Adopting Quantum Cryptography: Why Y2Q Will Be Too Late
(SecurityBoulevard) Governments and organizations around the world, including significant threat actors, are pouring vast amounts of money and resources toward the development of large-scale quantum computers and related quantum technologies. “Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now,” warned Arvind Krishna, director of IBM Research, in a ZDNet article.
Philip Lafrance, Standards Manager at ISARA, where he works with standards development organizations across the globe, including ETSI and NIST, to help set standards for post-quantum cryptography and related areas of information security; is the author of this detailed and helpful look at transitioning to a quantum-safe state.
Quantum-safe planning involves:
- Understanding where the organization currently uses cryptography.
- Understanding the security dependencies throughout the organization and its supply chains.
- Understanding where and how their systems are vulnerable to quantum-enabled attacks.
- Deciding on exactly how to migrate current systems to next-generation technologies.
- Allocating budgets and receiving leadership approval.
- Executing the migration.
“Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now,” warned Arvind Krishna, director of IBM Research, in a ZDNet article.
Here are the initial migration steps we recommend as organizations transition to a quantum-safe state:
1) Discover where the organization is using cryptography and catalog what type of cryptography it is and what information it’s protecting. Intuitively, this should be easy enough to do, but in practice, this discovery phase may be prohibitively complex and expensive. Many organizations have given this task little attention to date and don’t know where to start. For organizations with large shadow IT departments or poorly documented cryptography, even a large audit might not guarantee complete coverage.
2) The discovery and audit process should also investigate the need for quantum-safe protections for partner organizations or vendors in the supply chain. An organization can do everything it can to make itself quantum-safe, but if it is integrating OEM components that are not quantum-safe into their own products or services, then the organization might still be quantum-vulnerable.
3) Once an audit is completed, the next steps include determining how to upgrade, transition or migrate vulnerable cryptography to versions certifiable as quantum-safe. Again, this step includes working with partners and suppliers.
Making the relevant inquiries now is essential to minimize the amount of time it will take organizations, partners and suppliers to make this cryptographic shift.