The Coming of Quantum
As the development of quantum computing progresses rapidly, cyber experts warn the risks will come before the benefits.
It was a White House bill-signing that went largely unnoticed.
On Dec. 21, 2022, President Biden signed into law the Quantum Computing Cybersecurity Preparedness Act. The act will “encourage the migration of the federal government information technology systems to quantum-resistant cryptography,” among other things. In the bill, Congress recognizes the potential benefits of quantum computers, their rapid progress and, thus, the potential for adversaries to use them against the United States. Today’s encryption protocols rely on classical computers for their cyber security, a situation that Congress considers a potential threat to the country’s national security and economic function.
Encryption protocols rely on classical computers for their cyber security, a situation that Congress considers a potential threat.
Some countries have moved to force preemptive actions based on differing threat assessments.
Encrypted data are already being collected and stored for the day when quantum operations can decode and exploit.
A March 2021 International Monetary Fund working paper, “Quantum Computing and the Financial System: Spooky Action at a Distance,” noted that quantum computing “would also crack many of the current encryption algorithms and threaten financial stability by compromising the security of mobile banking, e-commerce, fintech, digital currencies, and Internet information exchange.”
According to Tony Uttley, president and COO of quantum computing company Quantinuum, the United States isn’t alone in acting on the threats posed by quantum technologies. The European Union, the United Kingdom, Japan and other countries have taken recent action to promote awareness and force preemptive actions based on differing assessments of the future threats. For example, the European Union’s Cybersecurity Act contains a directive on security of network and information systems (the NIS Directive) that provides legal measures to boost the overall level of cyber security in the European Union by requiring member states to be appropriately equipped. (Read the text of this act at https://tinyurl.com/EU-cyber-directive.)
More than just posing a threat, quantum computing has many potential benefits for the insurance industry. But one big question looms: how can the industry protect against the threat and thus reap the benefits that might come later?
The potential for QCs to render much of our current encryption infrastructure obsolete is a specific challenge, as it combines an unknown future date with a potential ‘cliff edge’ impact.
Christopher Lay, president, The Insurance Institute of London
What is Quantum Computing?
Quantum computing (QC) is the use of hardware and software to perform calculations using qubits (quantum bits) and leveraging quantum mechanics.
As explained by the IMF, “While each bit, its counterpart in digital computers, represents a value of either zero or one, qubits represent both zero and one (or some combination of both) at the same time, a phenomenon called superposition. Quantum entanglement is a special connection between pairs or groups of quantum elements, whereas changing the state of one element affects other entangled elements instantly, regardless of the distance between them…. By entangling qubits, the number of represented states rises exponentially, making it possible to explore a huge number of possibilities instantly and conduct parallel calculations on a scale that is beyond the reach of traditional computers. Thanks to superposition and entanglement, adding just a few extra fully functioning qubits can lead to exponential leaps in processing power.”
While “the race to build quantum computers is intensifying,” according to the IMF, the technology is still in the prototype phase. The authors note that many technology companies are working on quantum computers—Google and IBM among them, with Microsoft and Amazon Web Services both having introduced beta versions of quantum computing cloud services. One of the main challenges, however, is building quantum machines with lower error rates in their computing.
“Any external disturbances or noise, such as heat, light or vibrations, inevitably yanks qubits out of their quantum state and turns them into regular bits. Classical computers are also prone to random computational errors, albeit in much lower rates,” the IMF says.
While it will be at least a few years before the technology matures to the point of offering advantages at many tasks, the potential benefit of quantum computing extends across many industries.
According to the IMF, “[Quantum technologies] can transform areas such as energy storage, chemical engineering, material science, drug discovery and vaccines, simulation, optimization, and machine learning…. Beyond computing, quantum technologies give rise to novel ways of data transmission, storing and manipulating…. Another promising venue is quantum sensing devices. Advances have been reported in quantum radar, imaging, metrology, and navigation, which would enable greater precision and sensitivity.”
For the financial services industry, the IMF says, quantum computing can be transformative. Simulating financial scenarios and modeling and pricing risk all have the potential to use quantum computing.
The Quantum Cyber Risk
Besides generating many opportunities, quantum computers create a unique set of risks likely to threaten all kinds of data security. As demonstrated by the Quantum Computing Cybersecurity Preparedness Act, one major concern is the fear of bad actors using quantum computing to break public-key cryptography, which currently protects our online communication. At the risk of oversimplifying it, public-key cryptography (called asymmetric cryptography) requires an attacker to find only a receiver’s private key. According to the IMF authors, “Theoretically, a fully functioning quantum computer can break an asymmetric key in a few hours.”
Many experts assume attackers are already taking advantage of this fact, harvesting sensitive data today which can later be decrypted, as soon as powerful and technologically stable quantum computers become available.
“Quantum computing creates several potentially systemic scenarios which need to be contemplated from the point of insurability,” says Rory Egan, the head of cyber analytics for Aon’s Reinsurance Solutions. “The increased ability to break encryption algorithms faster due to quantum computing could lead to mass incidence of network intrusions and ransomware events, doxing and data breaches.
“Stronger DDoS [distributed denial of service] incidents could be generated by quantum computing and, if aimed at a major cloud service provider in conjunction with other attack vectors, could cause loss of revenue and additional expenses across the economy due to unavailability of cloud infrastructure.
“A zero-day malware incident with self-replicating property and destructive/encryption payload could be targeted and delivered in a more optimized way using quantum computing in order to maximize the number of infections and success rate of the payload delivered.
“These are not necessarily new scenarios for the insurance industry to contemplate but, rather, ones that can be ‘turbo-charged’ due to use of quantum computing.”
The Industry Takes Note
Tom Mason, a senior research analyst for S&P Global Market Intelligence, thinks the good news is that “QC risks have not gone unnoticed by the insurance industry.” Mason cites a June 2022 Swiss Re Institute report that lists the potential impact of quantum computing as “high” over the next three years or more.
“A coordinated QC attack on security protocols would be a catastrophic event for the insurance industry, without question,” Mason says. “There would probably be much debate over whether it was a terrorist act, the degree to which damages are covered by a property policy versus a cyber policy, and whether insurers are on the hook for business interruption claims.”
Regarding if the P&C insurance market should be worried about the risks posed by quantum computing, Egan says, “The status quo will not suffice. Rather, the market must rise to the challenge by (1) improving underwriting processes to take account of the increased risk faced by insureds, (2) working with the cyber-security industry to bring forward the necessary improvements in security and resilience, and (3) understanding the systemic risk potential to broader society and determining how best this should be managed.
“All of these areas are not unique challenges posed by quantum computing but apply for any technological advancement that changes the nature of cyber threats. As a market, we need to constantly evolve to new threats in order to continue to provide a valued product and play a part in improving overall societal resilience via insurance and the risk mitigation actions it encourages,” Egan says.
According to Christopher Lay, president of The Insurance Institute of London, “The potential for QCs to render much of our current encryption infrastructure obsolete is a specific challenge, as it combines an unknown future date with a potential ‘cliff edge’ impact. Comparisons to the Y2K ‘Millennium Bug’ fall short, as the lack of a known Day 0 means it is harder to build a sense of urgency. Equally challenging is the fact, as every security expert knows, that you only need a single weakness in an end-to-end system. Thus, companies cannot resolve this alone but must seek an ecosystem approach.”
Often, what surprises our customers the most is that there are solutions that can be deployed right now that actually take advantage of QC to help harden their existing processes and practices.
Tony Uttley, president and COO, Quantinuum
Risk Management
Experts are encouraging those at greatest risk to start building their defenses now, as the process of transitioning to the necessary, quantum-safe encryption standards “often takes years or decades to accomplish,” according to the IMF.
“Financial institutions should take steps now to prepare for a cryptographic transition,” the IMF says. “They should assess future and retroactive risks from quantum computers, including from information that has already been captured or that may be captured now, stored and exploited years later. Financial institutions should develop plans to migrate current cryptography to quantum-resistant algorithms. As a first step, they should take an inventory of public-key cryptography used within the institution, as well as by partners and third-party suppliers. These will eventually need to be transitioned to postquantum cryptography once standards are available. And finally, they should build cryptographic agility to improve the overall cybersecurity resilience going forward.”
Uttley says he has seen “a number of sectors” take precautions to improve their cyber-security systems in the face of rapidly advancing threats. “Financial services, pharmaceuticals, critical infrastructure inclusive of electrical distribution, energy generation and refining, as well as governments appear to be the most forward-leaning,” he says. “In many cases, the concerns regarding current threats are compounded by the forward-looking concern stemming from future QCs.”
Quantinuum’s customers, Uttley says, are asking for solutions that can be implemented today, as part of a broader, multifaceted, cyber-security resiliency solution. They want to do this, he says, “while maintaining their existing cyber-security infrastructure. Often, what surprises our customers the most is that there are solutions that can be deployed right now that actually take advantage of QC to help harden their existing processes and practices. We are also starting to see the insurance industry take notice of some of these state-of-the-art solutions, particularly when there is evidence that the new approaches are provably superior.”
In one example, Quantinuum has released a product called Quantum Origin, which allows customers to use quantum-computing-hardened encryption keys and certificates in their existing products and services. Quantum Origin uses Quantinuum’s own H-Series quantum computers, powered by Honeywell, to make the product, which can then be deployed into production environments and used for the connected devices that are integral to the industrial internet of things.
The sophistication and experience of cyber underwriting has grown exponentially over the past decade, both in terms of understanding risks and engaging clients in risk mitigation activities. Similarly, the approach by insurers and regulators to understanding and preparing for systemic risk is constantly improving. Underwriters, brokers and cyber experts are increasingly considering the risk from QC-enabled decryption and are beginning to engage clients on the topic. Market engagement has been ongoing since 2021, with events such as webinars and a presentation by the Lloyd’s Market Association and Quantum London to the chief information security officer community. “Without doubt,” Lay says, “being unprepared for the arrival of cryptographically relevant quantum computers would lead to systemic challenges.”
Cyber risk is always a race between controlling threats and responding to a hit. “The insurance industry can help incentivize and support the improvement of defense,” Egan says, “to improve countering the rising threat while providing financial resilience for society for any cyber event.”
