‘Q Day:’ What Midmarket IT Leaders Need To Do To Prepare Now
Cybersecurity experts are raising concerns about hackers gaining access to quantum computers, even with post-quantum cryptography available.
“Q Day” is coming, and IT leaders should take note.
At least that is according to several cybersecurity experts who recently spoke with MES Computing.
Q Day is the term security insiders use for the time when hackers will use quantum computers to break encryption.
Lest anyone think this is a potential one-day tech doomsday scenario, as was feared of Y2K in 1999, it is not, said cybersecurity veteran John Young.
“Y2K compared to Q Day was a small, definable problem. Q Day, on the other hand, is 25 years later and at that time there was no integration of people’s digital life with their normal life in the way that we didn’t do online banking. There was no Facebook. Our digital integration has exponentially increased,” said Young, who has been in the IT and cybersecurity business for over 40 years in roles at McDonnell Douglas and IBM.
When Is Q Day Happening?
While there is no specific time frame for Q Day, some industry analysts say it is likely to occur by the end of the decade, said Lance Smith, co-founder and CEO of Cy4Data Labs, in an emailed statement to MES Computing.
The speed at which quantum computers can perform the complex mathematics needed to break encryption has also become a concern for the government.
Last year, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its finalized post-quantum encryption standards. Post-quantum cryptography (PQC) encryption is designed to resist quantum computing cyberattacks.
There are those in the security space who think that eventually most businesses and organizations will pivot to PQC encryption. But IT leaders need to be proactive.
PQC Is Not A Security Guarantee
“To some degree, we believe the migration to PQC architectures will come naturally. NIST-approved PQC algorithms are now available, and as applications are updated with appropriate encryption algorithms, IT professionals must deploy these critical upgrades, and software vendors must ensure their clients are aware of the threat and prepared accordingly,” Smith said.
If the industry continues to shift to PQC encryption, some may ask why security professionals are still raising alarms about Q Day.
For one thing, while quantum computers are currently beyond the budget of the average organization, bad actors will be able to “rent” quantum computing capabilities, Smith said.
He also broke down other security concerns.
“It’s also important to note that there is no standard for programming a quantum computer. All quantum computers have their own program language—all different. The U.S. government, academia and the wider technology industry all need to better understand the implications of quantum computing in order to stay ahead of other nation states,” he said.
“Also, PQC solutions are still evolving. Fear of the unknown is a big factor here. We just don’t know what a clever person or people are going to do with a quantum computer,” he added.
Advice From Security Professionals
IT executives should definitely keep Q Day in mind; however, the use of quantum computers to break encryption isn’t likely to have an immediate impact on most organizations.
“While Q-Day will be a major issue for highly sensitive data, most companies will likely not be immediately affected. There are also quantum-resistant encryption algorithms that will be useful even after Q-Day,” said Danny Jenkins, co-founder and CEO of ThreatLocker, in an emailed statement.
Jenkins said most organizations are still struggling with other cybersecurity concerns such as “enforcing multifactor authentication, restricting administrative privileges, controlling applications in their environment ... and even stopping basic phishing attacks.”
But he added: “While preparing for a post-quantum future is important, it’s even more critical to strengthen your security posture today.”
Security experts advised some other actions to take in preparing for Q Day.
“As architectures and software applications are retired or replaced, they should be replaced with the best available PQC-enabled solutions. Officials can further prioritize the most critical applications to the least,” said Smith.
“Quantum-resistant encryption algorithms must be selected, and a road map for implementation must occur very soon, as the consequences are devastating,” Pete Nicoletti, global CISO of the Americas at Check Point Software Technologies, advised in an emailed statement to MES Computing.
“The goal is to not impact users when transitioning to PQC, but every indication is that it is expected to be expensive, chaotic and disruptive. Messaging apps that are used in a singular walled garden like Apple’s PQ3 are relatively easy to deploy and manage. Consider the chaos when your corporate firewall or cloud provider does not support a certain PQE algorithm with a partner or a customer, and you can’t communicate securely. Your vendors of browsers, email, routers, security tools, database encryption and messaging all need to be on notice and on the same protocol page,” Nicoletti added.
And above all, be aware of the potential devastation bad actors can wreak.
“What hackers are doing right now is a methodology called ‘harvest now, decrypt later,’” Young said. “And you can imagine a farmer who’s harvesting their crops, they’re putting it in storage in a silo knowing that they can’t sell it right now, but as prices go up or customers come to them then they’re able to sell it. And that’s basically what these hackers are doing. They’re harvesting now, knowing that they’re not going to be able to read [harvested data] because it’s encrypted. But when they have quantum computer access, they’re going to be able to read it in plain text like it’s nothing. That’s a major, major issue. Every digital secret possibly in the world would be vulnerable at one point or another,” he added.