This is the "Q" I'm worried about
Q is not a conspiracy. Just not the Q that you're thinking of.
🚨 BREAKING PAF NEWS! 🚨 The House of Lords will be debating the PAF liberation amendment TODAY (probably). Tune in to the Lords Grand Committee on Parliament Live from 4:15pm, and look out for amendment number 252. (What’s the PAF? Backstory is here.)
PLUS! Massive PAF news as Francis Maude – Lord Maude of Horsham – has officially backed the amendment! This is significant for a couple of reasons. Firstly, because Lord Maude is a hugely respected former Cabinet minister, and because he was one of the architects of the Government Digital Service during the Coalition years. Having him on board is a clear sign that this is an amendment worth taking seriously.
And secondly it is important because it means that the PAF amendment now has the support of Peers from FOUR major parties: The LibDems (Tim Clement-Jones, LibDem Digital Economy spokesperson), Labour (Former deputy leader Tom Watson who led the original PAF liberation push in 2009), the Greens (former leader Natalie Bennett), and now the Conservatives (former minister Francis Maude).
Will it get through? I’ve no idea but follow me on Twitter @Psythor where I will be attempting to live tweet the debate later today. #FreeThePAF!
Oh, and make sure to subscribe (for free!) as I’ll send an update after the debate.
Now, on with today’s essay, which is about something… completely different.
Perhaps the most underwhelming event this century happened right at the start of it.
No, I’m not talking about Matrix Revolutions, the Nintendo Gamecube, or the search for Weapons of Mass Destruction in Iraq.
I’m talking about the Millennium Bug, of course.
I remember watching 2000 Today, the live BBC special that was broadcast over the new year, which spent 28 hours awkwardly straddling the no man’s land between light entertainment and serious news1.
Every so often, the presenters would turn to Peter Snow, who was standing in front of a large video wall displaying a map – the idea being that he would track the impact of the Bug, and would relay details of the chaos unleashed: The computer systems falling over, the bank vaults swinging open, and the nuclear missiles taking flight.
(Skip to 8:20 in the video above for some classic Peter Snow.)
In the event though, the only thing Snow could do is basically shrug his shoulders. As we know now, despite the hype, basically nothing happened. Millennium Bug? Millennium Dud, more like.
As a result, the Bug is now popularly remembered as a canonical example of a fuss over nothing, and during the early days of the pandemic, it was sometimes cited as an example of a hysterical overreaction.
But this is very much the wrong lesson to take from it.
The reason the Millennium Bug was a damp squib in the end wasn’t an accident – it was only thanks to the diligent work of thousands of IT professionals who upgraded their systems and updated their software to ensure that two-digit dates stored “99” rolling back to “00” would not break anything. The warnings from governments and security professionals were widely heeded. In other words, it was only underwhelming because we did something to stop it2.
And it’s an important parable for a couple of reasons.
First, it’s a story of how we can, collectively, solve big problems. We got the world together to stop the Bug – just as we managed to develop and rollout a Covid vaccine that allowed us to return to normal life. Both are inspiring stories of human ingenuity.
And looking forward, they demonstrate in microcosm why we don’t need to embrace climate doom: If the world can work together, we can re-engineer our energy system so that we can mitigate climate change and improve global standards of living at the same time.
However, there is also a much more literal takeaway from the Millennium Bug story. It’s a reminder that we should proactively care about digital security – and that we should fix massive security issues before they become problems.
And this is an important lesson because in the years ahead we’re going to face at least a couple of Millennium Bug-style problems with our computer systems.
For example, in just under 14 years time we’re going to run into “The 2038 Problem”.
Like the Millennium Bug, this is an issue with dates. On the 19th January 2038, seven seconds into 3:14am GMT, many computers around the world may stop counting upwards, creating a similar date ‘reset’ issue to the Bug.
In the case of 2038, the reason for the weird cut-off date is because computers calculate dates and times by counting the number of seconds since the 1st January 1970 – and traditionally they stored this number as a 32-bit integer.
And without getting into a full explanation of how to count in binary3, the upshot is that numbers larger than 2,147,483,647 cannot be saved as a 32-bit integer – and that’s how many seconds will have elapsed at the fateful 2038 moment.
The good news is that this problem is easily solved – dates and times can be stored as 64-bit integers instead, which is something most modern computer systems can do. That gives us an extra 292 billion years – by which point, either fixing the computers of the future will be someone else’s problem or it will be after the heat-death of the universe and we’ll have bigger issues to worry about.
But 2038 could still be an annoying problem as not every computer system has yet been updated, and to fully mitigate the problem it will require software vendors the world over to update all of their software all over again, requiring a similar upgrade campaign to the Millennium Bug.
Despite this though, I’m not really that worried. The 2038 problem has been well known for years, and most major software, like MacOS and Windows have been 2038-ready for years. And, of course, the 2038 problem has a defined date on which problems will arise – meaning that even if there are somehow critical systems4 that are still not prepared, there is at least a hard deadline to focus minds. And we still – definitely – have 14 years left to go to sort the problem out.
Instead, what actually worries me is another big Millennium Bug-style moment that the world is barrelling towards.
It’s a much worse problem than a few screwed up dates, and scarily we don’t know when it might actually happen. And as a final twist: It might already be too late to fully mitigate the problem.
If you enjoy nerdy takes on politics, policy, tech, media and society, don’t forget to subscribe (for free!) to get new posts direct to your inbox.
Q Who
Encryption is one of the foundations of our modern world. Thanks to clever cryptography, we can be confident that our data is stored securely, and that no one can intercept it en route to us. It’s the reason why we trust our phones and our computers with our most sensitive information5.
But now imagine for a moment if there were a technological breakthrough that meant that encryption didn’t work. If suddenly computers existed that were capable of breaking the cryptographic maths – meaning that someone in possession of such a device could conceivably break open encrypted data – like having a skeleton key that can open every bank vault in the world.
This isn’t a mad Black Mirror pitch. This is a real thing that could happen in the not too distant future if we successfully manage to develop “quantum” computers that are literally based on the principles of quantum mechanics.
Such a breakthrough would be a major technological moment – one that security professionals sometimes ominously refer to as “Q-Day”.
The technical explanation of exactly why encryption can be broken by quantum computing gets complicated quickly.
But the short version is essentially that today our major encryption standards – cryptographic techniques known as RSA and ECC – are premised on a type of maths that would take a traditional computer literally hundreds of thousands of years to decrypt by brute force.
But a “quantum” computer will, in theory, be able to perform the calculations in minutes or even seconds.
And this means that if the quantum breakthrough is achieved, something we think of as reliably secure today could conceivably be blown wide open in the future.
True Q
So that’s why quantum computing is a big deal for security. But what I’ve glided over so far is whether we will ever actually achieve this quantum breakthrough.
I can’t claim to understand the physics myself, but I’m told that on paper, the maths behind quantum computing works – the challenge isn’t one of fundamental physics, but of engineering such a machine in the real world.
And to be clear, this is not a trivial problem. For example, unless we unexpectedly invent some amazing new superconductor technology, quantum computers will need to run at extremely cold temperatures – close to absolute zero – to reduce thermal interference and other problems.
But my understanding is that of the many technological challenges that remain, progress is slowly being made by scientists. That’s why when talking about quantum I’m not just a medieval alchemist, swearing blind that it is possible to turn lead into gold, while wearing a big wizard hat.
And it’s also why quantum computing is being taken very seriously by serious people.
For example, the United States, European Union and China all have major quantum research programmes. Britain even has a National Quantum Strategy and a Quantum Technologies Programme that’s supported by not just the Department of Science, Innovation and Technology, but also the Ministry of Defence and GCHQ (who I’m guessing are quite excited about the possibility of reading Putin and Xi’s WhatsApp messages).
Similarly, on the corporate side, Amazon, Google, Microsoft and other big tech firms all have quantum research programmes working towards the breakthrough too.
And this isn’t just about racing to break almost all existing digital security. There’s a positive case for quantum, as there is huge potential for the same technology to speed up drug discovery, or improve climate forecasts by massively increasing the number of calculations that can be performed when creating digital models.
Plus we could conceivably use the immense compute power of quantum for more banal problems too, like optimising postal delivery routes or routing car traffic more efficiently around the road network. And with quantum computation, we should be able to train AI models more quickly too, unlocking even more magic-adjacent capabilities like the ones we’ve seen emerge over the last year.
That’s why, despite the risks, both governments and major corporations are actively working on making Q-Day happen. And that’s why we need to pay more attention.
But what makes Q-Day different – and potentially scarier – than the Millennium Bug is not just the far reaching implications, but the reality that we don’t know exactly when the big moment might happen.
In fact, people have been repeatedly arguing that the quantum breakthrough is imminent for years now, even though it has yet to materialise. In that sense, it’s just like fusion energy, a Terminator 2 sequel that isn’t shit, or Matthew Goodwin’s fabled ‘realignment’.
So for all the hype, “Q-Day” could still be decades away. Or it could be next year. We simply don’t know. And this uncertainty makes it much harder to anticipate and plan for.
Deja Q
If/when Q-Day finally arrives, the effects won’t actually be felt in a single day.
This is another way it’s different to the Millennium Bug – where, in theory, all of the chaos would have been unleashed in a few short days.
Instead, one expert6 explained to me that after a quantum breakthrough, malign actors will prioritise who to target, and aim for the highest value secrets first.
That means that if China builds a quantum computer, it is probably first going to go after America’s military secrets, rather than your half-finished novel on Google Drive.
Similarly, quantum decryption will still not be instantaneous. It’s conceivable that the first quantum computers could still take a year or two to decrypt a given lump of data. But hey, if it’s something as important as nuclear secrets, then the malign actor may decide it is worth the wait, because at least it will be decrypted on a human-scale timeline, rather than over the next 100,000 years.
In the longer run, quantum computing will likely follow previous technological breakthroughs. Performance will improve and availability will increase as the technology becomes commoditised – and that’s when we’ll get the lower-level problems like chancers hacking credit card details and breaking into your bank account, and so on.
And to be clear, once the technology has been scaled, it could still be a long time before quantum computing is a genuine threat for most users. There are probably some people reading who are sceptical that a threat of this magnitude will ever happen.
However, I think quantum is still something worth worrying about – because even if we assume any significant breakthroughs are unlikely, the downside risk if the technology does take off is enormous.
And as if to illustrate this point vividly, we’ve all recently all experienced how low probability events can change everything.
In 2019, there was no particular reason why pandemic preparation should have been at the top of any government’s agenda, and barely anyone outside of a handful of bureaucrats and epidemiologists ever really thought about it.
And in 2022, the idea of AI Large Language Models with the capabilities of ChatGPT seemed impossibly futuristic, like something that may have been decades away – right up until the moment that OpenAI invented it, and we all tried it for ourselves.
So I think it is sometimes sensible to expect the unexpected – especially when there are things we can do now to reduce problems later.
And to illustrate this, I’ve saved arguably the scariest thing about quantum computing until last. That’s what the cybersecurity industry describe as “harvest now, decrypt later”.
This is the idea that instead of just waiting for quantum capabilities, it’s more than possible for hackers right now to start collecting troves of encrypted data in anticipation of Q-Day.
So imagine, for example, if hackers used all of the normal hacking techniques available today to acquire an encrypted file called nuclear_launch_codes.zip.
Acquiring the file wouldn’t be easy – the hackers would still need to bypass firewalls, steal login credentials and find holes in software. And even if they successfully obtain the file, it would be effectively useless – without a quantum computer there would be no way to determine what is inside the blob of zeroes and ones without the encryption key.
But it could still be worth the effort. Because even if they can’t decrypt the file right now, it means that they’ll have it ready to go on Q-Day, when they can finally set a quantum computer to work pulling the file apart. So what feels safe today might prove to be anything but.
And taking this to its logical conclusion, we can basically assume that this race to gather data has already begun. It seems implausible to me that the Americans, Chinese, Russian and every other intelligence service on Earth are not already harvesting data ready for a Q-day blowout.
All good things…
Luckily, I don’t need to end this post on a massive downer, having done my best to scare the life out of you.
This is because like the Millennium Bug in the 90s, there is increasing awareness that quantum computing is a massive potential problem that we may need to deal with in the future.
And the critical players are already taking quantum seriously as a security threat.
For example, Apple recently launched an iPhone software update that upgrades iMessage to use a “post-quantum” form of encryption, that essentially uses more difficult maths (and some clever encryption key trickery) that engineers expect that quantum computers will still struggle to decode.
And similarly, governments are broadly raising awareness – the NCSC has issued some guidelines to chivvy British industry and government along, for example.
However, I can’t help but wonder if we need an even greater sense of urgency.
For example, I understand there are still no well defined “post-quantum” standards for securely passing data around, aside from in closed systems like iMessage. That seems like something we should sort out.
And more broadly, in many organisations, institutions and individuals' lives, digital security is still a horror show. This is something that should be fixed anyway, for the here and now – but with the risk of harvesting, making data as secure as possible should be a higher priority than ever.
But perhaps the biggest lesson of all is that if we think quantum is a problem, just like the Millennium Bug, we actually need to do something about it – so that we’re ready for when the quantum future does arrive, and that thanks to our careful work, it will make the quantum concerns look like a big fuss over nothing.
Phew, you reached the end! If you enjoyed reading and would like more takes on politics, policy, tech, media and society direct to your inbox, then make sure you subscribe (for free!).
And don’t forget to follow me on Twitter and Bluesky.
If you watch the video you can see the evident schizophrenia in the design of the studio, which is both cold like a news broadcast, but exciting like light entertainment. And it appears that the studio was given a water feature for some reason. Seriously.
I say “we”, but I was only 12 so I personally was not particularly helpful to the effort.
I can’t work out if counting in binary is something that is pretty popularly understood now, or if this is just a weird thing that only tech people know. (In the era before smartwatches, I used to wear a binary watch, because of course I did).
Such as banks or financial institutions that are still operating on 1970s mainframes – which does still happen today occasionally.
The downstream consequences of this trust are easy to see. For example, all of our WhatsApp messages are end-to-end encrypted. That’s why we trust our messages are kept private, and why we only ever see leaks from the Tory MP WhatsApp group during leadership crises – when it is the MPs themselves doing the leaking, and not some random hackers.
A guy called Tim Callan, who works for security firm Sectigo.
The good news is that as of July 2022, NIST picked Kyber (https://pq-crystals.org/kyber/index.shtml) as the standard post-quantum algorithm, and companies including Google and Cloudflare (which handles a big chunk of all web traffic globally) have been advertising it in TLS handshakes.
In Cloudflare's case, they've been doing it since September 2022. You can try it yourself by going to https://pq.cloudflareresearch.com/ using Google Chrome (you'll need to enable the special flag as described there). There's a longer discussion of Kyber and the various alternatives here- https://blog.cloudflare.com/nist-post-quantum-surprise/ . Disclosure: I work for Cloudflare.
I remember working in 1998-99 on Y2K, one of my first jobs in IT.
Found and fixed hundreds of minor bugs and hit one major one: there was a storage system for documents (Word documents, mostly) that automatically deleted anything that hadn't been accessed for more than seven years and the calculation for the years would have gone haywire and deleted everything on 1 Jan 2000. Obviously, we fixed that!
Typical issues were things like it would display 2000 as 19100, but calculate just fine (it was treating 2000 as 100 and then sticking the characters 19 on the front).
Note that we still get date bugs - there are a bunch of systems that didn't work properly on 29 Feb this year because they don't handle leap years properly.