Originally published January 18, 2023
The dullest statutory holiday I ever celebrated was without a doubt Saturday, January 1, 2000.
I had recently returned to working at IBM Canada, and was on a contract at one of the big five Canadian retail banks. There, my team and I had spent the prior two years modernizing their network of branch servers. Part of our work included ensuring that the entire middleware and application software stack was Y2K-ready. We had gone through seemingly endless rounds of testing and verification and were highly confident in our work; yet, when the critical date arrived, the bank’s IT director asked all team members to be on-site just in case. Bleary-eyed, we showed up at the office at 8:00 a.m. and spent the next six hours staring at our incident dashboards, watching absolutely nothing happen. In the early afternoon we were released to go home for the remainder of the holiday. By all accounts, our experience was not unique. Globally, the number of serious Y2K incidents could probably have been counted on the fingers of one hand.
Y2K, for the benefit of the younger generation, is the nickname given to the ubiquitous computer issue of the mid to late 1990s: many older programs and databases used only two digits to store the year in a date field, on the assumption that it could be prefixed with ‘19’ and that the code would surely be replaced long before the year 2000 came along. Of course, everyone underestimated code longevity, and all those date fields needed to be fixed before computers started malfunctioning in unpredictable ways after the turn of the millennium.
What made Y2K such a non-issue? Although it’s possible that the severity of the problem might have been inflated in the industry and public press, it was still pervasive with potentially serious consequences across the entire global economy. I believe there were three main factors that contributed to Y2K’s minimal impact:
1) Widespread public knowledge of, and concern about, the problem. It was easy for the average layperson to understand the difference between coding two-digit and four-digit years, and the impact of computer systems interpreting ‘00’ as ‘1900’ instead of ‘2000.’ Such general concern was a strong factor in forcing government and industry to act.
2) Fixing the problem, although it was expensive and time-consuming, was technically not very difficult. Modifying and testing computer code to accommodate a four-digit year field is something most programmers are capable of; in fact, many automated scanning, discovery and remediation tools hit the market in the late 1990s.
3) There was a definite deadline to act. Chaos was bound to ensue if all systems weren’t repaired and tested by December 31, 1999. This deadline allowed everyone to build robust project plans with ample time for design, development, deployment and verification. Everyone was working toward the same goal and collectively got the job done.
Today, the world faces a new threat with consequences at least as severe as those ever envisioned for Y2K. This threat is a consequence of the rapid developments in quantum computing.
Quantum computing has the potential to revolutionize the IT industry as we know it today. Quantum computer hardware, based on the properties of subatomic particles, can represent multiple values instead of the binary digits (zeros and ones, or bits) that underpin all classical computing. How quantum computing works will be the topic of a later post. For now, what you need to know is that the promise of this radical new computer architecture is the ability to solve complex mathematical problems exponentially faster than classical computers can. Quantum computing will have great applicability for problems in business, science and engineering, such as forecasting large-scale weather systems, researching new pharmaceutical drugs and optimizing complex financial systems or transportation networks.
However, here comes the threat: large-scale quantum computers will be powerful enough to break many of the encryption algorithms in use today to protect sensitive data and online transactions. When realized, this could disrupt if not destroy the foundations of digital commerce and data privacy. Furthermore, none of the three remediating factors I mentioned above for Y2K applies to this threat.
1) It is not well known to the public. It does not have a catchy name and requires lengthy explanation to be understood. The average layperson sees quantum physics, and indeed quantum computing, as somewhat futuristic science fiction. In addition, cryptography is based on complex mathematical problems and internet security is therefore generally taken for granted. In other words, the severity of the problem is discounted.
2) Fixing the problem, in addition to being expensive and time-consuming, is enormously complicated. In fact, the solution requires highly advanced knowledge of pure mathematics and number theory to develop new quantum-safe encryption methods. Testing and validating these new encryption methods is also an uncertain process absent any sufficiently powerful quantum computers available today. Deploying new encryption algorithms into production will require a great deal of work within organizations and across the public internet.
3) There is no fixed deadline for when the remediation needs to take place, nor even when the threat will materialize. Most industry experts expect that large-scale quantum computers will be commercially available in the next five to ten years, at which point encryption vulnerabilities will be exposed. This timeline is based on the major technical hurdles still to be overcome in quantum computing; however, new innovations are also emerging at a rapid pace that may collapse the timeline. Therefore, although the urgency of the problem is real, it is also still somewhat vague.
I would add a fourth consideration. The Y2K problem was, essentially, an accident. Its root was in software developers’ legitimate quest to make their code more efficient by storing dates with a two-digit year. With goodwill and effort all around, the industry rallied to correct the problem before it was too late. The quantum threat to encryption, by contrast, will be realized by cyber-criminals and possibly hostile nations deliberately acting against the public interest. In fact, some are harvesting data now and storing it with a view to decrypting it years later in the hope of extracting useful information. Our defence will take more than just goodwill and effort—it will require constant vigilance and involvement, if not supervision, from global law enforcement agencies.
This vulnerability of current encryption methods to quantum attacks has been nicknamed “Y2Q.” Next, we’ll look at how encryption works, the root of the Y2Q vulnerability and its consequences for privacy and online safety.