On the not-too-distant horizon are quantum computers. They will be capable of so much, including the ability to break the cryptography underlying public key infrastructure (PKI). This creates an unprecedented problem for the encryption and authentication that enterprises put their trust in today. To prepare for the future, organizations must take a proactive posture to protect their data and systems. Collectively, we want to realize all benefits of quantum without compromising the security of our data and systems.
The US National Institute for Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) has already put in place several practices “…to ease the migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks,” according to its latest update.1
Cryptography is the foundation of digital trust; a threat to cryptography is a serious threat to the roots of this digital trust. In today's increasingly connected ecosystem, broken cryptography can result in unauthorized access to sensitive information, lack of control over connected devices and, potentially, pose great dangers.
Cryptography is the foundation of digital trust; a threat to cryptography is a serious threat to the roots of this digital trust.
Consider cars, airplanes, satellites and energy grids. These durable, critical devices are highly vulnerable to attack, as they have long in-field lives. They will require software updates and updated certificates to understand modern cryptography. Imagine a state-sponsored attack hacking a satellite system and tricking it into accepting its own malicious code instead of the authentic update. Long-life devices need to be agile and capable of handling whatever cryptographic changes come their way. In a nutshell, security measures need to be future-proofed.
Where are organizations most vulnerable today? Typically, it is knowing what is at risk and knowing where risk areas are lurking. When it comes to quantum preparedness, a good first step is for organizations to inventory their systems and locate and identify where their cryptography is deployed.
NIST,2 the American National Standards Institute (ANSI) and other industry experts are estimating that quantum technology will be capable of breaking current cryptography by 2030. Others speculate that timing for quantum will hit even earlier, “In a little more than 5 years,” warns Arvind Krishna, director of IBM Research. In a recent article, he stated, “Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now.”3
Here are a few questions to determine quantum preparedness urgency:
- For how many years does the device need to be secured?
- How long does the information need to remain confidential?
If the answer to either question is 7 or more years—think jet engines, pacemakers, cars—start preparing today. Bridging the gap between current and quantum-safe security will require a new, seamless approach. Many organizations are looking to adopt a crypto-agile posture without affecting existing systems, adherence to standards and end users.
If your organization manages a device that requires mission-critical security, including PKI and digital certificates, hardware security modules (HSMs) or physically embedded roots of trust, start preparing today.
“It is critical to begin planning for the replacement of hardware, software and services that use public-key algorithms now, so that the information is protected from future attacks,” NIST urges.4
These segments, for example, have high-stakes security requirements:
- Critical infrastructure, including energy and satellites
- Military
- Automotive industry
- Airline industry
- Financial services
Because of the real risk imposed by quantum computing—and despite the uncertain arrival time—many chief information security officers (CISOs) and chief information officers (CIOs) have tasked their IS/IT or cryptography teams with investigating the threat and recommending a mitigation strategy.
Here are 6 steps organizations can take to start readying their IT ecosystems for quantum:
- Research—Conduct your own research to determine how large-scale quantum computing will impact public-key cryptography and how it will impact your business.
- Catalog—Perform an archaeological expedition to understand where cryptography is located and how it is used in your organization.
- Prioritize—Identify and prioritize high-value assets for migration.
- Strategize—Collaborate with your internal team to build a strategy and create a migration plan.
- Partner—Look for tools and partners. Share your needs with key vendors to ensure that their road map aligns.
- Plan—Planning your attack will take time, but preparing early will help mitigate risk.
Organizations will likely perform a gradual migration and start by upgrading their most critical, at-risk assets in phases. They should be looking for full backward compatibility. The ISARA Catalyst Agile Digital Certificate Technology is an example of a crypto agility methodology for creating an enhanced X.509 digital certificate that simultaneously contains 2 sets of cryptographic subject public keys and issuer signatures. Enhanced X.509 certificates are compliant with industry standards and, if incorporated, will enable organizations to meet compliance.
Researchers with Deloitte’s Center for Government Insights advocate that organizations take action now to prepare for quantum. “There are real dangers to inaction…waiting around for quantum tech to mature could mean organizational change occurs too late.”5
Paul Lucier
Is vice president of sales, business development and marketing at ISARA. He partners with CIOs, CISOs, military leadership and problem solvers to introduce technology solutions that drive positive change. He has spent more than 20 years in information and communications technology (ICT) opening new global markets, streamlining operations, managing teams and directing sales and business development growth with successful sales in the US federal government, specifically the US Department of Defense. Lucier played a crucial role in leading global growth in his more than 14 years at BlackBerry through partnerships with US federal, state, local public sector, government and Fortune 1000 enterprises. He supervised successful new market launches in North America and across Africa, Europe, the Middle East and, Russia.
Endnotes
1 National Cybersecurity Center of Excellence, “Crypto Agility: Considerations for Migrating to Post-Quantum Cryptographic Algorithms,” National Institute for Standards and Technology (NIST), USA, 2020
2 Chen, L.; S. Jordan; Y. K. Liu; D. Moody; R. Peralta; R. Perlner; D. Smith-Tone; Report on Post-Quantum Cryptography, National Institute of Standards and Technology Internal Report 8105, USA, April 2016
3 Foremski, T.; “IBM Warns of Instant Breaking of Encryption by Quantum Computers: 'Move Your Data Today,'” ZDNet, 18 May 2018
4 Op cit Chen et al.
5 Routh, A.; J. Mariani; A. Keyal; S. Buchholz; “Preparing for the Coming Quantum World (Pragmatically),” Nextgov, 12 June 2020