Quantum computing may be the most serious cryptographic threat the industry has ever faced, and that is not hyperbole. Once a large enough quantum computer exists, data protected with today's public-key algorithms can be decrypted, including data that was captured years earlier. The transition to quantum-safe algorithms for the post-quantum cryptography (PQC) era will be neither simple nor quick. There is no question that the time to start preparing for quantum resilience is now.
Quantum computing threatens today's public-key algorithms not because quantum computers are simply faster, but because they can run algorithms that have no efficient classical equivalent. RSA depends on the difficulty of factoring large integers; ECC and Diffie-Hellman depend on the difficulty of the discrete logarithm problem. On classical hardware the best known attacks against well-chosen key sizes are estimated to take millions of years. Shor's algorithm, published in 1994, solves both problems in polynomial time on a sufficiently large, error-corrected quantum computer, which leaves RSA and ECC at any practical key size with no security margin at all. Symmetric ciphers and hash functions are affected far less: Grover's algorithm at best halves the effective key length, so AES-256 and SHA-256 remain adequate while AES-128 loses most of its margin.
Progress in the hardware is real. In a test conducted by Google in 2019, its Sycamore processor completed a random circuit sampling task in about 200 seconds that Google estimated would take the fastest supercomputer 10,000 years (IBM later argued a classical machine could do it in days). The newest version of this processor is said to be 241 million times faster. These benchmarks do not, however, translate into breaking RSA or ECC: they are contrived tasks chosen to be hard for classical computers, and running Shor's algorithm against a 2048-bit RSA key is estimated to require hundreds of thousands to millions of noisy physical qubits under fault-tolerant error correction, whereas the largest processors built to date have on the order of a thousand. What exists right now is a credible, well-funded path toward such a machine, and what it would break is the technology used to protect virtually all sensitive data outside military and other classified environments.
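To make concrete why the problem is algorithmic rather than raw speed, here is an added example, not part of the original article: a Python simulation of the classical half of Shor's algorithm applied to a toy RSA key. The modulus, exponent and message values are constructed for illustration. The order-finding step is brute-forced, which is precisely the exponential-time step a quantum computer would replace with polynomial-time period finding; everything else a cryptographically relevant quantum computer would do is ordinary number theory.

```python
"""Factoring reduces to order finding: the classical half of Shor's algorithm.

Added example, not from the original article. Shor's quantum algorithm
finds the multiplicative order r of a base a modulo N in polynomial time;
everything else is classical number theory, shown here on toy moduli.
The brute-force order search below is the step that is exponential on a
classical computer and that a large enough quantum computer makes cheap.
"""
from math import gcd
from typing import Optional


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1 (requires gcd(a, n) == 1).
    Brute force: up to n steps, i.e. exponential in the bit length of n.
    This is the only step Shor's algorithm runs on quantum hardware."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n: int, a: int) -> Optional[int]:
    """Classical post-processing: turn the order of a mod n into a factor.
    Returns None when the base a is unlucky (odd order, or a**(r/2) == -1
    mod n), in which case the caller tries a different base."""
    g = gcd(a, n)
    if g != 1:
        return g  # a already shares a factor with n: no order finding needed
    r = multiplicative_order(a, n)
    if r % 2:
        return None
    half = pow(a, r // 2, n)  # a**(r/2) is a square root of 1 mod n
    if half == n - 1:
        return None  # the trivial root -1 yields only trivial factors
    for f in (gcd(half - 1, n), gcd(half + 1, n)):
        if 1 < f < n:
            return f
    return None


def factor_with_shor(n: int) -> int:
    """Return a non-trivial factor of the composite n, trying bases in order."""
    for a in range(2, n):
        f = factor_from_order(n, a)
        if f is not None:
            return f
    raise ValueError(f"{n} has no non-trivial factor (is it prime?)")


def break_toy_rsa(n: int, e: int) -> int:
    """Recover the RSA private exponent d from the public key (n, e) alone:
    factor n, compute phi(n), invert e. This is what a cryptographically
    relevant quantum computer would do to a 2048-bit modulus."""
    p = factor_with_shor(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


if __name__ == "__main__":
    # Constructed toy key pair: p=61, q=53, e=17 (far too small to be real).
    n, e = 3233, 17
    ciphertext = pow(65, e, n)            # encrypt the message 65 with the public key
    d = break_toy_rsa(n, e)               # attacker only sees (n, e)
    print(f"recovered d={d}, decrypted={pow(ciphertext, d, n)}")
```

Replacing `multiplicative_order` with a quantum period-finding circuit is the entire difference between this toy and a real attack; nothing about the RSA key size changes the rest of the procedure.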
While it is unlikely that quantum computers of that scale are currently in the hands of cybercriminals or hostile nation-states, they will be. Several global powers, China among them, are investing heavily in the race to build one. In anticipation, bad actors are already pursuing a “harvest now, decrypt later” strategy: they capture sensitive traffic and stored data that is protected today with RSA and ECC (or with symmetric session keys that were exchanged using them), expecting to decrypt it once a cryptographically relevant quantum computer exists. Any data that must remain confidential beyond that point is exposed now, whatever the state of the hardware today.
McKinsey estimates that 5,000 quantum computers will be operational by 2030. Not all of them will be capable of running Shor's algorithm at cryptographic scale, but the estimate suggests that quantum-enabled attacks could become a reality within roughly five years of this writing, and given the resources available to state-sponsored organizations, that day might come sooner.
The U.S. government isn't waiting. The National Institute of Standards and Technology (NIST) opened its PQC standardization process in 2016 with a public call for candidate algorithms. The first selections were announced in July 2022 and published as draft standards in August 2023. Two of the selected algorithms belong to the Cryptographic Suite for Algebraic Lattices (CRYSTALS): CRYSTALS-Kyber for key encapsulation (general encryption) and CRYSTALS-Dilithium for digital signatures. Two other signature algorithms were also selected, the hash-based SPHINCS+ and the lattice-based FALCON.
NIST published the final standards in August 2024: FIPS 203 (ML-KEM, derived from Kyber), FIPS 204 (ML-DSA, from Dilithium) and FIPS 205 (SLH-DSA, from SPHINCS+); FALCON is being standardized separately as FN-DSA. The existence of standardized PQC solutions puts even more pressure on CISOs to migrate beyond the RSA and ECC technologies now in place. Preparing against this threat is no simple matter. It takes time.
The history of SHA-1 is a good example of how slow and complex migrating from one established cryptographic technology to another can be. Serious vulnerabilities in SHA-1 were published in 2005, when Wang, Yin and Yu showed a collision attack far faster than brute force, and academic improvements soon followed. NIST formally deprecated SHA-1 for digital signature generation in 2011. Yet ten years after the first attack, SHA-1 certificates were still so widespread that the Mozilla Foundation, like the other major browser vendors, had to warn developers publicly and phase out SHA-1 certificates by policy. The first practical collision, SHAttered, was demonstrated in 2017, twelve years after the weakness was known. There is no reason to think that abandoning RSA and ECC, which are embedded far more deeply in protocols, hardware and PKI than any hash function, will be any easier.
Quantum computing will not only redefine the threat landscape; it will redefine the regulatory landscape as well. Current guidelines will be revised to account for quantum-enabled attacks, and audits will include assessments of an organization's preparedness to defend against them. In the United States this has already begun: National Security Memorandum 10 (2022) directs federal agencies to inventory their cryptography and plan their migration, and the NSA's Commercial National Security Algorithm Suite 2.0 sets a PQC timeline for national security systems.
Financial, healthcare and government organizations will face heightened scrutiny due to the sensitive nature of the data they handle, but CISOs in every sector will need to be proactive. This is important not only for compliance but also because of the new risks that will emerge.
To protect their organizations, CISOs should consider implementing the following steps as soon as possible:
● Risk Assessment: Build a cryptographic inventory. Identify and catalog the assets most exposed to quantum attack, including digital certificates, keys, and the protocols and libraries that use them, along with the data, machines, applications and services they protect. Record for each asset the algorithm and key size, who controls it (your own PKI, a vendor, a cloud provider) and how long the data it protects must remain confidential. This inventory defines the scope, impact and cost of migration to PQC.
● Migration Planning: Prioritize systems, applications, services and data assets for migration based on their risk profile. Data with a long confidentiality lifetime comes first, because it is exposed to harvest-now-decrypt-later collection today; this includes systems that handle PII and other data subject to regulatory compliance, but long-lived intellectual property may matter just as much. Evaluate and test the PQC algorithms against actual business use cases: ML-KEM-768 public keys are about 1.2 KB and ML-DSA-65 signatures about 3.3 KB, against 32-byte X25519 keys and 64-byte Ed25519 signatures, which can break assumptions about packet sizes, certificate chains and hardware tokens. The result of this step is a well-defined process for the migration to PQC with minimal business disruption, along with a realistic timeline.
● Crypto-Agility: One overarching goal of the migration is crypto-agility: a security process and supporting technologies that allow cryptographic algorithms, key exchange protocols and key sizes to be replaced quickly, ideally by configuration rather than code changes, to address emerging security threats and business requirements. Hybrid modes that combine a classical and a PQC algorithm (for example, X25519 with ML-KEM in TLS) are a common first step, since they preserve today's security guarantees while the new algorithms mature in deployment.
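The three steps above come together in a cryptographic inventory with a prioritization rule. The following Python script is an added example, not code from the original article or from any vendor. It loads a constructed inventory (the asset names, algorithms, shelf lives and migration estimates are invented for illustration), classifies each algorithm's quantum exposure, and applies Mosca's inequality: when shelf life plus migration time exceeds the years until a cryptographically relevant quantum computer, the asset is already at risk from harvest-now-decrypt-later collection. The `years_to_crqc` parameter is a planning assumption, set here to 6 to match a 2030 horizon.

```python
"""Cryptographic inventory and Mosca-style migration prioritization.

Added example, not from the original article. Inventory rows, asset names
and year estimates are constructed for illustration. Each asset is
classified by quantum exposure and scored with Mosca's inequality:

    shelf_life + migration_time > years_until_crqc  =>  already at risk

because data captured today would still matter when it becomes decryptable.
"""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List

# Constructed sample inventory: one row per certificate, key or protocol config.
SAMPLE_INVENTORY = """\
asset,algorithm,key_bits,protects,shelf_life_years,migration_years
vpn-gateway-tls,ECDHE-P256,256,employee records (PII),10,3
backup-archive-kms,AES-256,256,encrypted backups,7,1
code-signing-ca,RSA,3072,firmware signatures,15,4
public-web-tls,X25519MLKEM768,768,marketing site sessions,0.1,0.5
legacy-hsm-sign,RSA,2048,payment authorizations,1,2
ip-vault-wrap,AES-128,128,chip design files,20,2
"""

QUANTUM_BROKEN = ("RSA", "ECDSA", "ECDH", "X25519", "ED25519", "DH", "DSA")
PQ_APPROVED = ("ML-KEM", "MLKEM", "ML-DSA", "MLDSA", "SLH-DSA", "FN-DSA")


def classify(algorithm: str, key_bits: int) -> str:
    """Map an algorithm name to its quantum exposure class. Hybrids are
    checked first: any PQ component makes the exchange quantum-safe."""
    alg = algorithm.upper()
    if any(p in alg for p in PQ_APPROVED):
        return "quantum-safe"
    if any(alg.startswith(b) for b in QUANTUM_BROKEN):
        return "broken-by-shor"  # public-key: Shor applies at every key size
    if alg.startswith(("AES", "CHACHA", "SHA")):
        # Grover halves the effective key length: 128-bit keys become ~64-bit
        return "weakened-by-grover" if key_bits < 256 else "quantum-safe"
    return "unknown"  # treat as must-investigate, not as safe


@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    protects: str
    shelf_life_years: float  # how long the protected data must stay secret
    migration_years: float   # estimated time to move this asset to PQC
    exposure: str = ""
    margin: float = 0.0      # Mosca margin: positive means already at risk


def load_inventory(csv_text: str) -> List[Asset]:
    rows = csv.DictReader(StringIO(csv_text))
    return [Asset(r["asset"], r["algorithm"], int(r["key_bits"]), r["protects"],
                  float(r["shelf_life_years"]), float(r["migration_years"]))
            for r in rows]


def at_risk(a: Asset) -> bool:
    """Mosca's inequality, ignored for assets that are already quantum-safe."""
    return a.exposure != "quantum-safe" and a.margin > 0


def prioritize(csv_text: str, years_to_crqc: float) -> List[Asset]:
    """Annotate each asset and sort: at-risk first, then worst exposure
    class, then largest margin. years_to_crqc is a planning assumption."""
    assets = load_inventory(csv_text)
    rank = {"broken-by-shor": 2, "unknown": 2, "weakened-by-grover": 1, "quantum-safe": 0}
    for a in assets:
        a.exposure = classify(a.algorithm, a.key_bits)
        a.margin = a.shelf_life_years + a.migration_years - years_to_crqc
    return sorted(assets, key=lambda a: (at_risk(a), rank[a.exposure], a.margin),
                  reverse=True)


if __name__ == "__main__":
    for a in prioritize(SAMPLE_INVENTORY, years_to_crqc=6):
        flag = "AT RISK" if at_risk(a) else "ok"
        print(f"{flag:8} {a.name:20} {a.algorithm:16} {a.exposure:19} margin={a.margin:+.1f}y")
```

The `margin` column is what drives the conversation with the business: a positive value means the confidentiality promise on that data cannot be kept even if migration starts today, so the only remaining levers are shortening the migration or reducing the shelf life (for example by re-encrypting or deleting old data). Note that the AES-128 vault ranks below the public-key assets despite its 20-year shelf life, because Grover's quadratic speedup is a far smaller threat than Shor's.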
For years, quantum computing has been portrayed as a futuristic possibility. Now the hardware is advancing steadily and adversaries are already collecting ciphertext against the day it arrives. Fortunately, quantum-resistant algorithms exist and the standards are settled enough to plan against. But, as experience with SHA-1 has shown, replacing cryptographic infrastructure is complex and time-consuming. CISOs must take the first steps now.