* Editor's Note: If you would like to submit a question to Alan Grau, please post it in the comments section below or email it to David (at) ien.com. Questions will be answered in a follow-up Q&A.
Our five-part Quantum Computing/Quantum Apocalypse series was such a hit that we asked Alan Grau, VP of IoT and Embedded Solutions with Sectigo, to come back and answer some questions from the audience, including whether or not this crisis is any different than the Y2K scare twenty years ago.
Y2K was a problem computer systems in the 1990s had in distinguishing the year 2000 from 1900 -- many programs used two digits to represent the year instead of four.
Many software engineers worked very hard to create safeguards to prevent Y2K from causing chaos, while others did very little. In the end, the crisis seemed like little more than a creation of the media, and the story fizzled out. So, is the quantum apocalypse a similar scenario, and is it better to be safe than sorry?
According to Grau, the public didn't see any significant issues when we hit the Y2K rollover because many people put great effort into the systems that were most critical and had the most known problems.
The widespread concern was about deeply embedded systems controlling the power grid and other critical systems. Those systems were upgraded and experienced a few issues, but Grau stresses that "we didn't get lucky." The computing industry did a lot of work to address those problems.
Unlike Y2K, quantum computing doesn't have a start date. The rollout will be more of a gradual progression, and, over time, quantum computers will be able to crack critical computers. However, we may see a similar result. Grau emphasizes that quantum computing fixes won't be as clean as the Y2K update, because cybercriminals are already storing information to attack once quantum computing is realized. Businesses have to consider the data's lifetime and determine how long it needs to be protected.
Some small businesses feel that protecting against the quantum apocalypse is too costly and have considered an air gap to keep equipment wholly isolated with no external connections. In theory, air gaps can provide protection. However, Grau states that the security rarely holds up in practice.
According to Grau, small businesses won't bear the high cost of the updates; they will likely rely on their supply chain. While companies might have to update systems, the heavy lifting will be done by larger technology providers who can make that investment.
Grau says air-gapped systems are more of a myth. For example, the air gap typically lasts until the security engineers leave the building and someone plugs a computer into the network to access it remotely. Maintaining a genuinely air-gapped network is difficult, particularly when it comes to software upgrades.
Air gaps provide a high level of protection but require a lot of discipline to maintain. Businesses relying on an air gap need to be very careful with external hardware, with USB drives creating the most vulnerabilities. USB drives need to be carefully scanned for malware. Grau has seen malware jump across air-gapped networks with nothing more than a USB stick.
It's challenging to build a bulletproof system, but cybersecurity experts are working tirelessly to make it much more difficult to compromise these systems.
Previous Episodes:
Ep. 1: Is the Quantum Apocalypse a Hoax?
Ep. 2: How Quantum Computing Threatens Industrial Device Security
Ep. 3: Industrial OEMs Need to Act Now to Protect Against the Quantum Apocalypse