You don't have to wait for quantum computing to prepare for it

Rapid7 CSO Jaya Baloo on how to tackle this potential looming tech


RSA Conference 2023: AI was all the rage at RSA Conference this year, though there was another tech buzzword that managed to make its presence felt: quantum computing, and the security threat those systems may or may not someday pose.

Jaya Baloo, now CSO at Rapid7 and previously CISO at Avast, gave a talk at RSAC on pragmatic preparation for a possible quantum-powered future, and sat down to talk with us about what organizations can do today.

"This isn't a niche message," Baloo told us, adding it really doesn't matter if we don't know right now what the quantum computers of the future might look like or the algorithms they run. Rather than assuming quantum computers won't ever be a threat, it's safer to assume they might be, and that the data you're collecting, encrypting, and retaining now may already be in a position to be compromised in the future by some powerful machine.

"There are hostile parties and government agencies making copies of internet traffic and communication" in bulk, Baloo told us. Whoever is able to do that has a wealth of unencrypted and encrypted data at their disposal, and it's potentially just a matter of time before that information is completely unlocked by whoever holds it. That could be achieved using quantum computing assuming that the tech works as anticipated.

What can a business do now? Exercise judicious caution, says Baloo. She urges organizations to keep up on the important stuff, such as patches, endpoint security, and other best practices. Even more important, she says, is for organizations to understand every nuance of their own cryptographic and cybersecurity environments.

Know the encryption algorithms you're using, know if they are or could be upgraded to quantum-resistant alternatives, know the data you're retaining, know why you're collecting it, and only then figure out what's at potential risk, and how best to reduce that risk, and then implement that. No panic, no fear, no fuss.

"That's the hardest thing for organizations to truly do, is to know thyself," Baloo said. ®
