« Post-quantum cryptography will not solely be a question of technological anticipation. Sooner or later, it will become a matter of sovereignty, trust, and competitiveness. » Mathieu Isaia, TheGreenBow CEO

The quantum revolution is already presenting some crucial questions for organizations, such as: how can they protect data that could be decrypted ten years from now, do they need to invest now in post-quantum cryptography that is still a work-in-progress, and who takes responsibility for making such fundamental decisions? As the number of national and European initiatives rises, post-quantum cryptography is becoming a matter of sovereignty, financial stability, and resilience. The time has come to anticipate, experiment, and join forces.

A current threat

Although it is receiving increasing media attention, the quantum threat is still difficult for CISOs to address. Five to ten years from now, computing progress could undermine the solidity of the algorithms on which much of the security of financial transactions is founded. At the same time, the regulatory environment, through legislation such as DORA, requires massive investment in cybersecurity and in strengthening operational resilience, which further complicates decision-making for CISOs. Awareness depends heavily on companies’ ecosystems and on how well-informed senior management is. Although 73% of businesses recognize that quantum computing poses a threat to conventional encryption methods, 61% have yet to determine their post-quantum strategy. Yet the threat already exists. By 2026, the number of quantum bits (qubits) is likely to be ten times higher than the 400 or so qubits achieved by the end of 2022, which will considerably increase quantum computers’ processing capacity and enable them to solve increasingly complex problems.

Raising C-suite awareness

While it may still be difficult to assess the scale of the threat, everyone is now aware that it exists. The fact remains that senior executives are finding it difficult to make significant investments to keep information systems secure, given that no technology is yet able to break encryption algorithms. This is why strict requirements must once again become the focus of concerns in addressing the quantum threat. To raise the C-suite’s awareness of the quantum threat, it has to take a tangible form. Some data being stored now will still be sensitive even in decades to come, and could be decrypted later using a quantum computer. Attacks known as Harvest Now Decrypt Later are no longer the stuff of science fiction, and should alert companies holding strategic and highly confidential data.

In response, Orange Business and Toshiba Europe recently announced the launch of the very first commercial quantum-safe network service in the Paris region. Baptized Orange Quantum Defender, the service is based on the Quantum Safe Networking technology developed by Toshiba, which combines quantum key distribution (QKD) and post-quantum cryptography (PQC) to offer enhanced protection for sensitive communications. Designed to address the cybersecurity challenges that result from the emergence of quantum technologies, this secure quantum network is intended to protect organizations from future threats.

This is all the more relevant because, at the national level, investment in PQC is booming. The French Minister of the Armed Forces unveiled an ambitious plan to accelerate and support the quantum revolution, explaining that “this is precisely the state’s role—particularly, and historically, in defense, including private industry groups: to provide leverage, to build trust, and to drive momentum.” And driving momentum for an entire ecosystem is very much the challenge the sector’s manufacturers will have to meet. The Ministry of the Armed Forces has committed a total of €250 million through to 2030 to fund quantum technologies.

Some organizations have already grasped the scale of the challenge and so are now able to provide valuable feedback to other entities in their sector. A number of years ago, the national bank, Banque de France, realized that besides the technological challenges, there are also financial impacts. “In the area of payments—which today relies on symmetric and asymmetric cryptography mechanisms, including to secure card transactions—the challenges posed by post-quantum technology are particularly significant. Collectively, there is an opportunity to treat this as more than a purely technological issue. For our part, we are approaching it from the perspective of impact: how these technological advances directly affect our mission, starting with large-scale financial stability. A second aspect, more recent but increasingly a core concern, is the geopolitical dimension: in the current context, these questions are also becoming matters of sovereignty,” explains Valérie Fasquelle, Head of IT at Banque de France.


Start preparing now

A number of measures can be taken now to prepare for the transition that is underway. PQC migration will be a lengthy process, built on tests and experiments, and this is exactly the approach adopted by the Banque de France. “We have conducted a series of experiments internally, with other central banks in Europe, and also with Singapore. These experiments have given us a better understanding of the technology and an appreciation of the responses available as regards post-quantum cryptography. Like all stakeholders, we must adapt our information system and deliver a maximum level of security and resilience, given the overarching nature of the role we perform. We are also acting as educators, and issuing recommendations, including to the payment provider sector which is particularly exposed to this threat. We have recommended starting with mapping your information system to understand its exposure to risk and assess its vulnerabilities, and then considering which technological responses are to be implemented to strengthen your defenses,” Fasquelle explains. Working alongside other stakeholders, including academics, and drawing on their combined experience is also useful. “We have also joined forces with a spin-off from the Sorbonne university to work on this subject. It is by pooling our expertise, blending academic, corporate and operational approaches, that we will make real progress,” the Banque de France’s Head of IT continues.

Although PQC products and services are gradually emerging from French manufacturers, a lasting market will emerge only through joint efforts. “Hence the benefit of sharing, cooperating and experimenting together, to find solutions in an environment that still lacks certainty. That being said, we remain constrained. But ultimately, we have no choice and this investment is necessary, for without it, our value proposition no longer holds true. The timescale is also vital, with talk of a 2035 deadline, and guidelines are already in place on the American side. Algorithms that are not resistant to quantum attacks are still permitted, but this situation will not last,” points out Mathieu Isaia, CEO of TheGreenBow, which is a member of France’s quantum resilience project, RESQUE. The aim of this project is to develop a post-quantum encryption solution within two years to protect the communications, infrastructure, and networks used by local authorities and businesses from the threats that future quantum computers could pose. The recipient of €6 million in funding from Bpifrance, the project has governmental support as part of the France 2030 plan, and EU support through the France Relance – Next Generation EU plan. Supported by a consortium comprising the private firms Thales, TheGreenBow, CryptoExperts, and CryptoNext Security, plus the French National Cybersecurity Agency (ANSSI) and the French National Institute for Research in Digital Science and Technology (Inria), RESQUE is concentrating on two strategic use cases: the development of a hybrid post-quantum VPN, guaranteeing secure, resilient, and straightforward access to information systems, and the design of a high-performance post-quantum hardware security module (HSM), delivering complete security and able to be incorporated into other hardware.

The first certifications of PQC-enabled solutions will inevitably accelerate adoption. Some companies have already implemented initial versions of post-quantum algorithms in their information systems. The final factor that will push adoption of PQC technologies is French and European regulations. As with the GDPR and NIS 2, which both created a common framework by harmonizing practices for all stakeholders, regulation is set to play an important role in the migration of companies and organizations to PQC technologies. While some sectors, such as banking, are already ahead of the pack in considering the challenges that quantum threats pose, this is not always the case for their service providers or subcontractors, who often remain more vulnerable, and attacks are increasingly directed at supply chains. European regulations could play a key role in this respect by requiring a level of alignment from all parties, thereby strengthening overall security and establishing a genuine framework of trust. “Post-quantum cryptography will not solely be a question of technological anticipation. Sooner or later, it will become a matter of sovereignty, trust, and competitiveness, so the shift to PQC might as well happen now, before it’s too late,” concludes Mathieu Isaia.
