Security preparations in a post-quantum world

February 01, 2024
Author: Jana Korfhagen

What will a post-quantum computing landscape mean for digital security? Securing the future is going to be more challenging with quantum computing presenting risks that many organizations are not prepared to address.

This emerging risk was the topic of our recent Inside the CISO’s Office episode featuring John Bruggeman, Consulting CISO, and Heidi Shey, Principal Analyst of Security and Risk at Forrester. Read on for the key takeaways from their discussion, including what risks companies need to add to their risk register and how they can best prepare for a post-quantum computing world. John and Heidi’s thoughts were backed up by research from Forrester—check out the full report here.

A new era is coming (or perhaps it’s already here)

Quantum computing presents a significant positive opportunity in many fields, like medicine and healthcare, weather forecasting, logistics, and financial modeling. The research industry has overly complex problems that require vast computational horsepower to fold proteins and predict hurricanes. Advanced computations will allow for chemical reaction simulations, faster drug discoveries, accurate climate modeling, and more. The result will be discoveries delivered at a faster rate than ever seen.

It’s an exciting time—but it’s a journey of a thousand steps—and the reality is many companies don’t know they are on a quantum journey. Preparations must be made to capitalize on the potential advantages of quantum computing and address the risks presented to a company’s digital security by quantum computing.

Why are we talking about post-quantum security?

When we discuss quantum threats, it may seem as if we are discussing risks that are five or ten years in the future. But quantum computers are here now: IBM has been selling commercial quantum computers for over four years. They might not be widely deployed or fully realized for another five years. The question is, are you prepared to defend against the quantum threat?

The simple answer is no, most companies are not prepared. According to Heidi, five years is not a long time. Quantum computing may still feel like a futuristic topic relegated to press releases and distant promises, but breakthroughs are happening. Soon, we’ll see exponential growth in the quantum computing space. If companies are unprepared for the threats of quantum computing, they will have significant vulnerabilities with their encryption technology. Just as people were not prepared for the risks and rewards of the World Wide Web in 1995, quantum computing presents a similar leap forward in computation power and peril.


What threats exist in a post-quantum space?

A central talking point for John and Heidi was cryptography, and the current reliance on a few algorithms whose security depends on how hard it is to factor very large numbers built from prime numbers, so that a message can only be read by the intended recipient. Quantum computing presents a real risk because of Shor’s algorithm, which has the potential to factor these large numbers quickly and so decrypt data protected by our current encryption techniques.

According to Forrester, the main vulnerabilities of the quantum future include:

  • Key exchange: Asymmetric key algorithms such as RSA and elliptic curve (ECC) will be vulnerable to quantum computing. This means exchanges that use RSA or ECC to exchange a symmetric key can be broken into and decrypted.
  • Encryption: While Advanced Encryption Standard (AES) encryption will not be breakable by quantum technology, companies should assume key exchange algorithms will be vulnerable. This effectively makes AES encryption vulnerable as well.
  • Digital signatures: Algorithms such as RSA, ECDSA, and DSA will all be vulnerable to quantum computing.

What does this mean for data security today?

The main takeaway is companies need to inventory their data security now, not in five or ten years. Organizations need to know what encryption they are using to secure data at rest and data in transit.

Data that has a long shelf life presents a significant vulnerability. Currently, companies may feel their data is encoded securely and don’t worry even if malicious actors get access to that data. However, if criminals or nation states hold onto this data long enough for quantum computing to advance, they will likely be able to crack the code and decrypt this treasure trove of encrypted data.
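One way to start the inventory described above is to classify the TLS cipher suites your systems negotiate against the three vulnerability areas Forrester lists. The sketch below is an added example, not part of the original discussion or the Forrester report; the system names, retention periods, finding labels, and the five-year horizon parameter are assumptions made for illustration.

```python
# Added example: classify IANA TLS cipher-suite names by quantum exposure.
# DH/DHE are not named in the article; finite-field Diffie-Hellman is also broken by Shor.
QUANTUM_VULNERABLE_KX = {"RSA", "ECDHE", "ECDH", "DHE", "DH"}
QUANTUM_VULNERABLE_SIG = {"RSA", "ECDSA", "DSS"}  # DSS is the TLS name for DSA

def parse_suite(name):
    """Split a cipher-suite name into key exchange, signature and bulk cipher."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" not in body:
        # TLS 1.3 style name: key exchange and signature are negotiated separately
        return {"kx": None, "sig": None, "cipher": body.split("_")[0]}
    left, right = body.split("_WITH_", 1)
    parts = left.split("_")
    sig = parts[1] if len(parts) > 1 else parts[0]  # "RSA" alone covers both roles
    return {"kx": parts[0], "sig": sig, "cipher": right.split("_")[0]}

def assess(name, retention_years, horizon_years=5):
    """Return findings for one suite; horizon_years is an assumed planning horizon."""
    s = parse_suite(name)
    findings = []
    if s["kx"] is None:
        findings.append("key-exchange-unknown")  # needs a check of negotiated groups
    elif s["kx"] in QUANTUM_VULNERABLE_KX:
        findings.append("key-exchange-vulnerable")
        if s["cipher"] == "AES":  # AES itself holds, but its key was shared insecurely
            findings.append("aes-exposed-via-key-exchange")
        if retention_years >= horizon_years:  # data outlives the planning horizon
            findings.append("long-lived-data-at-risk")
    if s["sig"] in QUANTUM_VULNERABLE_SIG:
        findings.append("signature-vulnerable")
    return findings

# Constructed inventory: (system, negotiated suite, years the data must stay secret)
INVENTORY = [
    ("hr-archive", "TLS_RSA_WITH_AES_256_CBC_SHA", 10),
    ("web-frontend", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 1),
    ("iot-gateway", "TLS_PSK_WITH_AES_128_GCM_SHA256", 7),
    ("api-edge", "TLS_AES_256_GCM_SHA384", 3),
]

def report(inventory):
    return {system: assess(suite, years) for system, suite, years in inventory}

if __name__ == "__main__":
    for system, findings in report(INVENTORY).items():
        print(f"{system:14} {', '.join(findings) or 'no asymmetric exposure found'}")
```

A suite reported as key-exchange-unknown is a TLS 1.3 name, where the key exchange group and signature algorithm have to be read from the server configuration instead of the suite name.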

Another issue related to data management occurs when companies keep old data that is no longer needed. It’s easiest to get rid of the key that decodes the data, but with quantum computers, a key will no longer be necessary, and that data will become vulnerable. Data will need to be destroyed, not just the key.

Considerations like these make it essential for companies to begin to ask questions of their security vendors when upgrading their technology stack and secure communication tools. Organizations looking to invest in these tools today should ask vendors about their plans for post-quantum cryptography. Investigate how their trusted vendors can assist your organization in developing its crypto agility and post-quantum cryptography.


Avoid being left behind

It takes time to upgrade encryption technologies. Think about SHA-1. Some companies still use SHA-1, which was deprecated in 2011. It’s understandable—encryption technology is embedded in many different products, making it difficult to pinpoint precisely how data is being encrypted today.

Guidance from the National Institute of Standards and Technology (NIST) states that AES 128, 192, and 256 will remain safe, with a caveat around the vulnerability in key exchange created by sharing the keys needed to decrypt it.

To minimize risk, companies need to update their encryption algorithms to align with NIST guidelines. Remember that quantum computing will also bring benefits to address security concerns, such as ingesting large data sets that can bring us closer to real-time identification and mitigation of threats. The threats quantum computing presents may be addressed through quantum computing itself, but companies need to prepare and get up to date today to make use of these solutions tomorrow.

Be prepared

Movement is already happening, especially in government agencies. Highly vulnerable sectors such as government financial services or three-letter agencies such as the National Security Agency (NSA) are already preparing for these quantum risks. These organizations are following NIST guidelines to create an inventory of sensitive data or algorithms in advance of quantum computing.

Post-quantum cryptography is really quantum-resistant cryptography. NIST is working on new encryption algorithms that are resistant to quantum computing advantages. In July 2022, they released four potential encryption algorithms that resist the speed and processing power of quantum computers. These algorithms are not yet finalized, but vendors know what these algorithms are and can begin to test them in their products.

Once NIST releases the quantum-resistant algorithms, companies that have prepared will be best positioned to implement them quickly.

Be a pessimist

The main takeaway from John and Heidi’s discussion is that companies must prepare for the future. Be a pessimist, not an optimist. Quantum computing presents challenges that will be realized in the next five years, and there is no better time than today to begin your quantum readiness journey.

While companies wait for new NIST standards, the best thing to do is to know exactly where your data is and who has access to it today. You might even discover and address security vulnerabilities already putting your company at risk now. Get a task force together with the following members:

  • PQC experts who are staying abreast of new developments.
  • Team members who know your technology stack and where you have vulnerable technology, including data that you plan on holding onto for a long time.
  • Vendors who are key to your environment, so you can learn what their quantum readiness capabilities are.

Read through Forrester’s Planning for Post-Quantum Security report to understand the current landscape better. Having a thorough knowledge of the principal vulnerabilities and how to plan for them will help companies prepare for the future.

Quantum preparedness will be a journey, but most begin with a simple conversation. For advice on how to achieve quantum readiness, reach out to an expert from CBTS.
