In 1994, when mathematician Peter Shor first introduced the quantum algorithm, now famously known as Shor’s algorithm, many found the concept of quantum computers wild and unreal. Fast forward to 2024, the world is delving into the real-world applications of quantum computing and the very real possibility of a quantum apocalypse.

Heralded as the next big thing in technological evolution, quantum computing promises to revolutionize fields such as science, finance, pharmaceuticals, and energy with its unparalleled processing power. As we pave the way for the transformational quantum era, business leaders, particularly CISOs, have a lot to consider and prepare for.

As leaders responsible for building organizational resilience in the face of technological disruption, CISOs have much to do to help their organizations become quantum-ready. Yet, for most CISOs, quantum readiness is still a far-fetched consideration. Given the many other pressing security concerns they face today, investing time and resources in preparing for quantum seems like a luxury they simply cannot afford. Unfortunately, adopting a wait-and-watch stance might not be an option anymore.

Here are four reasons why CISOs need to get a grasp of this disruptive technology today and start preparing their organizations and workforce for its imminent arrival.

1. Quantum is Moving From the “Lab to Production” Faster Than You Think

The quantum industry is advancing at great velocity. Fueled by massive government-backed funding, venture capital investments, and a growing pool of mathematical and scientific talent, quantum research is progressing with remarkable momentum. Globally, over 30 governments have committed to more than $40 billion in public funding commitments to quantum technologies, which will be deployed in the next ten years. Several countries are setting up national research labs and quantum computing data centers to expedite commercial applications. In the private sector, alongside corporate bigwigs like IBM, Google, and Intel vying for quantum supremacy, many nimble startups have entered the fray, each racing to find the next big breakthrough. Case in point, QuEra Computing, a pioneering startup in the quantum field, recently announced a three-year roadmap, culminating in the launch of an advanced error-corrected quantum computer in 2024. All of this highlights how quantum computing is maturing fast and it’s time CISOs started weighing in on the quantum risks.

2. The Quantum Threat to Data Security is REAL

Quantum computing harnesses the principles of quantum mechanics to perform computations at speeds inconceivable by classical computers. This means quantum computers can solve complex problems exponentially faster than classical computers. While this promises groundbreaking advancements in various fields, it also poses a grave threat to current cryptography.

Encryption algorithms such as RSA and ECC form the very backbone of data security today, enabling secure Internet transactions. These algorithms rely on the difficulty of factoring large prime numbers for security. However, a large-scale quantum computer has the potential to solve these mathematical problems using algorithms like Shor’s algorithm within hours. Therein lies the actual threat – the massive boost to computing speed would help break today’s powerful cryptographic algorithms easily, sabotaging the confidentiality and integrity of our data. This means that all of today’s sensitive encrypted data could be exposed and compromised by quantum computers.

Cyber criminals and nation state actors are more than aware of the potential of quantum computing. Security experts believe that threat actors have already begun executing “harvest now, decrypt later” attacks, where they collect and store valuable encrypted data today, with the intent of decrypting it in a few years once powerful quantum computers become available. The threat is real; the sooner CISOs acknowledge it, the better positioned they will be to defend their organizations.

3. Post-Quantum Cryptography Transition Is Not A Simple Switch

In response to the looming security threats posed by quantum computing, scientists and leading cryptography experts are working to develop a new wave of quantum-resistant encryption algorithms that can help organizations guard their data and communications against quantum-enabled cyberattacks. The National Institute of Standards and Technology (NIST) unveiled the first set of post-quantum cryptography (PQC) algorithms—CRYSTALS-Kyber for general encryption and CRYSTALS-Dilithium, FALCON and SPHINCS+ for digital signatures—in July last year and the standardization of these algorithms is expected to be completed this year. Once the standardization is complete, organizations will face mounting pressure to begin migrating their systems to quantum-resistant algorithms to avoid encryption compromises, data breaches, and compliance violations.

Transitioning to quantum-resistant algorithms requires substantial planning, time, and resources. Cryptographic migrations can even take decades to complete. Considering the case of the now deprecated SHA-1 algorithm, researchers discovered potential vulnerabilities in SHA-1 as early as 2005. However, it took more than a decade for popular web browsers to phase it out, and some organizations are still in the process of replacement. It is important to remember that delayed migrations can expose sensitive data. Even if a commercial quantum computer becomes available 10 years from now, CISOs need to start planning for the migration today to safeguard data, minimize risks, and reduce costs.

Also, it’s not just the complexity of the process but the magnitude of it. According to an estimate by the World Economic Forum, more than 20 billion digital devices will need to be either upgraded or replaced with post-quantum cryptography in the next 10-20 years.

To ensure seamless and secure migration to PQC, CISOs need to lead with a clear roadmap. Here are some steps to consider:

• Risk Assessment: Create an inventory of all cryptographic assets, such as digital certificates, keys, and crypto libraries and the data they are protecting. This inventory will serve as the basis for scoping the impact of transitioning to PQC and identifying high-risk instances.
• Migration Planning: Prioritize critical systems and data assets for migration based on their risk profile and sensitivity. Test and evaluate suitable PQC algorithms based on business use cases. Develop a clear process and timeline for migrating to PQC with minimal disruption to existing systems and workflows.
• Crypto-Agility Implementation: Apply the ability to switch from the current algorithms to PQC at scale without disrupting mission-critical operations. Build flexibility into systems to adapt to rapid shifts when quantum becomes mainstream.
• Continuous Monitoring and Adaptation: Stay informed about the progress of NIST’s PQC standardization process and understand recommended migration strategies. Align organizational crypto policies and governance with NIST’s guidance on PQC migration and the World Economic Forum’s Quantum-Secure Transition Framework to structure goals, follow best practices, and minimize risks. Engage with academia and industry partners in quantum computing to keep abreast of the latest developments and glean valuable insights.
• Workforce Training and Education: Invest in training and education for cybersecurity professionals within the organization to promote quantum literacy. Equip them with the knowledge and skills needed to understand quantum technology and the new PQC algorithms to make informed decisions.

4. Compliance Frameworks Will Evolve to Regulate Quantum Applications

The arrival of quantum computing will also redefine the compliance landscape. Data privacy regulatory bodies and standards organizations will likely review current compliance guidelines and frameworks from the quantum lens. Stringent requirements might be laid out around the use of post-quantum cryptography, data governance, third-party vendor engagement, access to quantum hardware, and ethical use of quantum applications. Industries such as finance, healthcare, and government, which handle vast amounts of confidential information, will face heightened scrutiny to strengthen their defenses against quantum threats. Moreover, compliance audits may include assessments of organizations’ readiness to withstand quantum attacks and their adherence to industry-specific regulations in the context of quantum computing. Not foreseeing these changes and not building the processes needed for compliance can have serious financial consequences.

The quantum growth trajectory, as they say, is non-linear and unpredictable. There is no time to brood over the “when” question. The path to achieving crypto-agility and preparing cryptographic systems for quantum computing can be complex and time-consuming for CISOs. But, starting now and taking a proactive and systematic approach can help pivot quickly and build an adaptive cryptographic infrastructure that can evolve with emerging security challenges and requirements.

To learn how AppViewX can help you implement crypto-agility and start preparing today for Post-Quantum Cryptography, visit: https://www.appviewx.com/solutions/crypto-agility-and-post-quantum-cryptography-readiness

*** This is a Security Bloggers Network syndicated blog from Blogs Archive - AppViewX authored by Krupa Patil. Read the original post at: https://www.appviewx.com/blogs/why-cisos-need-to-act-on-quantum-readiness-now/