Philip George, Executive Technical Strategist at Merlin Cyber, sheds light on the looming divide between organizations prepared for the challenges of post-quantum cryptography and those unprepared for the imminent threat posed by quantum computing.
Philip George, Executive Technical Strategist at Merlin Cyber
Post-Quantum Cryptography Will Divide Organizations into Two Groups – Prepared and Unprepared
This year, CISA, the NSA, and NIST have been leading the charge on Post-Quantum Cryptography (PQC) initiatives, publishing fact sheets and other helpful resources to address threats posed by quantum computing. Next year, NIST is set to publish its first set of PQC standards. This is an early step towards preparing federal agencies as well as private companies to adopt new encryption standards that are designed to protect systems from being vulnerable to advanced decryption techniques fueled by quantum computers. However, the need for this shift is much more immediate than much of the language and rhetoric currently surrounding PQC might suggest. In 2024, we will see a clear divide between companies and government agencies taking this threat seriously and beginning the proper preparations, and those that will find themselves sorely behind the eight ball.
NSA and other authorities have previously said the quantum risk is feasible by at least 2035. Commercial quantum computers do indeed exist today, although they have yet to demonstrate the projected computational scale without significant limitations. However, it is only a matter of time before our Years to Quantum (Y2Q) become months and days – not years.
Impending cryptanalytically relevant quantum computer (CRQC) capabilities should serve as a wake-up call for those in the IT & cybersecurity community who consider quantum computing to be in our distant future. We need to be careful that the forward-looking term “post,” which has become synonymous with quantum computing, does not lead us down a precarious path of complacency. This threat is much closer than most realize.
The key takeaway for IT and OT system owners should be the critical need to establish an integrated quantum planning and implementation team.
Since organizations are ultimately responsible for their own PQC readiness, or lack-thereof, to delay inventory and discovery activities until the new PQC standards are finalized is to invite an inordinate amount of risk to its information security.
The need for early planning is predicated upon the reality that cyber threat actors are targeting encrypted data today – for decryption tomorrow – and crucial data with a lengthy protection lifecycle (Controlled Technical Information and Controlled Unclassified Information nuclear information, for example) will likely be impacted the most.
The era of implicit cryptographic trust and reliance on an iterative standard process is ending. In 2024, agencies and organizations will recognize that the time is now to start mapping out cryptographic dependencies by conducting a full system cryptographic inventory. We will see that the results should then support a risk driven prioritization effort that identifies business critical processes and information – and ensure that we are presently prepared for our “post” quantum future.