Wednesday, July 06, 2022

Worry About Post-Quantum Threats? Here Is How Orgs Should Proceed

As quantum technologies are expected to migrate from research labs to real-world commercial environments within this decade, some governments and organizations have started to recognize the potential post-quantum threats and to prepare for years to quantum (Y2Q).

The Cybersecurity and Infrastructure Security Agency (CISA) this week announced a Post-Quantum Cryptography Initiative to unify the agency’s effort against threats posed by quantum computing. It comes on the heels of the selection by the Department of Commerce’s National Institute of Standards and Technology (NIST) of the first four encryption algorithms that will become part of its post-quantum cryptographic standard, which is expected to be finalized in two years.

The two agencies recommend that organizations start preparing for the cryptographic standard transition by following the Post-Quantum Cryptography Roadmap. It suggests organizations take action to inventory applications that use public-key cryptography; test the new standard in a lab environment; create plans for transition and acquisition policies regarding post-quantum cryptography; alert IT departments and vendors; and educate and train the workforce about the upcoming transition.

The World Economic Forum’s Quantum Computing Network also initiated a Quantum Computing Governance program, and Deloitte is one of the partners.

“What we are focusing on is at some point in the future, quantum computers will likely be able to implement specific algorithms that can attack some of the current day cryptography, specifically public-key cryptography,” Colin Soutar, managing director in Deloitte Risk & Financial Advisory, told SDxCentral.
One of those algorithms is Shor’s algorithm, developed in 1994 by the American mathematician Peter Shor.

What can organizations do in preparation for that? First of all, Soutar recommended that organizations understand their potential exposures, such as their existing cryptography tools, vulnerabilities in the supply chain, how they currently store and protect data, and the types and sensitivity of the data.

“There is a concern that there’s an attack going on called ‘hack now, decrypt later,’ which actually tries to capture some of that data, especially in transit, and store it on the understanding that later on once Shor’s algorithm has been implemented, attackers can then attack that data,” he said.

After building out the risk profile, organizations can adopt better cyber hygiene based on the discovery and decide whether to update their cryptographic standards.

“Ultimately, the defensive measures that organizations can put in place around things like zero trust, multi-factor authentication, network integrity, just the standard cyber hygiene,” Soutar said. “We never say that that will give ultimate protection, but those are always good things to do.”

In a blog, other Deloitte experts also suggest learning about quantum’s potential repercussions in specific industries, monitoring technology developments, creating a strategy to address the security impact of quantum computing, and improving organizations’ crypto-agility.
