Cybersecurity: PE urged to go post-quantum

An organisation’s data is stolen, but it can’t be decrypted, so the secrets are still safe. The thief patiently waits for a sufficiently powerful computer to be invented. That only takes a few years, and the hack is fulfilled. The organisation has been compromised, possibly fatally so.

This scenario is directly applicable to private equity. Historically the industry’s biggest hacking fears have revolved around drawdowns and other money transfers. But that involves short-lived data accessed almost in real-time. Long-life data are often more sensitive: strategic information built up over years, revelatory patterns of corporate behaviour, past embarrassments that were buried internally.

It's difficult to prove, but long-life corporate data are probably being stolen en masse right now. Traditional computers cannot unlock them, but quantum computers will be able to, and they are coming. Should fund managers be worried?

“Awareness among the stakeholders involved is disproportionate to the size of the problem. I don’t believe there are many organisations that have such short-living data that their shelf life does not intersect with those organisations’ own forecasts of when quantum computers will appear,” said Alexey Bocharnikov, EY’s Asia Pacific quantum technology leader.

“Whether you say five years or 50, that intersection defines the area where you must have post-quantum protection today. There is no option to remain idyl.”

The logic here is straightforward: The more vulnerable long-life data you have and the shorter your estimated timeline for the practical application of quantum computers, the bigger your problem. For almost any organisation that thinks in decades, the risk is significant.

Furthermore, it’s possible that short-life data can also be an important vulnerability if intercepted and accumulated in large quantities.

The retrospective decoding of share trading and investment transaction statistics can reveal weaknesses. Strategies and the design of proprietary decision-making algorithms can be exposed by masses of seemingly ephemeral or innocuous data points – even if they’re encrypted.

The most important point about defending against the quantum cybersecurity threat is that quantum computing technology is not required. Sufficiently robust protections – often referred to as “post-quantum” encryptions – can be delivered with traditional computing. Quantum-resilient math needn’t be the product of quantum calculations.

The magic key

Nevertheless, quantum computing is increasingly being integrated into post-quantum cybersecurity. Earlier this year, UK-headquartered Quantinuum launched what it called the first-ever commercially available cryptographic key generation tool using “quantum computing-hardened” cyber protection. The product is designed specifically for device-level security.

Quantinuum, majority owned by Honeywell and backed by IBM Ventures, claims to be the biggest quantum computing company globally. Last May, it signed a deal with HSBC to explore near and mid-term developments around risk management and fraud prevention. Quantum-hardened cryptographic keys are part of the programme.

Financial institutions are also among the first adopters of quantum key distribution (QKD), a method of safeguarding the encryption keys sent between counterparties via an otherwise unsecure channel. JPMorgan Chase, for example, is trialling the technology in partnership with Toshiba.

“You can use classical software with new mathematics to show that something is quantum-secure for now, but you cannot guarantee that these classical algorithms will not be broken in the future,” said Chune Yang Lum, CEO of SpeQtral, a Singapore-based start-up developing QKD technology in partnership with Toshiba.

“In the US, there’s a standardisation process going on to find the next encryption algorithm that is resistant to quantum computing. They shortlisted four, and within one week, one got broken. It’s always a cat-and-mouse problem.”

SpeQtral has raised USD 10.2m across two rounds from the likes of Golden Gate Ventures, Shasta Ventures, and SGInnovate. The company is currently working on integrating QKD into the operations of a US financial institution with a global footprint. Lum describes the technology as immune to quantum eavesdropping. “That’s guaranteed by physics,” he said.

The case for private equity adopting QKD comes back to the point that even non-confidential data or data with short-term sensitivity can be compromising when accrued in pattern-revealing quantities. But it is telling that for PE-backed companies such as SpeQtral, some of the most significant traction has been in government-linked programmes.

Private investment in quantum start-ups globally reached a record USD 2.3bn in 2022, according to McKinsey & Company. This is only marginally higher than 2021, but it represents a parabolic spike. Annual investment was about USD 750m in 2020 and didn’t surpass USD 300m until 2017.

All this is dwarfed by the public sphere, where investment crossed USD 36bn in 2022 and is projected to hit USD 42.4bn by 2027, according to industry researcher Qureca. China is the runaway leader, having invested USD 15bn into the segment last year. It was followed by the UK (USD 4.3bn), the US (USD 3.7bn), Germany (USD 3.3bn), and France (USD 2.2bn).

Early-stage momentum?

Only a marginal amount of start-up funding is going into security-related themes, however, with Qureca estimating that out of about 600 quantum companies globally, only 5% are dedicated to security. This is despite survey feedback from EY that indicates 72% of telecom companies and 61% of advanced manufacturing companies say cryptography is their top priority in exploring quantum technology.

There is evidence that there could be a shift on this front in the years to come. The portfolio of SGInnovate, which is owned by the Singapore government, appears to suggest that as the quantum hype cycles settles into realism, cybersecurity’s more feasible near-term applications could bring it to the fore. Of its five quantum start-ups, two, including SpeQtral, are focused on post-quantum security.

SGInnovate’s thesis identifies quantum technology as an inevitable convergence point in computer science, albeit a slightly underripe one. As the development of practical quantum hardware rolls out across a potentially un-investible timeframe, prevailing themes around corporate and national competition will support medium-term plays in areas like security.

“A lot of countries are putting money into quantum technology not because they think it’s going to be the next technology to reduce compute power needed for industry but more because they fear the ability of other countries with that technology to be able to hack their cybersecurity systems,” said Hsien-Hui Tong, an executive director of investments at SGInnovate.

“Once you have a general quantum machine, it could solve a host of problems, but at the same time, it creates its own issues because new cyber systems need to be set up to protect them from this new processing power. At this point, based on the current technology and the limited vision we have, we don’t see any processing technology beyond quantum. We see it as the endpoint.”

• Tweet  
• Facebook  
• LinkedIn  
• Google plus  
• Save this article  
• Send to  

• Topics
• Southeast Asia
• Technology
• Advisory
• Early-stage
• Cybersecurity
• quantum computing
• professional services
• SGInnovate