This article discusses how prepared companies are for quantum computing cybersecurity risks based on a recent Deloitte poll and what the current threats are.
Organizations have been cautioned for years that quantum computing (QC) is coming and they should prepare now for its implications rather than later. While QC does have its benefits, it is not a question of if, but when it will present cybersecurity risks to critical and seemingly not-so-critical information systems. A recent Deloitte poll focuses on just how prepared companies are for quantum computing cybersecurity risk right now.
Delving into Deloitte’s Online Poll
Deloitte is one of the top consulting firms providing audit and assurance, risk management, risk and financial advisory, and other services throughout the world. The firm conducted an online poll during its webcast, “Insights and action: Preparing for quantum era opportunities and threats” on July 28, 2022. More than 400 IT professionals who understand the benefits of quantum computing were polled during the online event.
When asked if their organizations were at current risk for “harvest now, decrypt later” (HNDL) cybersecurity attacks:
- 50.2% of the respondents believed they were.
- 21.2% did not think they were at risk.
- 28.6% did not know if they were at risk.
With an HNDL attack, bad actors collect (harvest) data from unsuspecting organizations with the intention of decrypting it in the future - when quantum computing is expected to be capable of making many existing cryptographic algorithms obsolete.
Preparedness for QC Cybersecurity Risks
When various questions were posed as to what their organizations’ timeframes are for assessing their potential, post-quantum encryption vulnerabilities, the responses regarding preparedness plans varied:
- 26.6 % had already completed a risk assessment
- 45% expect to complete their assessments within 12 months or less.
- 18.4% planned to conduct a quantum risk assessment within the next year.
- 16.2% are likely to perform their quantum risk assessments within two to five years.
- 27.7% will wait to begin their efforts for QC security risk management once there is regulatory pressure to adopt policies or legislation.
- 20.7% will wait until there is demand from their leadership, such as CISO/CSO, board of directors, etc., to enable cryptographic agility to address algorithms that are made obsolete by quantum computing.
- 11.7% stated that their organizations appear to be taking a “wait and see” approach where it would take a cyber incident to spur their efforts for quantum security risk management.
- 6.8% said they would wait until their clients or shareholders request an assessment of their QC security risks.
Quantum computing is expected to reach its potential to pose a real-world risk within 10 years. However, preparing for its arrival needs to begin sooner, rather than later to protect against quantum security risks.
NIST Announcement Means Help is on the Way
While the preliminary process has taken over five years, NIST announced the long-awaited winners of Round 3 of its Post-Quantum Cryptography (PQC) Standardization Process on July 5, 2022. The winning cryptographic algorithms have been selected for standardization and include:
- Public-Key Encryption/Key Encapsulation Mechanisms (KEM): CRYSTALS-KYBER
- Digital Signatures: CRYSTALS-Dilithium (primary), Falcon and SPHINCS+
NIST has also selected additional Public-Key Encryption/KEM algorithms for a fourth round of evaluation as potential candidates for standardization in the future, including:
- Classic McEliece
This news has been welcomed across most of the globe as defining standards to use in the fight against quantum computing cybersecurity is being proactive versus reactive. And when considering the real possibility of harvest now, decrypt later cyberattacks, the sooner such standards can be implemented, the better for all involved with protecting sensitive data.
Crypto-Agility is Key to Protect Organizations from QC Cybersecurity Threats
There is no time to waste for organizations to become post-quantum ready, especially with the threat of HNDL cybersecurity attacks hanging over their heads. Encrypting data with algorithms that are not quantum-ready puts that data at risk for many years to come in the case of sensitive data with a long shelf life. With each month, the risk of a quantum-powered attack increases as we near 2030, which is the expected arrival of quantum computing.
NIST’s selection of algorithms for standardization are a major step towards protecting data from quantum computer cybersecurity threats. However, these standards will not be out until at least 2024. One must also realize that there is no guarantee that these new algorithms will be completely secure either and there may be better algorithms in the future. However, by accepting and implementing these standards, it can help force the hand of crypto providers to provide support for the new algorithms and increase user demand for post-quantum crypto solutions. It will also help move Hardware Security Module manufacturers to begin adding these quantum-safe algorithms to their offerings.
Organizations must become crypto-agile now rather than later and prioritize quantum security to begin protecting data now before quantum computing arrives. By doing so, they will be able to quickly switch to whatever algorithms are recommended by NIST to thwart attacks at any given time. This is where Cryptomathic Crypto Service Gateway (CSG) excels in providing the needed crypto agility organizations will need now and in the future.
- Insights and action: Preparing for quantum era opportunities and threats (September, 2022), by Deloitte
- Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations Consider Implications of Quantum Computing (March, 2022), by Deloitte