The Quantum Threat and the Urgency of Action
The world of technology is on the cusp of a revolutionary transformation, driven by the rapid advancements in quantum computing. These powerful machines promise to tackle complex problems that are out of reach for today’s high-performance computers, opening up new frontiers in fields such as materials science, drug discovery, and artificial intelligence. However, this technological breakthrough also poses a significant threat to the cybersecurity landscape as we know it.
Fully error-corrected quantum computers, which experts estimate could be available as soon as 2030, will possess the capability to easily break the commonly used asymmetric encryption protocols, such as RSA and elliptic curve algorithms. These protocols form the foundation of securing vast amounts of sensitive data, critical systems, and flagship products across various industries. The implications are staggering, as quantum computers will be able to decode encrypted messages without the original decryption keys, rendering many of our current security measures ineffective.
The post-quantum cryptography (PQC) era has already begun, whether organizations realize it or not. Increasingly connected devices, such as autonomous vehicles, will need to meet high security standards to protect user safety and privacy for their usable lives, which could extend well past 2040 – a time when experts believe error-corrected quantum computers will be widely available. This means that the security of these systems must be future-proofed to withstand the quantum threat, a challenge that requires immediate attention from cybersecurity leaders.
Assessing the Quantum Risk: Timing is Critical
Understanding the value of cybersecurity for an organization is typically the first step in traditional security assessments. When it comes to the quantum threat, the critical question is not just about the value at risk, but also the timing of when to begin mitigation efforts. This is because the precise impact of quantum computing on existing encryption protocols will vary depending on the nature of the data and systems involved.
To determine the appropriate timing for quantum mitigation strategies, organizations should carefully examine two key characteristics of their high-priority assets: data shelf life and system life and development cycles.
Data Shelf Life: Some data produced today, such as classified government information, personal health records, or trade secrets, will still be valuable when the first error-corrected quantum computers become available. This means that any long-term data transferred on public channels now is at risk of interception and future decryption, even if regulations on post-quantum cryptography do not yet exist.
System Life and Development Cycles: Critical physical systems developed today, including the hardware and software used to collect, process, and store data, as well as a company’s products, will likely still be in use when the first fully error-corrected quantum computer is expected to come online. This is particularly true for systems and products with long development timelines and operational lifetimes of more than ten years, such as connected vehicles, which must meet high security standards to protect user safety and privacy.
By understanding the sensitivity of their data and systems to quantum threats based on these two factors, organizations can create a shared internal understanding and formulate appropriate mitigation strategies.
Navigating the Path to Post-Quantum Cryptography
Before deciding on a mitigation pathway, data, system, and product owners should create a standardized data cataloging and risk assessment process to determine the sensitivity of their various data types and systems to quantum threats. This will help inform the appropriate course of action, which can be one of three broad approaches:
-
Adopt PQC solutions today: For organizations with particularly high-value assets or systems with long lifetimes, adopting PQC solutions now may be the best course of action, despite the current trade-offs in cost and performance.
-
Retrofit existing systems to PQC standards at a later date: Many organizations may choose to wait and monitor the evolution of industry standards and regulations before making the switch to PQC. In this case, they should focus on ensuring that their hardware and software architectures can be easily retrofitted in the future.
-
Enhance the efficacy of traditional encryption protocols: Organizations with lower-risk data and systems may opt to focus on extending the lifespan of traditional encryption protocols, such as using longer asymmetric key lengths and scaling up symmetric key lengths for sensitive data, while monitoring the PQC landscape.
The precise path forward will depend on the organization’s specific circumstances, including the type of data and systems they need to protect, the performance requirements of their cryptography protocols, and the number and distribution of connected devices and systems that require protection.
Overcoming the Challenges of Implementing Post-Quantum Cryptography
While PQC solutions are available today, they are still in the early stages of commercialization and face several challenges that organizations must consider:
Cost: PQC solutions currently make up only about 2% of the global cryptography market. Without the benefits of deep penetration and scale, these solutions cost more than traditional cryptography, which can be a significant burden for organizations needing to secure large amounts of data, devices, and systems.
Unproven Effectiveness: PQC solutions have not been conclusively proven to provide protection against quantum or even conventional threats, as they are still nascent and cannot be tested against quantum computers that do not yet exist. This means organizations will need to acquire both conventional and PQC solutions to ensure the highest possible level of security if they take action today.
Performance Limitations: Current PQC solutions require significantly more computing power and higher latency times compared to existing standards, making them impractical for organizations that require low-latency performance over public channels, such as those running high-value edge and cloud computing applications.
Given these risks and costs, most organizations should take a wait-and-see approach to PQC solutions, with the exceptions being those with particularly high-value assets or systems that cannot be easily retrofitted in the future.
Preparing for the Quantum Future: A Roadmap for Organizations
For organizations that choose to wait on adopting PQC solutions, there are still important steps they can take today to prepare for the post-quantum era:
-
Ensure Flexibility in Hardware and Software Architectures: Reserve computational resources for future cryptography updates and make the architecture sufficiently modular to simplify adding and exchanging cryptography modules in the future.
-
Prepare Operationally and Financially for Retrofitting: Understand the complexities and costs associated with retrofitting systems with PQC solutions, especially for organizations responsible for a large number of devices or systems.
-
Build Long-Term Relationships with Relevant Stakeholders: Invest in relationships with suppliers, regulators, and peers within and outside of the industry to stay up-to-date on emerging standards and solutions for PQC, and potentially collaborate on developing cost-effective solutions.
-
Enhance Traditional Security Measures: For organizations with lower-risk data and systems, focus on extending the lifespan of traditional encryption protocols, such as using longer asymmetric key lengths and scaling up symmetric key lengths for sensitive data.
By taking these proactive steps, organizations can lay the groundwork for a smoother transition to the post-quantum era, ensuring the security and resilience of their critical data and systems.
Conclusion: Embracing the Quantum Future, Securing the Present
The threat posed by quantum computing to current encryption standards is real and imminent. As the post-quantum cryptography era begins, organizations across industries must act decisively to protect their data, systems, and products from the looming quantum threat. By understanding the sensitivity of their assets, assessing the appropriate timing for mitigation efforts, and implementing a tailored approach to PQC adoption, organizations can prepare for a secure future in the quantum age.
The transition to post-quantum cryptography will undoubtedly be complex, but those organizations that have already established strong machine identity management practices, with a focus on quantum-resistant solutions, will be at a significant advantage. The time to act is now, as the consequences of inaction could be devastating for businesses, their customers, and the broader digital ecosystem.
Visit IT Fix to explore more insights and practical guidance from seasoned IT professionals on navigating the rapidly evolving technology landscape.
