Survey Surfaces Limited Amount of Post-Quantum Cryptography Progress
A survey of 1,042 senior cybersecurity managers in the U.S., the United Kingdom and Australia finds only 5% have implemented quantum-safe encryption, even though 69% recognize the risk quantum computing poses to legacy encryption technologies.
Conducted by Propeller Insights on behalf of DigiCert, a provider of public key infrastructure (PKI) used to encrypt data and certificates, the survey also finds that 69% of respondents believe quantum computers will break current encryption within five years.
On the plus side, 57% said they are either extremely (19%) or very (38%) prepared for quantum threats.
Mike Nelson, vice president of digital trust for DigiCert, said that while adoption of quantum-safe encryption technologies is thus far limited, there is significant awareness of the issue. In fact, 46% of respondents acknowledged substantial amounts of their data could be compromised by quantum computers.
Nation states are already harvesting encrypted data on the assumption that they will be able to decrypt it in the future using quantum computers. It would then become possible to use generative artificial intelligence (AI) models to surface sensitive data pertaining to, for example, intellectual property, that could be disseminated to an organization’s competitors.
The challenge organizations face is that upgrading encryption algorithms and schemas requires multiple years of effort. In the meantime, no one knows for certain when Q-Day, the point at which quantum computers are able to crack legacy encryption algorithms, will arrive.
A further challenge, of course, is convincing business leaders to allocate resources to upgrade encryption algorithms and schemas in the face of so many other, more immediate competing priorities.
At the very least, organizations should already be creating an inventory of their cryptographic assets, including digital certificates, to determine which ones are being relied on to encrypt their most sensitive data, noted Nelson.
Organizations should also now be testing post-quantum cryptography (PQC) to better understand the level of effort required to upgrade and any interoperability issues that might arise, he added.
The overall goal should be to avoid having to quickly adopt new encryption technologies when it is inevitably discovered that quantum computers have been able to decrypt legacy encryption technologies, noted Nelson.
Of course, there will be organizations that are not fully prepared when Q-Day arrives, so some level of panic is going to be almost unavoidable. While not all the data being encrypted today may prove to be valuable a few years from now, there will still be plenty of instances where sensitive data will almost inevitably be exposed. The only open question will be to what degree organizations can ascertain how much of their encrypted data is being shared with potential rivals. Business leaders and government officials may also be threatened with disclosure of that data unless they comply with specific requests.
Hopefully, it will become easier in the months and years ahead to upgrade encryption algorithms and schemas to keep such incidents to a minimum. In the meantime, cybersecurity teams would be well-advised, as always, to be prepared for the worst.