
Post-quantum cryptography challenges for organizations

In technology, the interplay between innovation and vulnerability is constant and dizzying. The advent of quantum computing is further evidence of this, as it promises both unprecedented computing power and a new threat to classical cryptography. Based on initial recommendations recently issued by leading U.S. security and standards organizations, this post delves into the realm of quantum readiness and examines the imperative for organizations to proactively plan for migration to post-quantum cryptographic (PQC) standards.

The quantum question and cryptography

In today's rapidly evolving technology landscape, the field of cybersecurity is facing an unprecedented challenge: the emergence of quantum computing capabilities. At the heart of this revolution is the enigma of "quantum bits," or qubits, which have the ability to exist in multiple states simultaneously. By harnessing this superposition and quantum entanglement, quantum computers have the potential to solve complex problems at speeds that could revolutionize fields ranging from drug discovery to modeling complex systems. These capabilities pose a serious challenge to classical cryptography.

Current public key algorithms and systems, such as RSA, Elliptic Curve Diffie-Hellman (ECDH), and Elliptic Curve Digital Signature Algorithm (ECDSA), derive their strength from the "intractability" of the mathematical problems underlying them. Quantum algorithms such as Shor's algorithm, however, could solve these problems with disturbing simplicity, leaving data encrypted with such algorithms vulnerable. This threat forces cryptographic paradigms to evolve to avoid a potential digital crisis.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST), recognizes the need for organizations, particularly those supporting critical infrastructure, to prepare for the potential impact of quantum computing on cryptographic security.

Actionable steps for companies

In response to this looming threat, the global cryptography community has begun the search for quantum-resistant solutions, giving rise to post-quantum cryptography. To this end, researchers are developing encryption algorithms that remain secure even in the presence of adversaries with enormous computational capabilities. These post-quantum cryptographic algorithms are built on mathematical problems of greater complexity to solve, providing security guarantees that hold against quantum adversaries as well as classical ones.

Although the concrete framework for PQC standards is expected to emerge around 2024, organizations are invited to start taking preparatory steps with a plan proposed by the above-mentioned organizations that includes 5 areas of work, which are explained below.

1 - Creation of a roadmap

Quantum readiness is not a solo endeavor; it requires a multidisciplinary approach. Organizations must assemble cross-functional teams that include cryptography experts, system architects, and risk management specialists. These teams can forge a readiness roadmap that outlines the path to migrate to PQC standards. This overall roadmap will serve as a guide to support the organization through the transition.

At the core of this roadmap is a thorough understanding of the cryptographic systems that currently support the organization's infrastructure, which includes an assessment of the algorithms, protocols, and systems that are vulnerable to quantum attacks. Cryptography experts play a key role in identifying weaknesses and proposing alternatives that are resistant to such attacks. Once the vulnerable areas are identified, collaboration between the cryptography experts and software engineers is the natural next step. The team must work to research, develop, and test post-quantum cryptographic algorithms that can replace current methods. Rigorous analysis and validation will ensure the effectiveness and security of these new algorithms against both classical and quantum adversaries.

At the same time, system architects and risk management specialists will be working to integrate these new cryptographic methods into the infrastructure, which requires an assessment of the implementation implications to ensure that these new algorithms can be integrated into existing systems without compromising performance. The plan should also include milestones for algorithm selection, design, implementation, testing, and deployment. It must also include a period of continuous monitoring and updating, recognizing that the landscape is dynamic and evolving, and must be flexible enough to accommodate unforeseen challenges and advances. This first major step represents the collective effort of diverse teams toward the goal of cryptographic resilience, for a not-too-distant future in which digital assets remain secure even in the face of attacks driven by quantum technologies.

2 - Creation of the cryptographic inventory

Far from a checklist item, creating an inventory of quantum-vulnerable technologies is a strategic step. This cryptographic inventory enables preparedness on several fronts. First, it identifies vulnerabilities, allowing organizations to gain visibility and focus their efforts on strengthening weaknesses. Second, it guides the transition to a zero trust architecture, ensuring that potential access points are fortified against adversaries. Third, it improves understanding of access to external data so that proactive measures can be taken to protect those entry points. Finally, the inventory helps anticipate potential data targets, making it easier to take proactive measures.

Cryptographic discovery tools are needed to identify vulnerabilities in the various layers of the technology stack, from network protocols to end-user systems, as well as source code dependencies. It is worth noting that discovery tools may not be able to identify cryptography embedded internally in products, which complicates the process. Such a cryptographic inventory enables strategic risk assessment and resource allocation. It should be correlated with the available inventories of existing software and technologies, such as information asset inventories, identity, credential, and access management (IAM) systems, endpoint detection and response (EDR) systems, and so on, to provide an overview of the state of the organization and strengthen the risk assessment. Identifying areas where sensitive data is most at risk informs strategies, while addressing vulnerabilities in critical processes improves resilience. Ultimately, the role of the inventory extends to directly informing risk assessments and ensuring timely adoption of post-quantum cryptography (PQC) standards.
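The correlation step described above can be sketched as follows. This is an added example, not code from the agencies' guidance or from any discovery product: the asset names, the findings, the inventory fields and the ranking rule (critical systems first, then longest confidentiality requirement) are all constructed assumptions.

```python
import re

# Identifier tokens mapped to the public-key families the article names as
# quantum-vulnerable (RSA, ECDH, ECDSA). Constructed and not exhaustive.
TOKEN_FAMILY = {
    "RSA": "RSA", "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "ECDH": "ECDH", "ECDHE": "ECDH",
    "ECDSA": "ECDSA", "ES256": "ECDSA", "ES384": "ECDSA",
}

def vulnerable_families(identifier):
    """Return the quantum-vulnerable families named in an algorithm identifier."""
    tokens = re.split(r"[-_\s]+", identifier.upper())
    return {TOKEN_FAMILY[t] for t in tokens if t in TOKEN_FAMILY}

# Constructed discovery output: (asset, layer, algorithm identifier as observed).
FINDINGS = [
    ("vpn-gw", "network", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("vpn-gw", "ssh", "ssh-rsa"),
    ("hr-archive", "network", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
    ("api-auth", "source", "RS256"),
    ("api-auth", "source", "HS256"),  # symmetric MAC: no family matched
    ("build-cache", "ssh", "ecdsa-sha2-nistp256"),
]

# Constructed asset inventory to correlate against (hypothetical fields).
ASSETS = {
    "vpn-gw": {"critical": True, "confidentiality_years": 5},
    "hr-archive": {"critical": False, "confidentiality_years": 25},
    "api-auth": {"critical": True, "confidentiality_years": 1},
}

def build_inventory(findings, assets):
    """Group vulnerable findings per asset; list assets missing from the asset inventory."""
    per_asset, unknown = {}, set()
    for asset, _layer, identifier in findings:
        families = vulnerable_families(identifier)
        if not families:
            continue
        if asset not in assets:
            unknown.add(asset)  # correlation gap: crypto seen on an untracked asset
            continue
        per_asset.setdefault(asset, set()).update(families)
    # Assumed ranking: critical systems first, then longest confidentiality need.
    order = sorted(per_asset, key=lambda a: (not assets[a]["critical"],
                                             -assets[a]["confidentiality_years"]))
    return [(a, sorted(per_asset[a])) for a in order], sorted(unknown)

if __name__ == "__main__":
    ranked, unknown = build_inventory(FINDINGS, ASSETS)
    for asset, families in ranked:
        print(asset, families)
    print("not in asset inventory:", unknown)
```

Assets that show quantum-vulnerable cryptography but are absent from the asset inventory are reported separately, since they cannot be ranked until they are tracked.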

3 - Collaboration with technology suppliers

From the above, it is clear that a well-developed plan and roadmap should describe how the organization's current vendors plan to migrate to PQC solutions, with sufficient lead time to test the algorithms and integrate them into the products. This applies to standard commercial products, also called COTS (commercial-off-the-shelf), for both on-premise and cloud-based environments. Ideally, vendors should publish their own PQC roadmap, framing their commitment to the implementation of post-quantum cryptography. For their part, standardization institutions, regulators and agencies should urge organizations to proactively plan for necessary changes to existing and future contracts. Those contracts should ensure that new products are delivered with PQC built in, and that older products are upgraded with PQC to meet transition deadlines.

Quantum resilience is a collective effort that goes beyond organizational boundaries. Engaging in dialogue with technology vendors fosters a shared understanding of preparedness strategies. Organizations should inquire not only into timelines, but also into vendor integration mechanisms, and this exploration is especially relevant for critical systems and legacy applications.

4 - Explore supply chains

The intricate web of modern supply chains amplifies the threat. Organizations must be able to navigate this maze by mapping the dependencies on quantum-vulnerable cryptography within their systems and among their partners and stakeholders throughout the chain. Forging collaborative partnerships with vendors, especially for cloud-based services, will ensure alignment with preparedness principles. This requires prioritizing high-impact systems, industrial control systems (ICS), and systems with higher long-term confidentiality requirements. Once the risks in cryptographic elements and components have been identified, the next step is to identify the risks to the data or functions that rely on these technologies.

All of this may result in additional costs that have not been previously considered, but they must be included in risk management, both technical and operational, and in all aspects of the business.

5 - Promote supplier responsibility

As mentioned, the quantum readiness odyssey extends to technology vendors, who play a critical role in protecting the digital landscape. With the knowledge gained from the preliminary PQC standards, vendors can recalibrate their products to adapt to the impending reality. This proactive approach, coupled with secure-by-design principles, strengthens the digital sphere against quantum-based vulnerabilities.

Indeed, this is a time in history when manufacturers and vendors of technology and services have the opportunity to position themselves as innovators and drivers of change. This process is not just a technical endeavor, but embodies a commitment to strengthening digital defenses against new threats. Although the quantum horizon is characterized by uncertainty, the timeline for action is becoming clearer, and it is better to get on board early than late, as the cost may be too high.

Conclusions

As the quantum era unfolds, organizations must rise to the occasion and fortify their digital defenses against the challenges ahead. In the midst of a rapidly evolving threat landscape, cryptography resilient to quantum computing is emerging as the answer. By taking the steps outlined here, organizations can begin to build defenses against the adversaries of the future. With the countdown to the NIST PQC standards submission well underway, organizations are naturally invited to begin the journey of preparation. At a time when the boundaries between the classical and quantum worlds are beginning to blur, organizations have an opportunity to make an early impact. The future is knocking at the door, and the need for cybersecurity that is ready to meet those challenges is growing more urgent every day.