COMMENTARY: The development of quantum computers has progressed steadily. Governments around the world have committed billions of dollars to invest in the development of quantum computers. Many of the world’s largest technology companies are leading the effort and continue to announce incremental improvements and innovations.
While this is an exciting time, it also means organizations must prioritize new security efforts. It’s time to make post-quantum readiness a top concern. While almost half of organizations haven’t begun to take action or even consider how to prepare for the impact of quantum computing, recent guidance from trusted organizations has taken shape that will influence and guide how security teams approach post-quantum cryptography.
In August 2023, the National Institute of Standards and Technology's (NIST) post-quantum draft standards served as the starting whistle for teams to begin the race to quantum-safe deployments. Shortly thereafter, the House Committee on Space, Science and Technology approved amendments to the National Quantum Initiative Act reauthorization that set national scientific, economic and security priorities for quantum technology for the next five years.
Following these efforts, the launch of a new tech consortium committed to driving the adoption of post-quantum cryptography demonstrated that major tech companies understand the importance of this preparation and will begin the push for all other organizations to follow in their footsteps. We can also expect ratified standards coming out this summer that will continue to further quantum safety.
Companies must consider post-quantum preparedness a priority today to avoid the inevitable threats coming with quantum computing, such as cybercriminals infiltrating their systems and stealing sensitive company information. We cannot overstate the impact of quantum threats, and it’s up to today’s leaders to prepare for tomorrow’s evolving risks.
The impact of quantum threats
Within the decade we expect to see quantum computers that break the cryptography we universally use for data and IT infrastructure protection, known as public key encryption. In fact, McKinsey estimates that by 2030, we’ll see up to 5,000 quantum computers in operation.
All of the connected products that we use daily, from vehicles and consumer goods to health care devices, use classical cryptography and will become vulnerable because their operational lives will span the quantum computing transition. For businesses, this means that any organization with an abundance of data with long-standing value (sometimes 25 or more years) is also particularly susceptible to the quantum threat. This includes critical infrastructures such as finance, healthcare, and government.
Bad actors are already deploying “harvest now, decrypt later” strategies that target sensitive data today so that the data will still be valuable when they can finally access it with quantum attacks. At this point, most experts agree that it’s a matter of when, not if, the industry will develop a scaled quantum computer that will threaten the security of our digital infrastructure.
How to prepare for tomorrow’s threats
While it may seem years away, the transition to post-quantum cybersecurity strategies will not happen overnight, and security teams need to make post-quantum preparedness a priority to ensure all data gets protected.
To ensure the safety of all data and networks, post-quantum preparedness requires comprehensive updates to existing IT systems to transition to new cryptographic algorithms. In the past, IT professionals have had to navigate cryptographic changes like moves from RSA to ECC, and SHA-1 to SHA-2, but the transition to post-quantum cryptography will present many new challenges.
There are five steps security leaders can take within their organizations today to prepare for post-quantum threats:
- Take inventory: Know what cryptographic assets and algorithms the company has and where they reside.
- Prioritize: Migrate the most valuable data with the longest shelf life to post-quantum cryptography first.
- Manage: Support the organization’s ability to manage its cryptographic assets in an automated way.
- Test: Start prototyping with NIST’s quantum-resistant algorithm options. Some security vendors are offering access to post-quantum cryptography in their platforms. Organizations should use this early access to test quantum-resistant algorithms in lab or non-production systems.
- Plan: Build a post-quantum cryptography strategy with vendors and make a road map for the company’s migration. Post-quantum readiness relies heavily on whether or not the organization’s IT vendors are doing a good job at post-quantum implementation. Delays or poor planning on database, buffer, system, memory, or support updates, for example, will impact the software the company relies on.
All IT systems will need to transition to these new cryptographic algorithms to ensure the safety of their data and networks. The recent uptick in government guidance creates a blueprint for businesses to navigate rising challenges and security threats brought on by quantum computing, and it’s up to security leaders to ensure their organization can follow and comply with the recommendations.
Moving forward, it’s vital that IT leaders stay up to date with industry developments and government initiatives, like the new NIST standards, and engage with vendors that are building quantum readiness into their products.
Right now, there’s time to prepare, but we have to get going before quantum development continues to accelerate in the years ahead. By preparing today, leaders will put their businesses into a secure position as we head into the quantum computing era.
Greg Wetmore, vice president of software development, Entrust
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.