Quantum computers offer potential transformational power for organizations dealing with complex computational problems in various industries such as finance, pharmaceuticals, and automotive. They also pose the risk of breaking the cryptography that currently secures many common digital activities, such as online banking or something as common as browsing the internet (Yes, that green lock in your address bar means you can trust the connection – for now).
There is a current risk of Harvest Now, Decrypt Later (HNDL) attacks being used by attackers to steal encrypted sensitive information with a long shelf life, such as personal health, confidential product data or financial records. The attackers can hold onto the information until a quantum computer with enough power becomes available to break its encryption. If this occurs before the data's expiration, it could lead to significant breaches in the future.
It is, therefore, vital for us to begin preparing for migration to post-quantum cryptographic algorithms now before bad actors get the chance to steal sensitive data that might be used later on. To do this, organizations must upgrade their processes, systems, hardware, software, and services so that when it becomes necessary to switch over to post-quantum cryptography, there will not be any disruption of service. Doing this work now will provide organizations with much-needed peace of mind that their digital platforms are protected from future attack vectors. Starting the process early and working through it as a change management initiative will likely yield better results than procrastinating and eventually having to treat it as a crisis.
Post-quantum cryptography and pre-emptive measures
To address the potential cybersecurity threats posed by quantum computers, organizations will need to adopt quantum-safe cryptography, also known as post-quantum cryptography (PQC). The National Institute of Standards and Technology (NIST) is currently working on its PQC standardization, while other encryption methods such as quantum key distribution are also being standardized by organizations such as the European Telecommunications Standards Institute (ETSI).
The process of selecting standardized PQC algorithms and issuing guidelines takes time. The standards which are being worked on by various organizations (e.g. Ansi X9, IETF, ETSI, and others) won't be out until at least 2024. Also, the process of transitioning to new cryptographic standards will be lengthy (potentially many years) due to its deep integration in complex systems with dependencies from third parties in the supply chain.
However, leaders can take pre-emptive measures before initiating the significant task of migrating to PQC:
The management of quantum risk should be assigned within the organization. Designating a responsible party within your organization to manage quantum risk is crucial. Empowering them with the necessary resources and authority will facilitate preparatory measures and serve as a valuable initial measure in comprehending your quantum risk exposure and assessment.
Evaluate the potential risks related to quantum computing and determine the level of reliance your organization has on vulnerable cryptography. Analyze the organization's ability to effectively manage this risk exposure. The findings can inform future actions and enhance awareness within the organization.
Implementing and practicing crypto-agility is an important step for data protection which only gets emphasized in the face of quantum computing. Crypto-agility means that organizations can quickly change their cryptography protocols – without having to go through complex application changes each and every time –when new attacks are identified, allowing them to stay ahead of any potential threats. This allows organizations to remain secure and protect their data even as quantum computing advances.
Know what needs protection and the tools necessary to ensure it. Managing inventories of sensitive assets and security tools can be challenging for organizations. Understanding how cryptography is used and its purpose can help address quantum risk more effectively.
Emphasize the importance of cyber hygiene practices. In modern organizations, cryptography is just one of many protection mechanisms available for cybersecurity. To minimize risk, it is important for organizations to ensure the effectiveness of other security measures (e.g. protecting other layers of the stack) and that they complement cryptographic solutions.
Three approaches to PQC migration
As cryptography is deeply embedded as a security measure in systems across organizations, the scope of migrating to PQC will require a broad transition with multiple dependencies. Hence, it is crucial to commence the process as soon as possible.
Effective implementation of a quantum cyber strategy requires clear leadership and direction from the board, along with consistent monitoring of key performance indicators to measure progress.
Most organizations will probably use one of the following three PQC migration approaches, with the first approach being compatible with either of the other two.
Many organizations may find managing a parallel implementation feasible if they possess enough resources. There are several cryptographic algorithms that are publicly available and have been reviewed, which could be potentially quantum-safe. These solutions can be employed by organizations today in conjunction with classical cryptography, thereby augmenting their effectiveness.
There are two benefits to using this approach. Firstly, it allows organizations to experiment with implementing quantum-resistant cryptography without much difficulty. This helps them prepare for the eventual complete migration. Second, combining quantum-resistant and classical cryptography provides an additional layer of defense that can protect against current and future threats.
Adopting a phased approach
Organizations with complex infrastructure or limited resources may undergo a phased transition, including the migration of system groups to quantum-secure cryptography with interim evaluation periods to incorporate lessons learned into subsequent phases.
Phase-based migrations enable the distribution of milestones and investments, potentially aiding leaders in gaining support for the migration across affected business departments by minimizing the downtime of affected systems. Additionally, continuous adoption of lessons learned and industry insights can lead to improvement in the quality of the migration.
Complete migration in a single transition
Organizations with smaller infrastructure or limited communication needs, particularly emerging ones, may opt for a complete overhaul to achieve quantum security with existing knowledge and experience. This strategy is relevant for early-stage projects or new capability deployments without a lot of legacy systems.
A complete "big bang" approach may offer immediate protection against HNDL attacks, which can be beneficial for organizations handling valuable data and at risk of such attacks. However, difficulties may occur during the implementation process as a result of inadequate preparation and insufficient ongoing education, which could potentially affect the long-term effectiveness of the solution.
Regardless of the chosen migration approach, it is important for organizations to take action now and embrace the changes (and challenges) coming along with the quantum era in order to benefit from it.
PQC standards and regulatory requirements will become available in the near future and Organizations should start researching different options for their migration path, such as whether they want to use a hybrid approach or an all-inclusive migration. It is a good idea to start the dialogue with their vendor ecosystem at this time as they will likely need to identify and leverage external partnerships to prepare their organization. Ultimately, they should strive to develop a strategy that is tailored to their specific needs – there is hardly going to be a “one-size fits all” solution.