Government agencies have been instructed to begin preparing for the arrival of quantum computers capable of breaking current encryption systems used to protect sensitive public information and other data.
The move comes amid a global race driven by concerns over what a New Zealand expert describes as “scary” “harvest now, decrypt later” efforts—often abbreviated as HNDL—where encrypted data is collected today with the expectation it could be decrypted in the future once sufficiently powerful quantum computers exist.
“So anything you send now, maybe in five years’ time, might not be secure anymore,” Professor David Hutchinson of Otago University said.
The United States has had legislation in place since 2022 addressing this risk, and the US Federal Reserve recently released a paper warning about a “bad actor” gathering encrypted data now and later revealing “previously obfuscated and confidential data using a sufficiently powerful quantum computer.”
An OECD report published last year also identified HNDL-style attacks as a key reason to begin transitioning protections immediately.
Hutchinson said nearly all current encryption systems would be vulnerable to quantum computing. “So your internet security protocols, your banking, things that keep information safe within government, everything was based largely on a security protocol… based on factorisation of prime numbers, and that’s used ubiquitously through whenever we share information, be that through the internet or when you put your PIN number in at the bank machine.”
He added that banks were already starting to move in response to the threat. At the same time, the Treasury has instructed public agencies to demonstrate progress in preparing for quantum risks.
“Agencies will need to invest in PQC [post-quantum cryptography] solutions before the first fully error-corrected quantum computer is expected to come online in 2030,” it said in a report last year that briefly mentioned cyber protection investment.
However, the same report indicated agencies were not yet adequately investing in this area.
“Investment proposals demonstrate that agencies are not dedicating enough time and resourcing to address cyber security challenges, adapt to emerging technologies and prepare for future threats,” said the report from the Government Chief Information Security Officer (GCISO) to Treasury.
The National Cyber Security Centre (NCSC) said government agencies were already aware of the issue and that it, along with the GCISO, was working across the public sector to help guide investment decisions and support planning.
The NCSC is expanding its list of approved algorithms to include post-quantum options developed by international standards bodies. In the United States, the main standards organisation, NIST, has so far finalised three post-quantum algorithms that are ready for use.
“Aligning New Zealand with international standards ensures that agencies can give suppliers clear technical specifications,” the NCSC said.
Hutchinson said that, when a forum on the issue was held in parliament before the pandemic, awareness was “very poor” among both the banking sector and several military agencies.
“I would say that there’s been a sea change in that.”
“The question is just whether we will roll things out fast enough to beat when someone has a full sort of quantum computer available.”
The OECD paper advised that preparations should begin now, noting that cryptography is fundamental and that the transition could take up to 20 years because of the huge number of systems, organisations, and devices involved.
Hutchinson also warned that some devices, such as security cameras, may never be fully upgraded to be quantum-resistant.
“One scary element is that there are agencies that we’re aware of that are sweeping up internet traffic,” he said.
“So this is encrypted data that they can’t decrypt now, but they’re just going to store it, and they can decrypt it later.”