
Quantum computing signals the coming of the API storm

With insecure APIs creating vast blind spots and quantum computing poised to break current encryption, organisations will need to overhaul their cyber defences

We’re moving to an era defined by artificial intelligence (AI). Add to that the looming development of quantum computing, and the cracks in our cyber security posture are starting to grow.

Nowhere is the need to address this more urgent than in critical sectors like government, banking, and healthcare, where the weight of tech debt and increasingly complex IT environments has created problematic – and dangerous – gaps in cyber security defences.

The prevalence of application programming interface (API)-first development – where the API is designed and developed before any other part of the application – over the past decade has spurred enormous innovation, but it has also introduced one of the most significant blind spots in modern enterprise cybersecurity.

What we see at F5 tells us that the vast majority of web-based attacks now target API endpoints, and Gartner predicts that API abuses will account for more than 50% of data breaches by 2025.

So, what are APIs and why are they in the crosshairs? APIs are the connective tissue of the digital realm. They power everything – from mobile banking apps to programmes automating critical workflows. But many organisations can’t say with confidence how many APIs they actually have – or where they are. In one recent API discovery exercise we uncovered over 31,000 unknown endpoints, and that’s not as much of an outlier in the enterprise space as you might think.

That’s not a gap. That’s a canyon.

This lack of visibility is a problem now. But as we enter the era of quantum computing, it will become an enormous strategic risk.

Quantum computing leverages the principles of quantum mechanics to solve problems faster and more efficiently than traditional computing. While the potential for innovation and progress is unprecedented, so too is the potential for cyber security risk.

This next leap in IT presents a significant threat as it renders key current encryption methods ineffective. This means every interface, every endpoint, every certificate will need to be upgraded. The scale is daunting. Yet the ability to do so quickly and consistently will define which organisations are secure and which are not.

Generative AI is expanding the threat surface

Securing the organisation against the future threats of quantum computing would be a herculean task in itself, but there is another – more immediate – threat keeping chief information security officers (CISOs) awake at night.

The explosion of generative AI.

AI models themselves are becoming high-value targets. Cyber criminals are already using evolving techniques to exfiltrate intellectual property by exploiting vulnerable APIs.

Compounding the challenge is the sheer number of APIs in use. Common industry estimates suggest that up to 50% of API endpoints are unmanaged, and keeping an up-to-date inventory of APIs and endpoints is a daunting challenge. Dormant or outdated APIs – sometimes called ‘zombie APIs’ – are especially vulnerable, providing attackers with hidden entry points.

Here’s what I’m so worried about – AI is exploding an already misunderstood attack surface, and that growing attack surface is what defenders will need to address to be quantum-ready. It’s getting worse, the closer we get to Q-Day, whenever that is.

Automation and visibility are key

In these environments, manual approaches to API management and security are doomed to fail. Automated discovery mechanisms – systems that automatically identify, analyse, and map APIs, and that can continuously inventory them across hybrid, multi-cloud environments – are critical to regaining control.

Organisations are already seeing success using multiple lenses to discover and classify APIs – including code-based API discovery and traffic inspection.
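
To illustrate how the two lenses combine, the following added example (not from the article or from any F5 product) reconciles a documented route inventory, as code-based discovery might produce, against endpoints seen in access logs. All routes, log lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed inventory: routes the team has documented (for instance,
# extracted from an OpenAPI spec by code-based discovery). Hypothetical paths.
DOCUMENTED = {
    ("GET", "/v1/accounts/{id}"),
    ("POST", "/v1/payments"),
    ("GET", "/v1/statements/{id}"),  # documented, but never called below
}

# Constructed access-log lines (common log format) standing in for traffic inspection.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /v1/accounts/1842 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "POST /v1/payments HTTP/1.1" 201 88',
    '10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /v0/accounts/1842/export?fmt=csv HTTP/1.1" 200 90411',
    '10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2025:10:00:11 +0000] "GET /v1/accounts/77 HTTP/1.1" 200 498',
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F-]{32,36})$")  # numeric ids and UUIDs


def normalise(path):
    """Drop the query string and replace id-like segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))


def classify(log_lines, documented):
    """Return (shadow, dormant): seen but undocumented, documented but unseen."""
    observed = Counter()
    for line in log_lines:
        m = REQUEST.search(line)
        if m:
            observed[(m["method"], normalise(m["path"]))] += 1
    shadow = {ep: n for ep, n in observed.items() if ep not in documented}
    dormant = sorted(documented - set(observed))
    return shadow, dormant


if __name__ == "__main__":
    shadow, dormant = classify(LOG_LINES, DOCUMENTED)
    for (method, path), hits in sorted(shadow.items()):
        print(f"UNDOCUMENTED  {method} {path}  ({hits} hits)")
    for method, path in dormant:
        print(f"NO TRAFFIC    {method} {path}  (zombie candidate)")
```

Endpoints in the first group are live but absent from the inventory; those in the second are documented but idle in the sampled window and are candidates for review or retirement.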

But visibility is only the first step. Consistent security controls that can be deployed across environments – on-premises, the cloud, and the edge – are crucial to securing the discovered APIs.

Preparing for a post-quantum reality

Quantum computers have the potential to be a massive boon to progress and innovation, but they also pose a threat. While we don’t yet have an exact timeline for “Q-Day”, the crucial issue of cyber security and full visibility of the interfaces serving your data must be addressed in preparation. We know that actors, including nation states, are already harvesting encrypted data in anticipation of more powerful quantum computers, and this is every bit as much of a race condition as the global race for AI dominance.

So, preparation must start today. Like generative AI before it, I predict that cryptographically relevant quantum computing will come quicker than expected and will reshape the world of IT around it. A geopolitical surprise could turn into a global fire drill very quickly.

Reactive controls must be replaced with proactive defences. Piecemeal visibility needs to give way to real-time observability – after all, you can’t protect what you don’t know is exposed.

The combined pressure of AI, expanding API ecosystems, and the inevitability of quantum computing is forcing a reckoning in cybersecurity. This is the time for bold leadership. For security teams to work hand in hand with architects, developers, and executives. And for all of us to recognise that visibility and agility aren’t just nice-to-haves anymore. They’re the foundation of success in the new era.

Chuck Herrin is field CISO of F5
