Bob Burns | Chief Product Security Officer
All cybersecurity experts agree that the coming of quantum computing will be the dawn of a new era in cryptography. Quantum computing has made continuous progress, and Gartner estimates1 that by 2029, it will be able to weaken existing cryptographic systems to the point where they are no longer safe to use.
The world is getting ready for the post-quantum era
Replacement of existing algorithms has already begun, and NIST narrowed down the following acceptable replacements:
- CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures) were both selected for their strong security and excellent performance
- FALCON will also be standardized by NIST since there may be use cases for which CRYSTALS-Dilithium signatures are too large
- SPHINCS+ will also be standardized to avoid relying only on the security of lattices for signatures
The White House and numerous U.S. Federal agencies have already begun mitigating this risk. In May, President Joe Biden issued a national security memorandum outlining the administration's strategy for addressing the cybersecurity threats posed by quantum computing. In July, Congress passed the Quantum Computing Cybersecurity Preparedness Act, mandating that agencies strengthen their cybersecurity in preparation for quantum computing threats. The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have organized a working group, the National Cybersecurity Center of Excellence (NCCoE) in the Migration to Post-Quantum Cryptography Project Consortium, to assist businesses in protecting their data and systems.
“The transition to post-quantum encryption algorithms is as much dependent on the development of such algorithms as it is on their adoption. While the former is already ongoing, planning for the latter remains in its infancy. We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future,” said DHS Secretary Alejandro Mayorkas in a recent statement about the working group.
Steps to be taken to enable a smooth transition
As the NIST process to develop a new post-quantum cryptography standard is now underway, businesses should consider conducting an inventory of their current cryptographic systems, the data being secured, and the transition priorities of their systems. Once the new post-quantum cryptography standard is available, early preparations will ensure a seamless and efficient transition.
DHS and NIST have identified the following steps as necessary.
1. Organizations should compile an inventory of the most sensitive and vital datasets that must be secured for an extended period. This information will inform future analyses by determining which data is currently at risk of being decrypted by a quantum computer that is cryptographically relevant.
2. To ensure a seamless transition in the future, organizations should complete an inventory of all systems employing cryptographic technology for whatever purpose.
3. Officials responsible for cybersecurity within a company should determine which acquisition, cybersecurity, and data security standards will need to be updated to accommodate post-quantum requirements.
4. From the inventory, businesses should determine where and for what reason public key cryptography is utilized and then mark those systems as quantum-vulnerable.
5. Prioritize cryptographic transition based on the organization’s functions, objectives, and demands.
6. Businesses should design a transition plan for their systems using inventory and prioritization data.
A Crypto Center of Excellence is more important than never before
For a successful post-quantum transition strategy, CISOs and other security personnel must obtain the support of other business units. Having state-of-the-art equipment is ineffective without the right people and process. It is essential that other teams understand the fundamentals of quantum-safe cryptography so that the security team is not the only one responsible for securing the digital organization.
The most successful strategy to manage and govern the usage of cryptography, according to Gartner2, is to develop a single team with the necessary knowledge to formulate appropriate policies for the company. The Cryptographic Center of Excellence (CCoE) can serve as a means to avoid numerous individual security technology decisions. While security and risk management leaders are accustomed to making decisions of this nature, mismanagement of these decisions can have costly and unforeseen effects.
The CCoE mission can be defined in terms of people, process, and technology.
- People: Educate and enable business units and define collective ownership of crypto assets.
- Process: Lead initiatives that inspire other business units and learn about the requirements, timeframes, and demands of the organization department to accommodate them into the post-quantum transition strategy.
- Technology: Guide business units on the security aspects of their assessment and provide a quick reference of compliance and crypto requirements that business units can refer to.
Crypto-agility is an essential component of CCoE and a current necessity. Crypto-agility is a measure of a company's resilience to threats; it indicates how rapidly a company can recover from an attack or vulnerability with minimum service disruption. In a post-quantum era, when companies must keep one step ahead of quantum attacks on crypto algorithms, crypto-agility will be critically important.
Although the post-quantum era is still a few years away, practicing crypto-agility now will help avoid expensive security retrofitting in the future as quantum computing becomes more prevalent. Take our free Post-Quantum Crypto Agility Risk Assessment, and in under 5 minutes, you will better understand if your organization is at risk of a post-quantum breach, learn about the scope of work required, and what you should be doing today to be post-quantum ready.
1Gartner, Preparing for the Quantum World With Crypto-Agility, September 2, 2022
2Gartner, Preparing for the Quantum World With Crypto-Agility, September 2, 2022