What does cybersecurity look like in the quantum age?

Quantum computers promise unprecedented computing speed and power that will advance both business and science. These same qualities also make them a prime target for malicious hackers, according to Swaroop Ghosh, professor of computer science and of electrical engineering at the Penn State School of Electrical Engineering and Computer Science.

Ghosh, alongside Suryansh Upadhyay, who recently received his doctorate in electrical engineering from Penn State, authored a paper identifying several major security vulnerabilities facing quantum computing systems. The paper, published in the Proceedings of the IEEE, highlights the need to develop defense mechanisms covering not just the software and programs running on these systems, but the physical components that power them.

In this Q&A, Ghosh and Upadhyay discussed quantum computing, the security vulnerabilities facing these state-of-the-art machines and how developers can better prepare them for the future.

What makes a quantum computer different from a traditional computer?

Ghosh: Traditional computing works using units of information called bits, which you can picture as a light switch in the "on" or "off" position. These positions are assigned values of one or zero, with one representing on and zero representing off. We program computers by using algorithms or educated guesses to develop the best possible solution for a problem, compiling this solution to generate machine-level instructions—directions specifying which bits need to equal one and which bits need equal zero—that the computer follows to execute a task.

Quantum computers are built on quantum bits, or qubits. These qubits are much more versatile than standard bits, capable of effectively representing one, zero or both at the same time, otherwise known as a superposition. These qubits can also be linked to one another, known as entanglement. By incorporating superpositions and entanglement into decision making, quantum computers can process exponentially more data than bit-powered computing systems, while using an equivalent number of qubits.

This is useful for improving workflows in many industries, since quantum computers can process information much faster than traditional computers. One example is the pharmaceutical industry, where quantum computing can quickly process data and predict the efficacy of potential new drugs, significantly streamlining the research and development process. This can save companies billions of dollars and decades spent researching, testing and fabricating innovative drugs.

What are some of the main security vulnerabilities facing quantum computers right now?

Upadhyay: Currently, there is no efficient way to verify the integrity of programs and compilers—many of which are developed by third parties—used by quantum computers at scale, which can leave users' sensitive corporate and personal information open to theft, tampering and reverse engineering.

Many quantum computing algorithms have businesses' intellectual property integrated directly in their circuits, which are used to process highly specific problems involving client data and other sensitive information. If these circuits are exposed, attackers can extract company-created algorithms, financial positions or critical infrastructure details. Additionally, the interconnectedness that allows qubits to operate so efficiently inadvertently creates a security vulnerability—unwanted entanglement, known as crosstalk, can leak information or disrupt computing functions when multiple people use the same quantum processor.

What are current commercial quantum providers doing to address the security concerns? Can they use the same security methods implemented in traditional computers?

Upadhyay: Classical security methods cannot be used because quantum systems behave fundamentally differently from traditional computers, so we believe companies are largely unprepared to address these security faults. Currently, commercial quantum providers are focused on ensuring their systems work reliably and effectively.

While optimization can indirectly address some security vulnerabilities, the assets unique to quantum computing, such as circuit topology, encoded data or hardware-coded intellectual property systems generally lack end-to-end protection. Since quantum computers are still a relatively new technology, there is not much incentive for attackers to target them, but as the computers are integrated into industry and our day-to-day life, they will become a prime target.

How can developers improve security in quantum computers?

Ghosh: Quantum computers need to be safeguarded from the ground up. At the device level, developers should focus on mitigating crosstalk and other sources of noise—external interference—that may leak information or impede effective information transfer. At the circuit level, techniques like scrambling and information encoding must be used to protect the data built into the system. At the system level, hardware needs to be compartmentalized by dividing business data into different groups, granting users specific access based on their roles and adding a layer of protection to the information.

New software techniques and extensions need to be developed to detect and fortify quantum programs against security threats.

Our hope is that this paper will introduce researchers with expertise in mathematics, computer science, engineering and physics to the topic of quantum security so they can effectively contribute to this growing field.