📺 Prime Target ★★½ (and the real threat that's never mentioned)
Apple TV+ has had a pretty good hit rate, so when I saw the trailer it sounded appealing - a cross between Good Will Hunting and Jason Bourne. If only.
The main problem with Prime Target is the central premise. You have to turn off your brain for a lot of these conspiracy / spy shows, but in this case it was made worse because I actually know something about the subject at hand.
The central premise is that a genius mathematician at Cambridge University is on the verge of finding a pattern in prime numbers. Prime numbers are foundational to many cryptographic algorithms, so if a pattern were found, it would pose a significant threat to encrypted data. For this reason, the NSA monitors mathematicians around the world, and those on the verge of making the discovery, well… you can guess the rest.
It’s absurd. Put aside the ridiculousness of a US intelligence agency installing cameras in the offices of mathematicians so they can watch them write out algorithms on a white board. Let’s consider the idea that the way to deal with a security vulnerability is to kill the researcher who finds it. It’s nonsense.
Let’s bust a few myths. Companies and marketers like to use terms like ‘military-grade encryption’ or ‘bank-level security’. The fact is, in the case of encryption, there are industry standards. For example, the encryption used to protect the data at rest on your iPhone is no different from the encryption used to protect classified data at rest on a military server.
A common rule in security is that you don’t write your own encryption or use some obscure proprietary encryption. It’s for one simple reason. Obscurity does not equal security. You want the encryption algorithm to be widely reviewed and tested so you have confidence that it is mathematically and technically sound.
For this reason, most of the world relies on the US National Institute of Standards and Technology (NIST). They hold open competitions where cryptographers submit papers and proposals for different cryptographic algorithms. It’s an open and transparent process. It’s designed that way so that it’s open to global academic and industry review, and subject to peer review, like any other science. The transparency builds trust, and it helps standardise the use of encryption algorithms so that systems can interoperate.
Governments want to know about weaknesses in encryption algorithms. The response is not to try to hide the weakness hoping no one else will find it, or kill the researchers. No, the way they deal with it is by deprecating the algorithm and choosing a better one. It happened when flaws were found in the Data Encryption Standard (DES), so they held competitions to select a cipher for a new standard, which became the Advanced Encryption Standard (AES). When you visit a website, the data transmitted between your web browser and the website is encrypted using a different algorithm, which, again, was selected based on merit, and when flaws have been found, NIST updates its standards (FIPS 140) to recommend better ones.
Prime Target could have been more believable (but maybe not so dramatic) if they had gone with an actual, real threat that is happening right now. The risk to encryption algorithms is not from some genius mathematician - it’s from quantum computing.
As we stand in March 2025, NIST is in the final stages of completing standards for post-quantum cryptography. If all goes well, governments, vendors and organisations across the world will upgrade cryptographic modules in hardware and software to adopt the new standards, and everything will be fine.
On the other hand, there’s a risk (most likely from China) that a sudden leap will be made in quantum computing and the world will face a Y2K moment.
There’s a misconception that the ‘Y2K bug’ was some kind of damp squib. The media predicted armageddon but in reality nothing happened - therefore it was a lot of fuss and nonsense about nothing.
The truth is that the Y2K bug didn’t cause mass disruption because the entire tech industry spent thousands of hours and billions of dollars fixing the problem. I was one of those lucky people who was on-call over the Millennium New Year’s Eve and had to go in at stupid-o-clock to make sure everything was working ok.
A sudden advance in quantum computing, without a corresponding quick upgrade to post-quantum cryptography, could be a major threat, especially when you combine this with the exponential advances being made in artificial intelligence (AI).
If, for example, it were suddenly revealed that a breakthrough had been made in quantum computing and RSA or elliptic curve cryptography (ECC) was no longer viable for the SSL/TLS certificates that protect internet communications, billions of certificates would have to be revoked. It would cause mayhem. Or would it?
We’ve been through this before. Vulnerabilities were found in SSL and early versions of TLS. The advice was to upgrade. The advice then turned into a mandatory compliance requirement - at least it did for governments, and for merchants wanting to take online payments (contractual requirements to comply with PCI DSS). There was a transitionary period. No one panicked, and I’ve seen no evidence that there were major or widespread security breaches of organisations that were slow to upgrade.
It just goes to show. The risks are real, but we’re all - especially in the cyber security industry - terrible at quantifying risk. Plus, even when vulnerabilities are found in cryptographic algorithms, there are usually easier ways of breaching security.
Nonetheless, quantum computing is a risk to encryption. The world will need to adopt post-quantum cryptography sooner or later. For those who care about data security it will be sooner, irrespective of the current state of quantum computing. This is for one reason - the ‘harvest now, decrypt later’ threat. If you can capture the data now, it might not be readable now, but it could be later if a vulnerability is found or quantum computing breaks the underlying algorithms.
Post-quantum cryptography is already being rolled out. In February 2024, Apple announced a post-quantum cryptographic protocol (PQ3) for iMessage. Other vendors have also made upgrades, including IBM, Cloudflare, and Signal.
As an aside, Signal has been in the news recently after stupid Trump MAGA morons tried to convince us that those messages on a Signal chat thread didn’t include classified information. As someone who has worked on an aircraft carrier processing signals about missions and flight operations, I can attest that that kind of detail would have been highly classified, and I would have been subject to court martial and probably sent to military prison if I had disclosed it.
Here in the UK, just in the last days, the National Cyber Security Centre (NCSC) has published a roadmap for agencies and organisations to upgrade vital services by 2028 with a full transition to post-quantum cryptography by 2035.
I’m getting off-track. This post was meant to be a review of Prime Target.
In general, it’s nonsense. Even if you disengage your brain, it’s mildly entertaining, at best.
It stars Leo Woodall, who seems to be in everything at the moment. I’m not quite sure why he’s having the moment that he is. It’s never clearly stated in Prime Target, but his character appears to be written with that old trope that he’s a genius, so he’s ‘on the spectrum’. Maybe Asperger’s Syndrome or something like that. He’s clever, but he doesn’t recognise social cues. We’ve seen it all before. In this case the character is just - bland. I’m not sure whether it’s the writing, or Leo Woodall’s acting. Either way, he’s no Matt Damon.