A scientist at Los Alamos National Laboratory recently asked an important question: “When full-fledged quantum computers arrive, will we be ready?” This scientist researches quantum information theory and his opinion piece for Scientific American magazine focused on quantum computing’s applications. But it’s a smart question when considering cybersecurity as well.
Quantum computing will fundamentally increase processing power, which could mean exciting advances in fields ranging from particle physics to machine learning to medical science but also increased data security risks.
Why are quantum computers so important?
- They represent the next evolutionary step in quantum mechanics.
- They combine information theory with quantum mechanics.
- They process enormous amounts of data at once.
- They possess capabilities to quickly reach non-linear answers.
- They factor prime numbers much faster than existing computers, threatening public-key encryption when in the wrong hands.
That last fact is, unfortunately, a downside for organizations intent on keeping their data secure. In this post-quantum computing (PQC) reality, current encryption algorithms will be no match for the speedy code-cracking possible with quantum computers. Cybercriminals will take advantage of this capability once quantum computers are more accessible.
Seventy-one percent of IT professionals recognize the threat that quantum computing poses to existing cryptography, according to the “Quantum’s Promise and Peril: 2019 DigiCert Post Quantum Crypto Survey.” With some of those surveyed concerned that this threat could emerge as early as 2022, companies understandably are uncertain about the best way to respond. Read on for tips on determining your company’s current level of risk and strategies to tighten up security in the post-quantum computing era.
How To Determine Your Organization’s PQC Readiness
This threat is imminent. Cybercriminals are likely hoarding encrypted data in anticipation of the day when quantum computers become available to the larger public and they can use them to break modern cryptography. Companies shouldn’t wait either. It’s critical to identify your company’s knowledge of the quantum computing threat and its current level of preparedness for a PQC future. One way to do that is by using DigiCert’s “Post-Quantum Cryptography (PQC) Maturity Model.”
Determining the company’s degree of knowledge and level of preparedness will determine your company’s PQC maturity level:
- Novice: Little, if any, knowledge of or preparation for the threat.
- Apprentice: Some knowledge of the threat and some preparation to address it.
- Practitioner: Advanced knowledge and the first steps toward creating a comprehensive strategy to secure the network against quantum threats now and into the future.
- Academic: Deep knowledge of the pending threat but no meaningful preparation.
- Maverick: Novice-level knowledge, which results in deploying unproven or poorly designed security measures.
- Master: Expert level of knowledge and extensive preparation.
Once a company achieves mastery, it’s in an excellent place to anticipate security needs and protect critical systems and applications. Each level carries its own risks including mastery, as it could be tempting to become overly confident, relax security standards and slide back to a former level. Taking a few steps now can help organizations get ahead of the fast-approaching challenges ahead.
Step #1: Increase Your Crypto-agility
By crypto-agility, we strive toward an efficient method to effortlessly identify and replace outdated cryptographic algorithms when necessary. First, identify every server—protocols, libraries, algorithms and certificates—that utilizes encryption within your organization. One way to do this is by adopting a certificate management platform that automates the certificate lifecycle management. Second, document what you’ve learned as part of a plan that includes how you’ll identify and resolve encryption issues. Third, ask your third-party vendors how they plan to protect against quantum threats. Verify that potential new vendors are prepared, too.
Step #2: Identify the Right HSM
Organizations rely on hardware security modules (HSMs) to protect custom keys used in their public key infrastructure (PKI). If your company is one of them, research how they’re being used, whether they can be upgraded to support quantum-safe encryption and, if so, how quickly those upgrades could happen. Digital security firms Gemalto and Ultimaco, among others, offer quantum-safe HSMs.
Step #3: Embrace Always-On SSL
Multiple companies, including Google and Microsoft, have the best practice for Always On SSL (AOSSL), according to Internet Society’s blog post “Best Practice: Always On SSL (AOSSL).” SSL/TLS certificates let website visitors know that the site is authentic and that any data they input will be encrypted. With AOSSL, companies can apply encryption across all websites (internal and external), reducing the company’s exposure to cyberattacks such as Man-in-the-Middle(MITM).
A major approach to prepare for post-quantum crypto-threats is by gaining encryption agility. A properly deployed AOSSL makes it easier to update encryption algorithms in response to quantum computing threats that emerge in the future.
Step #4: Test Your PQC Strategy
Enterprises that are best equipped for the PQC era don’t take a set-it-and-forget-it approach to security. Instead, they regularly test their security to make sure it will hold up in the case of a true threat. That typically means observing how their certificates work in a sandbox environment so they can adjust their approach if something isn’t working effectively. Knowing your environment, having organization-wide visibility and taking the right action at the time of a real treat are all essential steps to be protected against the threat caused by quantum computers.
Don’t Panic, but Be Prepared for Quantum Computing
The threat that quantum computing poses to encryption has been looming for years. If your company hasn’t taken action as yet, there’s no time to waste. Determine your level of knowledge and preparedness and take strides to advance both. The more you can improve in both areas, the better off you’ll be when cybercriminals begin using quantum computers to crack previously difficult-to-crack cryptography.