What Executives Should Know About Quantum-Resistant Security
What Does Quantum-Resistant Security (Really) Mean?
The vast majority of methods for transferring and storing sensitive information rely on cryptography to maintain confidentiality. Unfortunately, the vast majority of cryptographic systems in use today are also vulnerable to the capabilities that quantum computing is proving to make possible. The security field is therefore working to understand and build confidentiality protections that resist a quantum computer's ability to break them. While there is currently no quantum computer with enough computing power to handle the large primes that cryptography is leveraging, it is only a matter of time before quantum computers catch up.
How Did It Originate?
The concept of quantum-resistant security quickly became a sizable concern when quantum cryptography produced a working proof of concept of Shor’s algorithm, albeit in a very limited scope that would not currently break anything. Shor’s algorithm is a major problem for cryptography because it is designed to find the prime factors of a given integer, and prime factorization is the core of how certificates and their keys are created. For instance, with the RSA cryptosystem (and most of the cryptographic algorithms that followed it), the method for creating certificate keys “creates and publishes a public key based on two large prime numbers, along with an auxiliary value.” Those two prime numbers, aka the prime factors, combine into the private key that can decrypt the payload. As a result, the need for quantum-resistant algorithms becomes apparent to secure data against future quantum threats.
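To make the dependency on factoring concrete, the following added example (not part of the original article) builds a toy RSA key from two small primes and shows that anyone who can factor the public modulus can rebuild the private key and decrypt. Classical Pollard's rho stands in for Shor's algorithm here, which is only feasible because the primes are tiny; the primes, message, and function names are constructed for illustration.

```python
import math

def make_toy_keypair(p, q, e=65537):
    """Build an RSA key pair from two primes, as the quoted description says."""
    n = p * q                          # published modulus
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, derived from the primes
    return (n, e), d

def pollard_rho(n):
    """Return a non-trivial factor of n (classical stand-in for Shor's algorithm)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):             # retry with a new polynomial if a cycle fails
        x = y = 2
        g = 1
        while g == 1:
            x = (x * x + c) % n        # tortoise: one step
            y = (y * y + c) % n        # hare: two steps
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
        if g != n:
            return g
    raise ValueError("no factor found")

def recover_private_exponent(public_key):
    """Rebuild d from the public key alone by factoring the modulus."""
    n, e = public_key
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    # Constructed sample values: the 10,000th and 100,000th primes, far too small for real use.
    public_key, d = make_toy_keypair(104729, 1299709)
    n, e = public_key
    message = 424242
    ciphertext = pow(message, e, n)            # encrypted with the public key only
    stolen_d = recover_private_exponent(public_key)
    return d, stolen_d, pow(ciphertext, stolen_d, n), message

if __name__ == "__main__":
    d, stolen_d, recovered, message = demo()
    print("private exponent recovered from public key:", stolen_d == d)
    print("ciphertext decrypted without the owner's key:", recovered == message)
```

With real key sizes the factoring step is infeasible for classical computers, which is exactly the step Shor's algorithm would make tractable.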
Why Is It Important in Cybersecurity?
Quantum computing’s relevance in cybersecurity stems from its potential to break many of the cryptographic algorithms that currently secure digital communications and storage. With the potential for quantum computers to decrypt data, the cybersecurity community is focusing on developing and implementing quantum-resistant algorithms to safeguard sensitive information. A related scenario points to a more immediate problem: “store now, decrypt later” attacks, in which a malicious actor copies encrypted data now and holds onto it until quantum computing matures enough to run Shor’s algorithm against the large numbers used in current cryptography, then decrypts the data and uses it for malicious purposes.
What Is the Spin Around This Quantum-Resistant Security Buzzword?
As with any emerging technology, there is a lot of hype around quantum-resistant security. The buzz often includes claims of an immediate necessity to “buy new protections now” and exaggeration of the current state of quantum computing advancements. While it is true that quantum computing poses a future threat to encryption, the timeline for when such computers will be practically able to break current cryptographic standards is uncertain. Additionally, because the field is still in its conceptual stages, no one knows how quantum computing will continue to impact the security realm on both the malicious/attacking and protective sides. Even the US government is designing new standards that account for the need to switch cryptographic systems fluidly, should an innovation in quantum computing break cryptography that is being developed on what we currently know to be resistant. The term “crypto-agility” has been coined for this need to shift rapidly in response to such innovations.
Our Advice: What Executives Should Consider When Adopting Quantum-Resistant Security
The advent of quantum computing calls for a proactive approach to cybersecurity. Executives should be aware of the following considerations:
- Crypto-Agility: Organizations should start assessing their use of encryption and ensure they can transition to post-quantum cryptographic algorithms once they become standardized.
- Risk Assessment: Determine which data and systems would be most at risk if current cryptographic standards were broken and prioritize those areas for upgrades to post-quantum algorithms.
- Education and Training: Educate your cybersecurity team about quantum computing and its potential impact so they can begin to integrate post-quantum strategies into their work.
- Vendor Communication: Engage with vendors to understand their plans for post-quantum cryptography and how they will support transitions when necessary.
- Incremental Transition: Plan for a gradual transition to quantum-resistant security to ensure seamless integration with existing systems and protocols.
Questions to Ask Your Team for Successful Quantum-Resistant Security Adoption
The shift to quantum-resistant security is a strategic imperative that should be addressed methodically. Here are some questions to ask your team for a successful quantum-resistant security strategy:
- How can we begin incorporating both “crypto-agile” and quantum-resistant algorithms into our security systems without disrupting current operations?
- How will we train our security personnel on the nuances and complexities of quantum-resistant security?
- How will we monitor the developments in quantum computing to ensure that our cybersecurity practices evolve appropriately and in a timely manner?
- How do we engage with industry and government bodies to ensure compliance and alignment with emerging quantum-resistant security standards?
- Do we have any extremely sensitive traffic flows or data storage, such as items that would be damaging even if they were leaked 5 to 15 years from now, that we need to prioritize for transitioning into a post-quantum cryptographic system?