Quantum Leap, Traditional Shields: How the SOCI Act can build resilience for Australian critical infrastructure


As the world races toward usable quantum technology, its transformative potential has emerged as a game-changer comparable in significance to the invention of the atomic bomb or the rise of artificial intelligence.

While quantum technology advancements promise significant benefits, they also introduce unprecedented risks – particularly for Australian national interests, defence, AUKUS partnerships, and critical infrastructure security.  For critical infrastructure entities, quantum technology presents both an opportunity and a threat, with its potential to redefine how information security and operational resilience are approached in a rapidly evolving global landscape.

The recent Foreign Affairs article, ‘The Race to Lead the Quantum Future’, highlights the intensifying competition among nations to dominate this revolutionary technology.

With nations racing to dominate this revolutionary technology, should Australian critical infrastructure companies act now to mitigate quantum-era risks, or is the future still too uncertain to determine the right course of action and investment?

The global quantum race

Quantum technology is reshaping the global power dynamic.  The United States, China, and Europe are investing billions of dollars into quantum research, totalling more than $40 billion worldwide, aiming to unlock quantum’s potential in computing, communication, and sensing.

Quantum technologies could transform sectors such as energy and pharmaceuticals through solving complex computational problems and enabling discovery of novel approaches.  However, quantum also threatens to upend cybersecurity, potentially breaking classical encryption systems and exposing critical infrastructure to unprecedented vulnerabilities.

As highlighted in the Foreign Affairs article, the nation that achieves quantum supremacy could gain a strategic edge over its rivals and competitors, with the potential to undermine global financial systems, military communications, and critical infrastructure.  This geopolitical driver has placed quantum technology at the forefront of national security strategies.

Quantum threats to critical infrastructure – data protection

Critical infrastructure, including energy grids, telecommunications, and water systems, relies heavily on robust encryption to secure sensitive data and operations.  Quantum computing threatens to render these safeguards obsolete, exposing these systems to cyberattacks.  While quantum-resistant cryptography is under development, it has not yet been widely adopted, creating an interim window of vulnerability.

One of the most significant quantum-related risks is the “harvest-now, decrypt-later” strategy, where adversaries steal encrypted data today with the intention of decrypting it once quantum computers reach maturity.  For critical infrastructure entities, this poses a serious threat, creating long-term exposure of sensitive operational data, intellectual property, supply chain communications, and other critical information assets.

The potential consequences of this approach are far-reaching.  Even though large-scale quantum computers capable of breaking current encryption standards are still in development, data stolen today could be decrypted years later, compromising systems and revealing sensitive information.  This delayed threat underscores the critical importance of data protection measures, including the transition to quantum-resistant cryptography, to safeguard information over its entire lifecycle.

Organisations must also scrutinise outsourced systems and third-party providers, ensuring that data protection measures align with quantum-resistant standards across the entire supply chain.

Protecting data now is not just about maintaining current security; it is about future-proofing sensitive information against the disruptive capabilities of quantum technology.  Proactively adopting quantum-safe encryption protocols and implementing robust data protection strategies will ensure that adversaries cannot exploit today’s vulnerabilities with tomorrow’s quantum tools.

For Australian critical infrastructure entities, prioritising data resilience today will protect the nation’s most vital systems and assets for years to come.

Lessons from the Colonial Pipeline attack

The Colonial Pipeline ransomware attack offers a cautionary tale.  In May 2021, Colonial Pipeline, one of the largest fuel pipeline operators in the United States, was forced to shut down its operations due to a ransomware attack by a cybercriminal group.

Colonial Pipeline supplies approximately 45% of the U.S. East Coast’s fuel, including gasoline, diesel, jet fuel, and home heating oil.  The attack, which lasted for six days, caused severe fuel shortages, price spikes, and widespread panic buying across several states.  This incident not only disrupted the fuel supply but also exposed significant cybersecurity vulnerabilities in the broader supply chain.

When automated systems were disrupted, operators relied on manual operations – a challenging but critical response that ultimately averted a greater catastrophe.  Remarkably, this transition required calling back retired employees who possessed the hands-on experience necessary to manage manual processes that had largely been phased out.

Their expertise proved invaluable in ensuring that the pipeline could continue functioning, even under severe constraints.  While the shift to manual operations caused delays and cascading effects on the fuel supply chain, it underscored the importance of retaining institutional knowledge and planning for contingencies where human skill and adaptability play a critical role.

This incident serves as a reminder of the importance of planning for worst-case scenarios, particularly as quantum-era threats loom on the horizon that may render ICT-based systems useless.  By addressing potential vulnerabilities now, preserving human expertise, and ensuring readiness for manual operations when needed, organisations can build stronger defences and maintain operational continuity in the face of unprecedented challenges.

These lessons, inspired by the Colonial Pipeline attack, underscore vulnerabilities that quantum-era threats could exploit.  Addressing these gaps now will strengthen resilience against future disruptions.

Building quantum resilience through the SOCI Act

Australia’s Security of Critical Infrastructure (SOCI) Act 2018 provides a framework for managing risks relating to critical infrastructure.

Could the SOCI Act help address quantum risks, even if those risks seem distant and vague?  If so, how should companies adapt their frameworks to ensure resilience against such emerging threats?

Although quantum technology is still immature, establishing robust enterprise-level security and risk management systems – and integrating them into broader business management systems – is essential.

The Pentagram team believes that the SOCI Act provides a solid foundation for organisations to incorporate quantum resilience into their risk management frameworks, extending beyond a purely cybersecurity perspective.

Key steps include:

  • Managing risks at the enterprise level: Adopting a holistic approach that incorporates quantum risks into broader enterprise risk management frameworks, ensuring alignment with strategic objectives.
  • Threat and security risk assessments: Identifying emerging threats, including quantum-enabled risks, and assessing their potential impact on critical infrastructure and, hence, informing possible mitigations.
  • Role of the Boards and Leadership: Ensuring Board-level accountability and leadership engagement to drive quantum-resilient practices and integrate them into decision-making processes.
  • Critical Infrastructure Risk Management Program (CIRMP): Developing and maintaining a comprehensive CIRMP in compliance with the SOCI Act, tailored to address the evolving quantum threat landscape.
  • Protecting data and systems: Implementing robust measures to safeguard business-critical data, as well as the systems used to store and process it, whether managed in-house or outsourced.
  • Personnel security: Strengthening pre-employment screening and continuous suitability assessment processes to mitigate insider risks, particularly those linked to sensitive roles and critical positions.
  • Supply chain security: Mapping dependencies, assessing third-party vulnerabilities, and transitioning to quantum-resistant cryptography to secure supply chain communications.
  • Fostering a security culture: Building a security-conscious culture across the organisation, with a focus on awareness, training, and the implications of quantum advancements.
  • Enhancing resilience: Prioritising resilience through robust incident response plans, operational continuity strategies, and scalable frameworks that adapt to new threats.
  • Testing and contingency planning: Conducting regular testing of manual operations, contingency plans, and quantum-specific risk scenarios to ensure preparedness for worst-case events.
  • Continuous monitoring: Implementing real-time monitoring systems to detect and respond to threats promptly, ensuring ongoing alignment with evolving risk environments.
  • Adopting the Plan-Do-Check-Act (PDCA) model: Applying this iterative approach to continually improve risk management processes, including quantum-related measures, by planning actions, implementing them, evaluating results, and refining strategies.

By addressing these areas, organisations can build a forward-looking approach to quantum resilience, positioning themselves to navigate the complexities of an evolving threat landscape while meeting the requirements of the SOCI Act.

Conclusion

The quantum revolution presents both opportunities and challenges.  By adopting proactive measures – such as having a process of scanning for relevant threats, investing in robust critical infrastructure risk management programs, securing supply chains, enhancing contingency plans, and mitigating insider threats – organisations can not only safeguard their assets but also ensure operational resilience in a rapidly evolving technological landscape.

While quantum technology is still developing, its implications are already shaping the future of national security and economic stability.  The decisions made today will not only protect Australia’s critical infrastructure but also position the nation as a leader in addressing quantum-era challenges.

Australia’s ability to lead in quantum resilience will not only protect our national interest and critical infrastructure but also position Australia as a global leader in navigating the quantum era.  The time to act is now.
