How Y2Q and the Quantum Threat Differs from Y2K
Published 12/21/2022
Originally published by Entrust.
Written by Samantha Mabey, Entrust.
There’s a new term making the rounds: Y2Q. As you might have already guessed, it’s a way of comparing the quantum threat to Y2K. Remember that? Everyone feared computer systems and infrastructures and industries globally would shut down as the calendar year flipped from 1999 to 2000. Well, you might also remember that when the day finally came, nothing of significance happened. (Phew!)
There are some similarities between these two events, but there are also some key differences that are worth highlighting.
Timing
With Y2K, there was a fixed, known, completely immovable date. There was a timer. We had a countdown. The date came and went, and the world kept running.
There is no such date that marks the arrival of a quantum computer capable of breaking traditional cryptography such as RSA. The best guess from experts and academics is that this will occur within the decade, but that’s still incredibly broad and vague. No one knows when that date will come. But it will, and by the time the news is out that RSA 2048 is broken, it will be too late. If threat actors are harvesting data today to decrypt later, organizations should be working today to adopt quantum-safe protocols to ensure they can’t.
What variables are driving the threat
With Y2K, once again this was simple – it was the turn of the millennium. It was dates within computer systems rolling from “99” to “00” and a possible bug where computers couldn’t distinguish the dates correctly.
For the quantum threat, it’s the advancement of quantum computers/technology. It’s progressed significantly over the years and will continue to progress. Not only that, but it’s being backed and funded by deep pockets – from wealthy nations to the biggest technology companies in the world.
What can be done
There were remediation efforts as the Y2K deadline approached. Ultimately that’s why very few issues occurred. Programmers and IT experts knew what had to be done and were able to make the appropriate changes.
There are certainly things that can be done – must be done – to prepare for post-quantum. The main difference is the time and effort required to do it. First, organizations need to catalog and inventory their data and data flows – then they’ll know what needs to be secured. Next, they need to have a full inventory and visibility of all the cryptographic assets in their environment. Then ensure they have implemented crypto agility. From there, organizations can start testing algorithms and transitioning to hybrid cryptography, mixing traditional with post-quantum cryptography to provide protection as they explore PQC.
This won’t be simple, and at a time when organizations are struggling with a skills and resources challenge, it’s important to ensure they’ve got people in place to look at this and oversee the change. It’s critical to have alignment of a number of areas relating to people, process, and technology. Conversations also need to happen with security vendors to ensure they have a PQ roadmap and are able to support the move to PQC.
Once that day arrives, once a quantum computer is able to break RSA and ECC, the transition will be abrupt. We’ll see something we’ve never had to deal with.
Much like in the time between when the potential Y2K bug was identified and the impending date itself, not making the transition to quantum safe computing is not an option. You don’t want to be left behind when the first report comes out that RSA 2048 has broken. Knowing the transition will take several years, if you haven’t yet started your PQ preparedness journey, the time is now.