Quantum computers, in contrast to the classical computers we are all familiar with, leverage the principles of quantum mechanics to perform computations. While they hold tremendous potential for solving certain problems exponentially faster, they also threaten the core foundations of our digital security. As we usher in an era of unprecedented computational power and speed, the traditional cryptographic protocols that have safeguarded our sensitive information for decades are now under siege.
But fear not: there are tangible steps IT leaders can take to protect their organizations, according to Atsushi Yamada, CEO of ISARA, a security solutions company based in Ontario, Canada. ISARA's mission is to create a crypto-agile and quantum-safe world where the possibilities and benefits of quantum computing are realized without giving up digital trust and privacy. Here he shares a bit of his best thinking as we head into this very unknown unknown.
What do CIOs and CISOs need to know about quantum computing’s impacts to security and IT?
Quantum computers have the potential to break current cryptographic algorithms, compromising the confidentiality and integrity of sensitive data. All industries and government sectors that rely on cryptography to protect sensitive data, secure communications, or manage transactions will be impacted.
Today, classical cryptographic algorithms are used almost everywhere, and post-quantum cryptographic algorithms are still being standardized. Eventually, the classical algorithms that we rely on today will be obsolete.
IT networks typically use cryptographic mechanisms to ensure that only designated personnel can access network resources. After all, you can’t let just anyone go read or modify data, change system configurations, and so on. This authentication uses quantum-vulnerable cryptography—meaning your valuable data is at risk from attacks using quantum computers.
In some cases, attacks against a single resource or asset can cause widespread damage, disrupt business operations, and be difficult and expensive to remediate. An example here could be an attack against the root of trust in a public key infrastructure. If the root certificate authority’s private key is compromised, then there can suddenly be a complete breakdown of trust throughout the PKI.
There are numerous other examples I could also give, such as forging of credentials, fabricating authentic-looking documents, or decrypting sensitive and private communications. This is why it is so important for organizations to compile an inventory of their cryptography now. Where are you using it? How are you using it? Is it vulnerable? What happens if it is successfully attacked?
The good news is that an industry-wide effort has been underway since 2016 to develop and standardize cryptographic algorithms that will replace current quantum-vulnerable standards. This effort has included researchers, standards organizations, industry stakeholders, government entities and policymakers. The initial selected cryptographic algorithms are currently going through the final phases of the standardization process and are expected to be published sometime in 2024.
Why is it important for organizations to embrace post-quantum cryptography now?
I see four primary reasons why embracing post-quantum cryptography now is critical: to protect data, reduce risks, control costs, and create or maintain competitive advantages.
The migration to post-quantum cryptography will be a complex and time-consuming process requiring thorough testing and evaluation before implementations can be done. By starting now, the migration can be better planned, costs can be controlled, and errors can be kept to a minimum. A rushed migration can be error-prone and costly.
Because we can’t predict exactly when a quantum computer large enough to break currently used cryptography will emerge—reasonable estimates are in the 10–15-year range, but it could be less—the risk-averse approach is to ensure your organization is protected as soon as possible.
Delaying the migration leaves organizations vulnerable to potential attacks. In some cases, threat actors may already have your encrypted data and are waiting until they have the quantum capabilities to decrypt it. If you’re manufacturing devices or equipment that are expected to be operational for a long time, then you need to make sure they are quantum-safe before they go into the field. This means including post-quantum cryptography in the development plans now.
Eventually, using standardized post-quantum cryptography will be a requirement. Your customers will demand it, regulation will likely require it, and it will just make good sense from a business operations perspective. We have seen how costly business disruptions from cyberattacks can be, and this seems like a threat we can work to avoid. Organizations that are quantum-safe will have clear advantages over those who are not.
What does a migration to post-quantum cryptography entail?
Just think about the enormity of cryptographic migrations in the past. We often talk about the parallels to the migration from the SHA-1 to the SHA-2 hash functions or from the Triple-DES to the AES encryption algorithm, specifically that the migrations took decades and in some cases are still ongoing. The reality is the post-quantum cryptography migration is even more intricate and complex.
While I can’t give you a complete answer here about how to do a migration, I will give you some highlights. The migration to post-quantum cryptography involves a comprehensive and phased approach to replace existing cryptographic algorithms with quantum-resistant alternatives. This means updates to software libraries, protocol standards, network infrastructure and other components to support the use of quantum-resistant algorithms.
Organizations must first conduct a thorough risk assessment—I like to call this an inventory—of their cryptography to evaluate the potential impact of quantum computing on their systems and infrastructure. This will help identify and prioritize the systems, applications, and data that are most critical and vulnerable.
Organizations must then select suitable post-quantum replacements. This process involves evaluating different quantum-resistant algorithms based on their security, performance, interoperability, and suitability for specific use cases. It is critical to consider factors such as algorithm maturity, ongoing research, standardization efforts, and the requirements of your customers or suppliers.
Once the proofs of concept have been completed, the solutions identified, and the plans made, the next step is to start implementing the migration plans. It can also involve acquiring new assets such as cryptographic libraries, digital certificates, hardware security modules or other pieces of software and hardware. Continual testing is required throughout the process to ensure things are going properly and as expected, and the migration plans should be adjusted or updated as necessary.
How can organizations kickstart their post-quantum cryptography migrations?
It starts at the top. The migration to post-quantum cryptography involves critical decisions around technology, budget and resource allocation, and governance. That’s why it’s important to take things one step at a time. I recommend taking a phased, iterative approach as organizations evolve their infrastructures and environments. This will help ensure that you can assess changes, mitigate risks, and minimize errors and costs.
Start by gathering the stakeholders for strategic alignment, decision-making, risk management, communication and stakeholder engagement. Bringing together the organization’s leaders ensures that everyone is on the same page regarding the significance and impact of post-quantum cryptography. It allows for a shared understanding of the need for migration and the strategic goals behind it.
By aligning stakeholders and appointing a person or a team to lead the migration efforts, organizations can develop a unified approach and vision and get their migration roadmaps in order.
Taking steps to embrace the post-quantum migration now provides organizations with the necessary lead time to do the testing, conduct proofs of concept, gain the required expertise, train staff, and smoothly transition from quantum-vulnerable to quantum-safe.