Quantum computing could break your encryption. It could happen within a couple of years, or it may be a decade or two away. Either way, in the relatively near future, quantum computing will render traditional cryptography obsolete. It’s a challenge every enterprise will have to face, and the sooner enterprises start looking into the risks quantum computing poses to conventional encryption schemes, the better. The U.S. federal government is already assessing the issue.
The 2021 National Defense Authorization Act, which became law on January 1, 2021, includes a mandate to the U.S. Department of Defense to conduct a detailed assessment of current and potential threats to critical national security systems posed by quantum computing.
One of the major concerns is that quantum computing will soon be capable of breaking traditional encryption, and do so very quickly. Last year, before the directive to the U.S. Department of Defense, we spoke with Greg Wetmore, VP of product and software development at Entrust, about how this risk may soon affect enterprises and their ability to keep their sensitive and regulated data secure.
Here is an edited version of our conversation.
Security Boulevard: How far away do you think we are from quantum computing challenging today’s encryption in use by the private sector?
Greg Wetmore: There’s not a precise answer here. It’s somewhat of a prognostication, but you’ll get a range of responses when you talk to the mathematicians and the security experts. But as soon as you get into that 10-plus year time frame, you start to get into a situation where the majority of experts have pretty high confidence that there’ll be a real threat to enterprise businesses and governments from quantum computers as it relates to their cryptosystems.
One of the things we’re trying to educate our customers about is the importance of concentrating on this problem now. Because, when you look back at how long it has taken in the past for organizations to migrate their cryptosystems to more modern standards, it is a long-term shift. I think back to SHA, or the RSA transition to elliptic curve. Those took 20, 30 years from establishing standards to policy changes and technology changes required. Organizations struggled through that. It was not an easy transition.
Security Boulevard: People were using SHA-1 for much longer than they should have been. It took a ridiculously long time.
Greg Wetmore: With those kinds of timelines in mind, it’s essential to get the word out. There are still people using SHA-1. I recently saw a very old, legacy system that is very hard to change. Do the math: you have a 10-year threat timeline and a 20-year mitigation effort ahead of us.
Security Boulevard: What should organizations start to do?
Greg Wetmore: There are several steps organizations can take, starting now. The first one is education. As a security professional in an organization, or a person responsible for information security or data security, now’s the time to make sure you’re educated on the issue and what is at stake.
There is a lot of information from security experts about the threats, and the rationale behind this migration, that needs to come [out] to avoid them. For instance, NIST is publishing lots of information. We can learn from our past, from SHA-1 to elliptic curve, including what went well and where the problems were. That’s the type of education that has to happen.
The second [step] is to understand where crypto is in your organization. Where are the keys, where are the certificates, where’s crypto happening? That’s all about discovery and inventory. That’s not easy, because, as you know, crypto and keys end up everywhere in an organization.
Indeed, security vendors provide technology and the capability to take those inventories and discover where crypto is occurring and where keys are sitting. That can be a complicated process, but it’s one that could take some time, and needs to get started. One of the places where I advise my customers to consider – and look first – [are] some of those old and legacy systems that exist in their modern organization, but haven’t been able to keep up to date. Those are among the places where they’re going to find their first problems.
The third step, from my point of view, is to think about your data. When you’re thinking about a threat to data like quantum computers, you have to think about your high-value secrets. What are those things that you need to keep secure for a long time? When you’re talking to a bank or government, they tend to have a lot of that kind of information that needs to be secure for long periods. And those are the first datasets, to me, that are threatened by post-quantum computing.
The last step is working with security vendors that your organization relies upon for data security and identity security. Think about proof of concepts, think about prototyping, think about getting access to data or early access capabilities so that organizations can try to figure out what their systems will look like. And what is post-quantum crypto going to look like in your organization? What will break? Those are the four steps that I think through, and advise my customers to consider.
Security Boulevard: Are you seeing your customers starting to take steps to prepare themselves for post-quantum crypto?
Greg Wetmore: We’re in the early phase, where we’re talking to customers trying to be at the forefront of security. This is especially true with our financial industry customers and our government customers. They are conscious of their very valuable data that needs to be secured for long periods. They’re the most interested in these discussions, and moving forward with trials and proof of concepts.
But to me, this is a problem that affects every organization; every customer of ours, certainly. Crypto is everywhere. Keys are everywhere. And every organization needs to secure transactions and protect their data, and they need to provide secure identities to their customers, employees and partners.