Jesper Olsen, Palo Alto Networks’ Chief Security Officer EMEA North, discusses the urgent need for quantum-ready security strategies in every sector
Quantum computing is set to transform the technological landscape, but it also introduces significant new cybersecurity threats.
In this interview with Technology Magazine, Jesper Olsen, Chief Security Officer EMEA North at Palo Alto Networks and former NATO adviser, shares his insights on why “harvest now, decrypt later” attacks are already a pressing concern.
Drawing on 25 years of leadership in technology and security, Jesper discusses how prepared organizations are for these emerging risks, identifies the types of data most vulnerable to quantum threats, and outlines practical steps businesses can take to safeguard themselves in the post-quantum world. He also offers guidance for leaders looking to stay ahead of the rapidly evolving quantum challenge.
Quantum computing is poised to revolutionise technology — but it also brings unprecedented cybersecurity risks.
In this Q&A with Technology Magazine, Jesper Olsen, Chief Security Officer EMEA North at Palo Alto Networks and former NATO adviser, explains why the threat of “harvest now, decrypt later” attacks is already a reality.
Drawing on 25 years of leadership in technology and security, Jesper discusses how prepared organisations are for these emerging risks, identifies the types of data most vulnerable to quantum threats and outlines practical steps businesses can take to safeguard themselves in the post-quantum world.
He also offers guidance for leaders looking to stay ahead of the coming quantum challenge..
How real and immediate is the threat posed by “harvest now, decrypt later” attacks? What evidence are you seeing that cybercriminals and nation-states are already collecting encrypted data for future quantum decryption?
“Harvest now, decrypt later” is a threat that’s already in motion.
Encrypted data is being stolen today with the expectation that it will be readable tomorrow.
The analysis of our Unit 42 Threat Intelligence teams supports this, as we are seeing clear evidence of data exfiltration and replication.
“If I can think it today, someone will be doing it tomorrow.” That’s a phrase I’ve used often to describe how cybercriminals operate.
If I can identify what has value to them, I can also gauge how they’d go about obtaining the data before monetising or exploiting the data later on.
The level of involvement of nation-states is an interesting aspect of this.
Looking at it through a practical threat lens, if I were operating as a foreign government seeking strategic advantage in a particular industry, would I take the direct approach and risk exposure? Probably not.
It would be far more effective to let others do the dirty work, then gain access to the data later.
We’ve seen technical evidence supporting this approach. Take Border Gateway Protocol (BGP) hijacks, for example — numerous media reports over the years have documented incidents where internet or mobile traffic was deliberately rerouted.
The question is, why reroute traffic if not to intercept or harvest the data flowing through it?
How prepared do you think organisations are — both public and private — for the coming quantum era?
From my experience, most organisations aren’t focusing on quantum yet, aside from a handful of individuals with a personal interest in emerging tech.
Therefore, the current level of preparedness is not at the standard where it should be.
That said, we’re starting to see more organisations and business leaders take a closer look at encryption and how it’s implemented.
Hopefully, the next step is understanding where it's implemented, how critical those areas are to the business and whether any data isn’t encrypted that should be.
That’s what will give them a realistic sense of their exposure and risk when "Q-Day” — the unofficial term for the day a Crypto-Relevant Quantum Computer (CRQC) is available — hits.
On the political front, this conversation is only just beginning.
Several countries are running quantum-related tests, like Quantum Key Distribution.
This shows there is some attention being paid, which is a great start. However, we need to quickly increase awareness and knowledge levels.
What types of data are most at risk from quantum-enabled attacks?
Anything involving IP or PII is at risk of quantum-enabled attacks. In particular, data held by organisations in sectors like defence, high tech and pharmaceuticals is already a prime target for foreign governments looking to use their quantum capabilities.
If an intelligence agency could decrypt and access that information, it would be a major strategic win.
Right now this is where most of the interest lies, but as we get closer to the day when a commercially viable CRQC becomes available, the scope will broaden significantly.
At that point, any data with business value — whether for competitive advantage or broader industry and national espionage — will be at risk.
What practical steps can organisations take to start preparing for post-quantum security, even if they lack in-house quantum expertise?
Even without deep in-house quantum expertise, there are clear, practical steps organisations can take today to start preparing for a post-quantum world.
Here's where to begin:
- Accept that the development of CRQCs — and the risks they bring — is real. This is happening, whether we’re ready or not.
Second, get clear visibility into where, why and how you use encryption today.
Understand which cyphers and algorithms are in use and how critical they are to your business. - Create a plan for how you would replace your current encryption. You don’t want to be doing this in panic mode when it’s too late.
- Take action now. Look at what can already be done to safeguard existing traffic.
There are solutions available today that implement post-quantum cryptography standards and they’re designed to withstand currently known quantum threats. - Educate, educate, educate. Don’t be the last to catch on.
Cybersecurity teams must understand the threat landscape. Business leaders not only need to understand the risks, they should also explore the huge potential for value creation that comes with emerging technologies like quantum.
