Quantum ComputingPost-Quantum

Quantum Snake Oil

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email October 4, 2001
9 minutes read
Quantum Snake Oil

When Vendors Cry Quantum!

Remember the early dot-com days when every product suddenly needed an “e-” prefix or a “.com” suffix to get funding? Well, here in 2001 we seem to have entered the age of quantum snake oil. Suddenly every security vendor and their mother is peddling “quantum-safe” solutions as if quantum computers are about to bust down our doors. It’s absurd – they’re selling protections against an apocalypse that, as of today, is as realistic as a Death Star.

Let’s decode what’s really happening here: these vendors are invoking the scariest boogeyman they can imagine – a full-blown cryptography-cracking quantum computer – even though such a thing does not exist outside of Sci-Fi. They’re basically selling volcano insurance to us folks living in Switzerland. The pitch: “Our product is resistant to quantum computers!” – oh really? Sure. That’s like claiming your new vault is meteor-proof. Technically true, but is meteors falling a real threat to my bank?

To crank up the FUD, I’ve even heard vendors drop spooky hints about intelligence agency insiders. One guy leaned in and whispered that “a friend at Fort Meade (you know who) says quantum computing is farther along than we think.” Right. Next he’ll tell me he has a bridge to sell me in the Quantum Realm. It’s the oldest trick in the book – name-drop the NSA for instant cred. When agencies like NSA issue warnings, people assume they “know something we don’t” and panic-buy whatever snake oil is on tap. These vendors are exploiting that tendency. “NSA is worried about quantum!” sounds a lot sexier than “Buy our product because… well, just buy it.

Smells Like the Same Old Snake Oil

I’ve seen this hype-cycle before. This isn’t my first rodeo with security snake oil. In the ‘90s, it was “unbreakable cipher” products with secret algorithms – total nonsense. We had vendors slapping labels like “MILITARY-GRADE encryption” on tools that were basically rebranded XOR ciphers. Some even touted “NSA-approved” as if that meant anything (pro tip: it usually didn’t). The more things change, the more they stay the same. Today’s quantum hype is just the new coat of paint on yesterday’s bogus claims.

I distinctly recall a late-90s startup that promised “neural quantum encryption” (a word salad if I’ve ever heard one) that was “mathematically unbreakable.” They babbled about “proprietary multi-dimensional key oscillation” – pure technobabble. Guess what? It turned out to be hot garbage. Fast forward to 2001: now the buzzword du jour is quantum. If your encryption product doesn’t have quantum in the name, you’re not cool anymore. It’s as if adding “quantum” magically makes your VPN or firewall invincible. Spoiler: it doesn’t. Throwing around buzzwords and insider anecdotes is a page from the same old marketing playbook – one that seasoned security folks like us can spot a mile away.

Let me share a chuckle: one vendor’s datasheet claimed their solution was “secured with quantum-perfect encryption, immune even to attacks from theoretical quantum computers.” They might as well have said “powered by pixie dust”. Another boldly asserted “our cipher is so strong, even the NSA’s quantum labs can’t crack it.” – a claim made without evidence, of course. All hat, no cattle.

Reality Check: Quantum Computing in 2001 (Toy Computers in Test Tubes)

Rant over, time to inject some reality into this discussion. What’s the actual state of quantum computing as of 2001? In three words: early lab experiments. Promising and fascinating experiments, yes – but nowhere near the scale needed to threaten modern cryptography. Here’s the truth the marketers gloss over:

Shor’s Algorithm has only been demoed on a toy problem. The crown jewel of quantum scare stories is Shor’s algorithm (which in theory can factor big numbers exponentially faster). But so far it’s been demonstrated on exactly one non-trivial integer: the number 15. Yes, 15 – as in factoring 15 into 3×5. In fact, IBM and Stanford researchers pulled off this feat recently, using a seven-qubit quantum computer built out of molecules in a test tube. They literally had to synthesize a special molecule (a complex liquid with 7 atoms whose nuclear spins acted as qubits) and used a billion billion (1018) of those molecules in an NMR machine to successfully factor 15 . It was a brilliant scientific achievement, no doubt – the most complex quantum computation ever at that time – but let’s put it in perspective: the result was 3 and 5, which any grade-schooler could tell you. Even the researchers described it as a mere proof-of-concept, emphasizing that it was a “toy problem” and “we knew what the answer would be when we set out to factor the number 15“. In other words, quantum computers have proven they can successfully compute ‘3×5’ – pop the champagne.

A few qubits, not millions. That IBM “quantum computer” wasn’t a general-purpose machine; it was a highly controlled molecule with 7 qubits. Seven. For reference, breaking modern RSA or AES would likely require millions qubits (and millions of operations) working in concert. The IBM team itself noted that “thousands of qubits” would be needed to factor large numbers like the ones securing real cryptosystems. Meanwhile, all experimental quantum computers are still in the single-digit qubit range. We’re not talking about a slight gap – we’re talking many orders of magnitude. It’s as if we’ve barely learned to make a calculator bead, and someone’s worrying about that bead becoming Skynet. There’s a long way to go.

Physical limitations abound. Each approach to building a quantum computer has serious challenges. The demo above used liquid-state NMR doesn’t scale well beyond ~10 qubits (you end up needing absurd numbers of molecules and the signal-to-noise tanks). Researchers know this, which is why they’re already looking at other technologies for scaling up. Trapped ions (isolating individual charged atoms and using laser pulses) are a leading candidate – they offer high-fidelity qubits, but only a handful at a time in a vacuum chamber. Superconducting qubits (tiny Josephson junction circuits at millikelvin temperatures) are another path – potentially more scalable in manufacturing, but they’re incredibly finicky. We just barely demonstrated the first coherent superconducting qubit flips in ’99-’00; keeping even one qubit stable (coherent) for longer than a few nanoseconds was big news. Quantum dots, nuclear spins in solids, photonic qubits – all these are being explored as well. But every approach faces the monster of decoherence: the tendency of quantum states to fall apart with the slightest disturbance. Tiny vibrations, stray electromagnetic fields, a lab tech sneezing – everything kills quantum states. Researchers have to isolate qubits from the world more carefully than we isolate radioactive waste. This is not plug-and-play tech.

The bottom line: quantum computers today are lab prototypes, not adversaries in your threat model. They are to classical supercomputers what the Wright brothers’ flyer was to a Boeing 747. Yes, the theory is sound; yes, the progress is real and exciting. But practical, cryptographically relevant quantum computers are many decades away by any sane estimate. We’ll likely need breakthroughs in physics and engineering to even approach the scale required to break something like RSA-2048. Until then, our current encryption isn’t about to be shattered overnight by some magic quantum box.

Don’t just take my word for it. IBM’s own scientists, fresh off factoring 15, stated plainly that commercial quantum computers are many years away and that NMR-type quantum machines are just laboratory experiments for now. To be useful, future quantum computers will require “large numbers of qubits” and significant advances in error correction and engineering. In fact, for the foreseeable future, any practical use of quantum tech might be as a co-processor for very specialized tasks – not as a replacement for classical computers, and certainly not as a tool in a hacker’s arsenal next year. To crack modern cryptography, a quantum computer would need to be astronomically more advanced than anything we have now.

Keep Calm and Tackle Real Risks

So what should we, as a bank security team, focus on? Should we drop everything and spend a fortune on “quantum-safe” solutions right now? Or maybe, just maybe, should we address the very real and present dangers lurking in our systems? I’ll vote for the latter. While vendors are chasing hype, attackers today are exploiting completely un-quantum problems. Let’s list a few things that actually keep me up at night:

  • Key management screw-ups: Losing backup tapes with unencrypted keys, mismanaging who has access to keys, using weak random number generators – these are far more likely to expose our secrets than a future quantum codebreaker. Our cryptography is strong, but how we deploy and store keys is often weak. No quantum voodoo needed – a disgruntled insider or careless admin can compromise a system by simply having the keys or passwords. There’s no point worrying about RSA’s theoretical break in 30 years if someone can steal our private keys tomorrow because they’re sitting on a server unprotected.
  • Side-channel attacks and implementation flaws: You know what’s already been demonstrated? Timing attacks, power analysis attacks… basically, ways to extract secret keys by exploiting how encryption runs in the real world. In 1996, researchers like Paul Kocher showed you could break RSA by measuring how long operations take. That’s a today threat, not a tomorrow one. Are we sure our implementations of cryptography are side-channel resistant? Are we protecting against cache timing leaks, electromagnetic emanations, and the like? A $50 piece of hardware and some clever analysis might defeat our crypto long before a quantum computer can. And let’s not forget plain old software bugs – buffer overflows, weaknesses in protocols – those are holes attackers crawl through daily. Why brute-force 2048-bit encryption (quantum or otherwise) when you can just exploit a sloppy buffer handling in the server that uses it?
  • Insider threats & human error: As an FS CISO, I’m far more worried that Bob in Accounting will click on a phishing email or that an IT admin with an axe to grind will leak data, than I am about Dr. Evil firing up a quantum computer from his secret lair. Humans are the weakest link. Social engineering, phishing, insider misuse – these are happening right now, relentlessly. No fancy physics required. We could implement “quantum-proof” algorithms everywhere and still get owned if an employee emails their password to a spoofed address or if an admin decides to sell customer data. No quantum algorithm breaks the law of human foolishness.
  • Malware and network intrusions: The early 2000s are giving us worms and viruses aplenty (I love you, Code Red). Attackers are finding ways into networks through vulnerabilities in software, misconfigured systems, and sheer negligence. Once in, they don’t need to factor primes; they can install keystroke loggers or trojans and simply read our sensitive data. Why crack encryption when you can steal the plaintext at the source?

Given this very non-exhaustive list, it’s clear our security priorities should remain grounded in reality. We need to shore up access controls, patch our systems, train our staff, rotate keys, enforce least privilege, monitor for intrusions – the unsexy, essential work of security. These tasks won’t get you on the cover of Wired magazine, but they will actually prevent breaches. Investing in those areas will pay off far more than splurging on some premature “quantum-resistant” product that sits idle for 20 years waiting for a problem to materialize.

Quantum Can Wait (Real World Can’t)

Don’t get me wrong – as a techno-geek at heart, I love the science of quantum computing. One day, it will upend cryptography as we know it. We’ll have to transition to new algorithms. That day will come – but it’s not here yet. It’s not even peeking over the horizon. Chasing every quantum-proof snake oil cure now is not just silly – it’s a distraction and misuse of resources.

My advice to fellow CISOs and security professionals: keep your feet on the ground. Approach quantum claims with skepticism. By all means, stay informed about advances in the field – have a roadmap for migrating to quantum-resistant crypto in the long term. But don’t buy into the panic marketing. If a vendor today claims their product is “NSA-grade quantum secure!”, ask them for specifics. In all likelihood, they’re selling vapor. As we’ve seen, even IBM – at the cutting edge of quantum research – openly admits we’re many years away from practical quantum codebreaking. So maybe, just maybe, we should take them at their word and not the vendor hyperbole.

Meanwhile, focus on the threats that are kicking down our door right now.

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email October 4, 2001
9 minutes read
Photo of Marin Ivezic

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.
Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Bluesky
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap