26 Jan 2023
by Samantha Mabey

The Quantum Computing impact on digital security, and why the time to prepare is now (Guest blog by Entrust)

Guest blog by Samantha Mabey, Product Marketing Director of PKI & IoT at Entrust.


Quantum computing is an exciting topic. As quantum computers continue to advance, they will provide a multitude of efficiencies and opportunities through their ability to process exponentially faster than any traditional computer. In the energy and utilities sector, some of the benefits could be identifying energy and network efficiencies, or simulations and process improvements that could contribute to something like carbon reductions.

But in addition to the many opportunities quantum computers will bring, they also pose an inevitable threat to digital security. It’s estimated that within the decade a quantum computer will be powerful enough to break traditional public key cryptography. That will essentially mark the end of the golden age of cryptography as we know it, and it means that to remain secure, organizations will need to migrate to post-quantum cryptography (PQC).

Although the timeline suggests that the threat is roughly 10 years away, it’s actually much sooner. There is a known attack happening today, “harvest now, decrypt later”, in which bad actors are harvesting long-life data – sensitive data that must remain confidential for 10+ years – with the intent of decrypting that data once a quantum computer is capable of doing so. This threat is critical for any organization or entity, including energy and utilities, that handles or stores this kind of data.

In the United States, the National Security Agency (NSA) released the “Commercial National Security Algorithm Suite 2.0”. This document was created to notify and guide National Security Systems (NSS) owners, operators, and vendors of PQ requirements as they relate to “networks that contain classified information or are otherwise critical to military and intelligence activities.” It also set out timing parameters to begin this transition, the first of which is for software and firmware signing, and the NSA indicated that this transition should begin immediately.

The Steps for PQ Preparedness 

Knowing the transition to PQC will be very involved and span several years, where should you start? Some steps organizations should be taking to prepare include:  

1 – Inventory Data 

Understanding where your valuable and/or long-life data resides, as well as the related data flows, will help you determine where to start and where your highest concerns are.

2 – Inventory Cryptographic Assets 

Some organizations already struggle with knowing what cryptographic assets reside in their environment, and having visibility into this is key when creating a post-quantum readiness plan. In addition to visibility, it’s important to ensure compliance, control, and automation of these assets.

3 – Build a Cryptographic Agility Strategy and Roadmap 

Cryptographic agility – the ability to easily move from one algorithm to another – will be critical for the PQC transition. It’s also important for organizations to identify areas of risk relating to cryptography, including process, people, and technology.

4 – Test and Plan the Migration 

All eyes are on the NIST PQ Competition to determine the recommended algorithms that are PQ-safe, but in the meantime, round 3 finalist algorithms have been announced and testing can begin.

While we wait for the final quantum-safe algorithms to be determined, NIST and Germany’s Federal Office for Information Security (BSI) have both expressed their support of hybrid algorithms. This essentially helps organizations hedge their bets by mixing traditional cryptography with PQC, and ensures they’ve got that additional layer of protection while the post-quantum future approaches.

The transition to PQC is not another crypto refresh cycle: it will be very involved and span years. One thing we can all agree on is that, from creating a PQ-readiness team to building out a PQ strategy and roadmap, the time to prepare for post-quantum is now.

