The threat posed by quantum computing is no longer a distant concern but an imminent reality. Experts believe so-called ‘Q-Day’, the point at which quantum computers will be able to break existing encryption algorithms, could be just a few years away.
The power of quantum computing offers huge social and economic benefits, as highlighted in the UK government’s National Quantum Strategy, published in November 2023. However, the strategy emphasized that the technology’s potential to undermine current cryptography used to secure internet data is a national security challenge that must be overcome to realise this potential.
“It's fair to say that the threat is real, it could break the internet,” Rob Clyde, Board Director at ISACA, told Infosecurity.
The implications of attackers being able to break current public key cryptography (PKC) algorithms, which provide secure sessions on browsers, secure transactions and digital signatures, are manifold, he explained.
“It means you have the double threat of attackers being able to spy on data and inject signatures into the process,” noted Clyde.
In addition, experts believe that threat actors are already leveraging quantum by undertaking ‘harvest now, decrypt later’ attacks.
It is crucial that organizations are aware of the data security implications of advances in quantum computing and know how to mitigate this looming danger.
Initiatives to Create Quantum-Secure Cryptography
Governments and the tech industry are currently engaged in efforts to facilitate the migration towards post-quantum cryptography (PQC), aiming to have these encryption protocols rolled out widely before Q-Day strikes.
This will be a massive undertaking, given the scale of the internet and how heavily everything relies on it.
“The threat that quantum computers pose to current PKC standards is global and not something that any one organization can tackle on their own,” commented Marc Manzano, General Manager of Quantum Security at SandboxAQ.
One of the most significant initiatives is the US National Institute of Standards and Technology’s (NIST) publication of draft PQC standards in August 2023. The draft documents outline three Federal Information Processing Standards (FIPS) and incorporate the four encryption algorithms NIST had previously selected to form its PQC standard.
The encryption algorithms selected include:
- CRYSTALS-Kyber, chosen for general encryption (used for access to secure websites)
- CRYSTALS-Dilithium, FALCON and SPHINCS+, selected for digital signatures
It is expected that the standards will become the global benchmark for quantum-resistant cybersecurity across the world in 2024.
Clyde said that once these draft standards become official, open-source and proprietary software will begin implementing the algorithms rapidly.
He added that SSL certificates for websites will be quickly updated with the new algorithms.
The UK’s National Cyber Security Centre (NCSC) guidelines set out how organizations can migrate their systems to PQC based on the NIST standards.
Several industry-led entities focused on driving PQC awareness and adoption have also been created. These include the PQC Coalition, a body that aims to bring together industry, academia and governments.
Manzano explained: “As of now [the coalition] has four dedicated workstreams focused on advancing standardization efforts, education, implementation and modernization of cryptography management, respectively.”
How Can Organizations Prepare for PQC Migration?
NIST and other entities involved in this space have worked to standardize security and interoperability for the new PQC algorithms and concepts. Nevertheless, Philip George, Executive Technical Strategist at Merlin Cyber, noted that even small-scale cryptographic transitions have proven to be complex undertakings to plan and execute.
“The migration to PQC will be the largest cryptographic migration in the history of computing, so the potential for the loss of availability for affected systems remains high,” he outlined.
Much of the migration will be completed automatically, for example in browsers. However, Clyde said that organizations implementing software must ensure they have a process for picking up the new algorithms as they come through.
1. Be Familiar With Guidance
The first step organizations should take is to educate themselves on the guidance offered by the entities involved in the development of quantum-secure cryptography. For example, George advised referencing the CISA/NSA Quantum-Readiness factsheet, which recommends organizations pull together key representatives across their risk management program to establish a quantum readiness project team.
2. Build a Cryptographic Inventory
Another crucial action that should be taken now is to build a cryptographic inventory. This requires identifying every instance of cryptographic assets within the IT infrastructure, whether embedded in applications, filesystems or elsewhere.
Manzano noted: “This will enable compliance and governance teams to control what cryptography is being used while, at the same time, offer remediation alternatives for the identified vulnerabilities present in the systems.”
George emphasized that this inventory of cryptographic dependencies should include organizations’ supply chains.
3. Understand Your Enterprise
In addition, understanding which cryptographic systems are in use across an enterprise’s estate will help address the very live threat of harvest now, decrypt later attacks. Clyde noted that quantum computers will struggle to decrypt certain types of symmetric encryption algorithms currently available, particularly AES-256.
“There’s no need to wait on this, look for reencryption programs that will quickly move you into quantum-resistant symmetric algorithms such as AES 256,” advised Clyde.
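An added example (not code from the article or from any of the organizations quoted) that puts steps 2 and 3 together: it triages a constructed cryptographic inventory, separating public-key algorithms that Shor’s algorithm breaks outright from symmetric ciphers that Grover’s algorithm only weakens, and flags records whose data must stay confidential beyond an assumed five-year Q-Day horizon as harvest now, decrypt later priorities. The horizon, the system names and the risk labels are assumptions.

```python
from dataclasses import dataclass

QDAY_HORIZON_YEARS = 5  # assumed years until a cryptographically relevant quantum computer
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}  # public-key algorithms broken by Shor
PQC_SAFE = {"CRYSTALS-KYBER", "CRYSTALS-DILITHIUM", "FALCON", "SPHINCS+"}  # NIST selections
SYMMETRIC = {"AES", "CHACHA20", "3DES"}  # Grover halves strength: 256-bit keys keep ~128 bits

@dataclass
class Asset:
    system: str              # where the cryptography is used
    algorithm: str           # e.g. "RSA", "AES"
    key_bits: int            # key length (parameter-set number for PQC names)
    purpose: str             # "encrypt" or "sign"
    confidential_years: int  # how long the protected data must stay secret

def classify(asset: Asset) -> tuple[str, bool]:
    """Return (risk category, harvest-now-decrypt-later priority flag)."""
    alg = asset.algorithm.upper()
    # Only encrypted data that must stay secret past Q-Day is an HNDL target;
    # signatures can be re-issued, so recorded traffic is not retroactively at risk.
    hndl = asset.purpose == "encrypt" and asset.confidential_years > QDAY_HORIZON_YEARS
    if alg in PQC_SAFE:
        return "quantum-resistant", False
    if alg in SHOR_BROKEN:
        return "replace-with-pqc", hndl
    if alg in SYMMETRIC:
        if asset.key_bits >= 256:
            return "quantum-resistant", False
        return "upgrade-to-256-bit-key", hndl
    return "unknown-review", hndl

def triage(assets: list[Asset]) -> list[dict]:
    """Classify every asset; HNDL-priority items sort to the top of the report."""
    rows = []
    for a in assets:
        category, hndl = classify(a)
        rows.append({"system": a.system, "algorithm": f"{a.algorithm}-{a.key_bits}",
                     "category": category, "hndl_priority": hndl})
    return sorted(rows, key=lambda r: (not r["hndl_priority"], r["system"]))

# Constructed sample inventory; the system names are hypothetical.
SAMPLE_INVENTORY = [
    Asset("web-tls", "RSA", 2048, "encrypt", 1),
    Asset("code-signing", "ECDSA", 256, "sign", 10),
    Asset("hr-archive", "AES", 128, "encrypt", 25),
    Asset("backup-vault", "AES", 256, "encrypt", 25),
    Asset("vpn-kex", "ECDH", 256, "encrypt", 7),
    Asset("pilot-kem", "CRYSTALS-Kyber", 768, "encrypt", 10),
]
```

Running `triage(SAMPLE_INVENTORY)` lists the AES-128 archive and the ECDH VPN key exchange first, since both protect data that outlives the assumed horizon.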
4. Incorporate Cryptographic Agility
Following the inventory and discovery process, organizations need to incorporate cryptographic agility into targeted assets and systems. Manzano noted that organizations that require high-speed, low-latency operations, such as financial institutions and telecommunications providers, may have concerns about the impact PQC algorithms will have on network performance, operations, cost and the user experience.
“Being able to conduct accurate benchmarking can give these organizations deeper insights into which algorithms offer the best balance of performance and security, enabling them to make informed business decisions and solidify their corporate cryptographic policies,” he said.
George added that taking these steps now will reduce the time and effort to shift from one cryptographic standard to another and introduce new standards seamlessly.
5. Don’t Be Caught Off Guard
There will be a lot of announcements to come regarding quantum computing – both in terms of the threat posed by this technology and the initiatives to protect against such dangers.
Clyde said it is vital all organizations keep a close eye on updates from tech firms involved in this space, such as IBM and Google. In particular, organizations should take note when these firms state they are close to building a quantum computer that can break existing encryption algorithms.
“Pay attention to the makers of quantum computing so you’re not caught off guard when a sudden breakthrough occurs,” Clyde said.
He noted that this is what happened with AI, where many people were taken by surprise by the launch of OpenAI’s ChatGPT generative AI tool in November 2022.