Cryptomathic: Focus on crypto agility, not rushing to PQC
Nearly one month after the National Institute of Standards and Technology unveiled its initial post-quantum cryptography (PQC) standards, it is starting to look much more like the NIST announcement was the beginning of a long process rather than the culmination of one.
The long process it kicked off is one of assessment. While many enterprise organizations and government agencies have begun in recent months to acquire a sense of urgency about protecting themselves from quantum threats, their migrations to PQC will not happen overnight, according to Johannes Lintzen, managing director of Cryptomathic. The company has plenty of experience in these kinds of migrations, having been founded 37 years ago in Aarhus, Denmark.
Organizations that rush their PQC migrations risk misunderstanding their PQC needs and adopting standards that are still not fully baked, Lintzen said.
Lintzen noted that in the wake of the NIST announcement, organizations have three options, the first of which is to do nothing at all. “Just ignoring it is probably the worst thing you could do,” he said.
The second option is to jump quickly into migrating to new security. “You could say, ‘Well, it’s been announced, so we’ll implement it now,’” he said. “I think that’s a valid approach, but it could lead to another reimplementation down the road, just because of the nature of how these cryptographic systems evolve over time. Until it’s fully standardized, we’re going to see another, you know, maybe two-year period of proofing and additional attempts of finding weaknesses.”
The third option, the one Cryptomathic recommends and which a growing number of cybersecurity firms seem to be supporting, is to begin an organization-wide assessment and house-cleaning: figuring out what algorithms and protection schemes are in use now, what devices, systems and data need better protection, and which among those are the most critical, then planning a migration that itself will involve steps of further evaluation and testing in addition to implementation.
Doing all of this first will make an organization more “crypto-agile,” which ultimately may be more important than adding PQC as quickly as possible.
“Take a step back, analyze, get your systems ready,” Lintzen said. “Get crypto-agile as much as possible. Prioritize with certainty areas within your organization that are under more scrutiny than others. Identify those use cases that are important. Make an action list for the next three to five years on how you’re going to migrate all of your systems.”
Possessing crypto agility will allow organizations to be better prepared for whatever comes next, not only the initial NIST standards but also potential future standards, as there may be more to come. It will also help the IT staffs of these groups respond better to changes, such as the breaking of certain algorithms and the growing need to manage increasingly complex security environments.
While it will take time for user organizations to get their houses in order, it also may take time for the cybersecurity ecosystem to organize itself to support massive migrations across several industries. While numerous PQC specialists have started up in the last few years to attend to the migration, along with longstanding firms like Cryptomathic, Lintzen said many of these software-focused companies are dependent upon the manufacturers of hardware security modules (HSM) to be able to support PQC solutions, and those HSM vendors have their own product timelines.
Still, Lintzen said it is encouraging to see that so many companies and industries are starting to take security much more seriously after decades during which it was not viewed as much of a priority.
“It’s evolved a lot over the years away from cryptography, encryption, and key management being just a really niche thing that no one really talked about and was just driven by compliance and not necessity,” Lintzen said. “I think really what has changed is that cryptographic operations are now the foundation of pretty much all the communication that is going on online. You have the mega trends of digitalization and cloudification, where organizations like banks are starting to push very sensitive operations into a service-based environment because they’re driven to do so by market realities. The means to protect digital assets… it’s a combination of cryptography and mathematics. That, of course, is reflected in our name. To us, these technologies clearly are the glue that holds that foundation together.”
The points Lintzen raises and others are very likely to be discussed in further detail at this fall’s IQT Quantum Cybersecurity event in New York City.
Dan O’Shea has covered telecommunications and related topics including semiconductors, sensors, retail systems, digital payments and quantum computing/technology for over 25 years.