Explore the impact of quantum computing on vendor risk assessment and supply chain security, and understand how to prepare for potential disruptions.


Quantum computing isn’t here yet, but it’s on the horizon. Its transformational problem-solving capabilities could address some of the greatest challenges faced by mankind. For businesses, such advanced computing power brings opportunities, but also risks. It can strengthen, as well as compromise, cyber security. It can supercharge supply chain risk management, and undermine it. In this article, we explore the challenges posed by quantum computing for third-party risk management – and how to start preparing for them.
Quantum computing offers significant potential to enhance supply chain security by enabling faster data processing, real-time risk monitoring, and more robust encryption methods, such as Quantum Key Distribution and post-quantum cryptography. However, it also presents substantial risks, as current encryption systems could be easily compromised by the power of quantum machines, exposing sensitive data to cyber threats. The threat of "harvest now, decrypt later" attacks and vulnerabilities in blockchain technology also need to be addressed. Additionally, the complex supply chains supporting quantum computing, including highly specialised hardware and third-party cloud services, introduce new risks. As quantum technology develops, businesses must start preparing by assessing vulnerabilities in their supply chains, strengthening third-party risk management, and planning for the integration of quantum-proof encryption solutions to safeguard data against future threats.
Quantum computing is a rapidly emerging branch of computer science that uses the principles of quantum mechanics to open up new possibilities for computing. Quantum computers can sift through huge numbers of possibilities and extract potential solutions to complex problems in a fraction of the time needed by current computers. They offer vastly more computational power than even the fastest supercomputers available today.
The basic unit of information in quantum computing is the qubit, which serves the same function as the bit in classical computing. Classical bits can only exist in one of two states (1 or 0), while qubits can exist in a multi-dimensional state. The power of quantum computers grows exponentially as you add more qubits, whereas classical computer power only grows in line with the number of bits added.
Quantum computers have the potential to solve large-scale, complex problems that would be unsolvable by conventional computers in any reasonable amount of time. In 2019, Google demonstrated a quantum computer that could solve a problem in minutes that would take a classical computer 10,000 years. That means quantum computing could be transformative in so many areas of modern life, from healthcare research, material science and financial modelling to artificial intelligence, digital manufacturing and cybersecurity.
While quantum computers are not yet practical for real-life applications, some of the world’s most prominent technology businesses, including IBM, Microsoft and Google, are working at pace to develop and build them. Businesses around the world need to be aware of these developments and the potential of quantum computing to solve many difficult, worthwhile challenges in the world. But as well as opportunities, there are risks which have implications for cybersecurity and supply chain risk management. With more widely available quantum computers on the horizon, now is the time to begin assessing the opportunities and addressing the risks. 
Quantum mechanics is a fundamental theory in physics that describes the behaviour of matter and energy at the smallest scales, such as atoms and subatomic particles. Key principles include wave-particle duality, where particles can exhibit both wave-like and particle-like properties depending on observation, and superposition, which allows particles to exist in multiple states at once until measured. Entanglement is another crucial concept, where particles become linked in such a way that the state of one instantly affects the state of another, regardless of distance. These principles challenge our classical understanding of the physical world, enabling quantum computing and other advanced technologies.
The ultra high-speed data processing capabilities of quantum computers offer significant potential advantages for supply chain risk assessment and monitoring. The speed and accuracy of vendor risk profiling could be improved beyond recognition, as could real-time supply chain monitoring and threat detection, providing instant alerts of vulnerabilities anywhere in the supply chain. Quantum computing capabilities could also be used to run advanced simulations of a range of risk scenarios, to support risk management and planning.
The security measures used to protect data and systems could be vastly reinforced with quantum-enabled encryption – helping to keep data safer than ever, whether in transit or at rest. However, the introduction of quantum computers could also pose challenges to traditional encryption, making it easier for hackers to bypass conventional cryptography. That means the power of quantum computing itself must be brought to bear to strengthen data protections.
Solutions in development include Quantum Key Distribution (QKD) which can be used to implement ultra-secure encryption keys to counter quantum-related security threats. Post-quantum cryptography, also known as quantum-proof cryptography, is being developed to create encryption methods that cannot be broken in a future world of quantum computing.
Overall, third-party risk management programmes could be greatly enhanced by the application of quantum computing to supplier or vendor assessment and monitoring, and by the strength of cyber security protections that could be enabled in an age of quantum computing. 
The potential cyber security benefits of quantum computing also represent a risk in the short-term. Currently used encryption methods, such as passwords and digital signatures, could easily be hacked by the power of quantum computers. Until quantum computing itself is used to strengthen encryption methods, it could break existing encryption keys and compromise sensitive data across entire digital supply chains. This would significantly undermine data protection and secure communication between businesses and their third-party suppliers.
One major digital defence system at risk from quantum computing is Public Key Infrastructure (PKI). This long-established system underpins secure web browsing, email encryption, VPNs and other aspects of digital security – protecting everything from financial transactions to personal communications. If quantum computers are able to break this widely used cryptographic system it could lead to widespread data breaches, identity theft and disruption to critical infrastructure.
Even before quantum computers become more widely accessible, there is a risk that hackers could harvest and store encrypted data today, in readiness for the arrival of quantum computing to decrypt that data in future. This type of “harvest now, decrypt later” attack could put valuable long-term data, such as financial records and confidential customer information, at immediate risk.
The capabilities of quantum computing could also render blockchain technology extremely vulnerable, potentially putting crypto currencies and other blockchain-based supply chain solutions at risk. By introducing such advanced problem-solving computing power, quantum technologies could potentially be used by malicious actors to identify and exploit vulnerabilities in a whole range of systems and supply chain networks. What’s more, the integration of quantum technologies into supply chains is likely to introduce new entry points for cyber criminals, presenting an expanded overall attack surface for exploitation.
The operation of quantum devices cannot be explained by classical physics, making it difficult to understand exactly how outputs are generated. Similar to the risks associated with artificial intelligence (AI), this lack of transparency makes it difficult for organisations to carry out risk assessments and audits of third parties providing or using quantum technologies.
In such a rapidly developing and difficult-to-comprehend field, technology development could quickly outpace the regulatory frameworks required to mitigate risks. The potential for quantum technology to render current encryption systems obsolete could quickly erode the trust and stability essential for the functioning of the global digital economy. Recognising the need for a coordinated global approach, international economic and financial regulators and authorities are already collaborating on the principles and approaches needed to underpin appropriate regulatory frameworks.
The introduction of robust large-scale quantum computers is still thought to be up to ten years away. Nevertheless, a wide range of organisations and governments are already obtaining useful results from current devices, with the likes of IBM and AWS providing access to their models for experimentation. The novelty of this new technology brings with it inherent risks in the way it is operated and implemented. Most firms currently testing quantum computing are doing so through cloud services, which creates a web of third-party dependencies and associated vulnerabilities.
Quantum computer providers themselves have vast supply chains, which are almost as complicated as the technology itself. Quantum computing relies on highly specialised hardware to harness the multi-dimensional behaviour of physical matter. That means sourcing parts for quantum computers is particularly difficult. Superconducting quantum computers require helium-3, a nuclear research by-product, and special superconducting cables currently made by just one company in Japan.
As well as the manufacturers of this highly specialised hardware, quantum computing supply chains encompass cloud infrastructure providers, quantum software development platforms, such as Qiskit from IBM and Cirq from Google, cryptography service providers, specialist component suppliers, research and development partners, AI and machine learning specialists, and classical computing resource providers.
These complex and fast-changing supply chains represent considerable risk for quantum technology developers. Robust and effective third-party risk management will be vital to constantly monitor the security status of suppliers, vendors and partners, so that risks anywhere in the supply chain can be quickly identified and mitigated. 
The mechanics of quantum computing and the possibilities it enables can be difficult to comprehend. But the likelihood is that this powerful computing technology will become available over the next ten years and will open up exciting new possibilities for our societies and economies.
The risks brought about by this incredible form of computing power are equally difficult to anticipate. But the simple fact is that such enhanced problem-solving abilities in the wrong hands could undermine cybersecurity and the whole fabric of digital data protection we rely on today.
Now is the time for businesses to begin preparing for a future in which quantum computing plays an increasingly prominent role. That means examining the risks in supply chains and exploring opportunities to strengthen third-party risk management, in readiness for the challenges ahead. The mere prospect of quantum computing is already generating new threats, such as “harvest now, decrypt later” attacks, which put data at increased risk of theft today.
By assessing the security status of your supply chain partners and vendors now, identifying vulnerabilities and targeting actions to reinforce cybersecurity, you can put your organisation in the best possible position to enjoy the benefits of quantum computing, while minimising the risks.
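As an added illustration (not part of the original article or any Risk Ledger tooling), the sketch below triages vendor connections for "harvest now, decrypt later" exposure by comparing how long the exchanged data must stay secret, plus the vendor's migration time, against a quantum horizon, a comparison often called Mosca's inequality. The vendor names, figures, field names and the ten-year horizon (taken from the article's estimate) are assumptions; only key exchange is rated, because captured traffic is what an attacker can store today.

```python
from dataclasses import dataclass

# Assumption: planning horizon from the article's "up to ten years away" estimate.
HORIZON_YEARS = 10
# Key-agreement families breakable by Shor's algorithm on a large quantum computer.
SHOR_VULNERABLE = ("RSA", "DH", "ECDH", "X25519")
POST_QUANTUM = ("MLKEM",)  # ML-KEM (NIST FIPS 203), alone or inside a hybrid group
SEVERITY = ["harvestable-now", "harvestable-before-migration", "unknown",
            "within-horizon", "quantum-safe"]

@dataclass
class VendorLink:
    vendor: str
    key_exchange: str     # how session keys are agreed for data in transit
    secrecy_years: int    # how long the exchanged data must stay confidential
    migration_years: int  # vendor's own estimate to deploy post-quantum key exchange

def classify(link: VendorLink, horizon: int = HORIZON_YEARS) -> str:
    name = link.key_exchange.upper().replace("-", "").replace("_", "")
    if any(pq in name for pq in POST_QUANTUM):
        return "quantum-safe"
    if not name.startswith(SHOR_VULNERABLE):
        return "unknown"  # cannot judge: ask the vendor for a crypto inventory
    if link.secrecy_years > horizon:
        return "harvestable-now"  # traffic captured today is still secret at the horizon
    if link.secrecy_years + link.migration_years > horizon:
        return "harvestable-before-migration"  # traffic sent during migration outlives it
    return "within-horizon"

def triage(links):
    """Return (vendor, finding) pairs, most urgent first."""
    rated = [(link.vendor, classify(link)) for link in links]
    return sorted(rated, key=lambda r: SEVERITY.index(r[1]))

# Constructed sample inventory (vendor names and figures are illustrative).
INVENTORY = [
    VendorLink("marketing-cdn", "X25519", 1, 2),
    VendorLink("payroll-processor", "RSA-2048", 25, 3),
    VendorLink("bank-gateway", "X25519MLKEM768", 25, 0),
    VendorLink("legacy-edi", "proprietary", 7, 5),
    VendorLink("logistics-api", "ECDHE-P256", 8, 4),
]

if __name__ == "__main__":
    for vendor, finding in triage(INVENTORY):
        print(f"{vendor:18} {finding}")
```

Vendors rated "unknown" are ranked above low-risk ones on purpose: an undisclosed key-exchange mechanism is itself a finding to raise in the assessment.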
Look out for future articles from Risk Ledger on how to advance third-party risk management to protect your organisation and its supply chain partners.