable of cracking most of today’s asymmetric (private/public key) cryptography, like RSA, Diffie-Hellman, ElGamal, and Elliptic Curve Cryptography.

That cryptography is embedded in almost every piece of software and electronic device we own. The Internet runs on it. Our wireless networks run on it. Our cell phones run on it.

And because of Q-Day the quantum-susceptible cryptography it uses needs to be replaced before Q-Day, if not sooner.

What’s so special about quantum computers?

Everything only works because of quantum physics. Even our current computers only work because of quantum physics. It’s the way the world works, you, me, and our current computers and devices.

What is different is that quantum computers and devices work using sub-atomic particles (known as elementary particles) that cannot be further broken down into any further constituent parts. Elementary particles include electrons and photons, the elementary particles most used by quantum computers and devices.

Today’s convention computers, known as classical computers, use millions of elementary particles to indicate a binary digit (bit), such as a 1 or a 0). For example, it might take a million electrons to make enough of a voltage charge for a classical computer to register that voltage as a 1.

In contrast, a single electron can indicate a 0 or a 1 in a quantum computer or device. And those single quantum particles have properties that allow for some incredible types of computing that just are not possible using classical computers.

For example, a sufficiently-capable of quantum computer can crack an asymmetric encryption key in seconds to minutes that would take a classical computer billions and billions of years to do, if it ever could.

We’ve been anticipating Q-Day ever since Dr. Peter Shor released his quantum algorithm back in 1994 (years before the first quantum computer existed), showing that with sufficiently-capable quantum computers, the world’s secrets protected by the most popular cryptography could be easily and quickly broken.

Since then, quantum experts have been debating when Q-Day would come. For the last 5 or so years, most experts and the US government have said you need to be fully converted to “post-quantum” cryptography (PQC) by 2035.

But lately, the world’s largest and most knowledgeable vendors and a slew of other countries have been moving up the Q-Day preparation date.

These days the most common Q-Day preparation dates (the date when you should have moved all your quantum-susceptible cryptography to post-quantum cryptography (not thought to be susceptible to quantum attacks) is moving up to 2029 or earlier.

Some countries have said that critical data and infrastructure should be converted by 2027 (just months away).

No one knows when Q-Day will truly happen, but you should already be working to move your organization to a post-quantum cryptography state.

A summarized post-quantum plan for any organization

Here are the basic major steps any organization can follow to get post-quantum:

• Educate senior management about Q-Day and the need to become post-quantum.
• Create an official “Post-Quantum” (PQ) project, with executive sponsorship, a dedicated project leader, resources, and funding. Your PQ project is likely to be among the most expensive and extended IT projects your organization will undertake. You need to get going now.
• Do a data protection inventory, where you identify where critical data is stored, processed, and transmitted, and inventory what cryptography is used to protect it, and what the maximum cryptography is (e.g., type, key size, etc.) that can be configured without needing upgrades or replacements.
• Analyze the collected data to determine what systems will need to be removed, upgraded, or replaced.
• Implement the decided-upon actions.

There will be many systems, both software and hardware, that will need to be upgraded and replaced. When quantum-susceptible systems and data are identified, they will need to be mitigated in some way. Here are the eight PQ mitigations that can be used to remediate involved systems:

• Delete Unneeded Data
• Physically Isolate Critical Data From Eavesdropping If Worried about Adversaries Stealing Today
• Strength Symmetric Key Sizes (256-bits+, if necessary)
• Implement Post-Quantum Cryptography
• Consider Implementing Quantum Key Distribution
• Implement Hybrid Defenses (traditional/quantum/etc.)
• Implement Quantum Cryptography (when available, likely 10+ years from now)
• Use Quantum Random Number Generators (as they become widely available and cost-effective) Over Non-Quantum Random Number Generators

If you haven’t started your post-quantum project yet, you need to begin right away! 2029 or 2030 is going to come faster than you think.

The sooner you start the cheaper and better your project will be. If you wait until the last minute, it will interrupt your organization’s daily processing more, cause more operational interruption, and likely decrease revenue flows into your organization as it has to deal with a growing emergency.

The world’s biggest vendors are preparing for Q-Day? Are you?

We've featured the best endpoint protection software.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

CISO Advisor at KnowBe4.