With many government and private entities investing in quantum computing, the ability to break modern computing protections is fast approaching. Some predict that we’ll reach this milestone (also known as “Q-day”) within the next 10 years. To put the power of quantum computing in perspective, it would take a quantum computer 10 seconds to crack an encryption key that would otherwise have taken a modern computer 300 trillion years to crack. With that in mind, security leaders should assess the risk posed by quantum computing and decide whether and when to take action.
Is there an imminent threat? Quantum computers will be able to break the cryptographic algorithms most commonly relied upon in today’s computing: RSA and elliptic curve cryptography (ECC). This would allow an attacker to effectively decrypt data or forge digital signatures generated using these algorithms. Said differently, an attacker would be able to impersonate entities authenticated using today’s encryption certificates, which are the foundation of virtually all trust in today’s computing. The second threat is “Store Now, Decrypt Later (SNDL)” attacks. It is believed that some state actors have been storing encrypted data in order to decrypt it once the ability to break current algorithms becomes a reality. This attack is exceptionally serious when we consider the ability to decrypt intercepted data sent over the public internet or data that has been exfiltrated in high-profile data breaches in the last few years. SNDL attacks alone are an important argument for not delaying the transition to quantum-secure algorithms.
What to do about it? To address this threat, organizations need to implement quantum-resistant encryption and key exchange algorithms (more below). A precursor to these changes is engaging in “Crypto Agility”, which refers to the capability to seamlessly transition to new cryptographic methods as technology evolves. Core to this capability is maintaining an inventory of encryption within the environment and enabling upgrades of cryptographic algorithms and key management that are transparent to the end user and have no impact on business operations. Crypto Agility also affects processes such as procurement, which must ensure that the technology supply chain maintains quantum resistance.
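A minimal triage over a crypto inventory, as an added example that is not part of the original article: it flags RSA/ECC entries and separates confidentiality uses that are exposed to SNDL today from signature uses and from systems that cannot be upgraded in place. The record fields, labels, name prefixes and sample entries are assumptions of this example; the 10-year default is the Q-day prediction quoted above.

```python
from dataclasses import dataclass

# Public-key families the article names as breakable (RSA and ECC).
# Matching by name prefix is an assumption of this example.
RSA_ECC_PREFIXES = ("RSA", "ECDSA", "ECDH", "ED25519", "X25519")
# Uses that protect confidentiality: traffic captured today can be decrypted later.
CONFIDENTIALITY_USES = {"key-exchange", "encryption"}

@dataclass
class Entry:
    asset: str
    use: str            # "key-exchange", "encryption", "signature" or "symmetric"
    algorithm: str
    secrecy_years: int  # how long the protected data must stay secret
    upgradable: bool    # can the algorithm be swapped without a redesign?

def classify(e: Entry, years_to_q_day: int = 10) -> str:
    """Return a triage label for one inventory entry."""
    if not e.algorithm.upper().startswith(RSA_ECC_PREFIXES):
        return "other"            # not RSA/ECC: assessed separately
    if e.use in CONFIDENTIALITY_USES and e.secrecy_years > years_to_q_day:
        return "sndl-exposed"     # stored now, still sensitive after Q-day
    if not e.upgradable:
        return "agility-gap"      # vulnerable and cannot be swapped in place
    return "migrate-planned"      # vulnerable, but replaceable before Q-day

def triage(inventory, years_to_q_day: int = 10):
    """Return (label, asset) pairs, most urgent first."""
    order = {"sndl-exposed": 0, "agility-gap": 1, "migrate-planned": 2, "other": 3}
    rows = [(classify(e, years_to_q_day), e.asset) for e in inventory]
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))

# Constructed sample inventory (not real systems).
SAMPLE = [
    Entry("vpn-gateway", "key-exchange", "ECDH-P256", 25, True),
    Entry("web-frontend", "key-exchange", "X25519", 1, True),
    Entry("scada-firmware-signing", "signature", "RSA-2048", 0, False),
    Entry("code-signing", "signature", "ECDSA-P256", 0, True),
    Entry("db-at-rest", "symmetric", "AES-256-GCM", 30, True),
]

if __name__ == "__main__":
    for label, asset in triage(SAMPLE):
        print(f"{label:16} {asset}")
```

Signature entries never receive the SNDL label here because a forged signature only becomes possible once the algorithm can actually be broken, whereas recorded key exchanges are at risk from the moment they are captured.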
What are quantum-secure algorithms? Quantum-secure algorithms, also known as post-quantum cryptography (PQC), are cryptographic algorithms designed to resist attacks from both classical and future quantum computers. Several quantum-secure algorithms are available in various stages of maturity and have been proposed as potential alternatives to traditional cryptographic algorithms. These algorithms cover various encryption areas including key exchange, symmetric encryption, public-key encryption and digital signatures.
Should you invest in quantum threat mitigation? This decision depends on a number of factors, including the potential impact of unauthorized access to (decryption of) your data, the sensitivity of your data/IP and the speed with which you’d be able to adopt new encryption standards. Note that the adoption of new cryptographic standards alone may take several years depending on the size and complexity of your organization. For example, a government organization with material external dependencies (certifications, other agencies, budgeting, etc.) and process requirements will need many years to plan and to acquire the capability to perform ongoing crypto inventory, establish governance and perform crypto upgrades on demand. Another example involves long-lifespan hardware or machinery such as cars, airplanes or SCADA systems. Because these systems are expected to be in operation for over a decade with little to no operational disruption, it is essential to equip them with quantum-secure cryptography as soon as possible in preparation for vulnerabilities that could surface a decade from now.
How do I mitigate quantum threats to my data? There are several steps one can take immediately to start risk mitigation. They include developing a post-quantum migration plan; implementing capabilities for maintaining an encryption inventory, crypto agility and crypto governance; and performing assessments of the impact on your applications, infrastructure and any previously compromised data. These steps are further informed by regulatory and compliance updates such as the Quantum Computing Cybersecurity Preparedness Act and the evolving standards and guidance from organizations such as NIST.