“Act Now” Says DHS/NIST and CSA – Get a Jump on Post-Quantum Planning & Execution

It seems appropriate that two meaningful reports on the urgency of post-quantum preparedness planning were published during Cybersecurity Awareness Month: Cloud Security Alliance’s Practical Preparations for the Post-Quantum World and the Department of Homeland Security’s roadmap to post-quantum cryptography. The underlying theme in both papers is that the greatest cryptographic transition in the history of computing is about to take place and all organizations – from federal agencies to commercial businesses – will be impacted. The time to act is now.

Data security expert and lead author of the CSA paper, Roger Grimes, shares in a recent LinkedIn post:

“Even if you do not know it yet, soon every organization in the world…nearly every person…will be involved in a multi-year cryptographic migration project…likely involving your whole organization within the next one to two years. But NOW is time to learn more about it, educating yourself and others, along with telling senior management (since it will be their budget) about what’s about to happen. Most people aren’t even aware it’s on the horizon. But soon you and everyone else will be involved in it, personally and professionally. This is not hyperbole. It’s what is happening.”

Organizations, especially those with persistent long-duration data, need to start planning and executing their quantum risk assessment and post-quantum readiness plans now. The work may require more time and resources than ever imagined, and there is no guarantee that a sufficiently capable quantum computer won’t become available before your migration is complete, putting your mission-critical data at risk.

Homeland Security Secretary Alejandro Mayorkas said: “Now is the time for organizations to assess and mitigate their related risk exposure. As we continue responding to urgent cyber challenges, we must also stay ahead of the curve by focusing on strategic, long-term goals.”

Like both papers, Quantum Xchange has long advocated the dire need to raise awareness and convey to leadership the severity and immediacy of the quantum security threat. Faced with competing priorities, leaders may otherwise fail to understand why this issue deserves immediate attention and investment. We’ve created a robust library of educational materials to get you quickly up to speed on quantum security approaches, best practices, and recommended next steps.

Despite the warnings from groups like NIST, DHS, CSA, WEF, etc., too many organizations are taking a “wait and see” approach, waiting for NIST to publish its final PQC algorithms as standards before they take any action. Unfortunately, this is flawed, shortsighted thinking. Consider the following:

  • A quantum computer may be available before the PQC selection process is finalized (2023) and the full transition is completed. NIST warns another 5-15 years will be needed before a full cryptographic transition is completed. Yikes!
  • There is no guarantee that the cryptographic standards selected will not be broken by adversaries or be vulnerable to implementation errors.
  • Harvest today, decrypt tomorrow attacks are happening now.
  • Current PKE systems, i.e., TLS/SSL, and key management practices are rife with vulnerabilities, putting today’s data and communications networks at risk. With PKE, the encryption keys and data travel together. An attacker needs only to compromise one connection to obtain secret information.

Consider that final bullet point for a second. The network encryption systems we rely on today were built decades ago, in the 1970s/80s, and were not designed for the hyperconnected environments of today. Think about how much the digital landscape has changed between now and the last major cryptographic transition, Y2K. Or between now and 2007, when the original iPhone hit the market. At Quantum Xchange we believe PKE systems, with their inherent architecture flaws (mainly keys and data traveling together), are no longer fit for purpose. A totally new and reimagined key delivery architecture for the pending post-quantum world is needed.

Shor’s algorithm proves traditional asymmetric encryption like RSA and Diffie-Hellman will be rendered obsolete in the quantum age. This includes nearly 90% of all widely used cryptography on the Internet and networks today. Asymmetric keys will become broken or weakened and need to be replaced with PQCs or QKD, while symmetric keys may require lengthening to maintain protection strength. In either instance, expensive multi-year crypto migration projects are likely. Or you can deploy Phio TX.

Quantum Xchange’s groundbreaking key delivery system eliminates the “original sin” of PKE by decoupling key generation and delivery from data transmissions. The crypto-agile platform can support quantum keys generated from any source, protected by any method, and operates over any TCP/IP connection to deliver quantum-safe keys anywhere on the planet. The FIPS-validated implementation works as a simple architecture overlay and can be dropped into your existing crypto infrastructure today to make it immediately quantum resistant.

This October, we encourage you to embrace the evergreen theme of Cybersecurity Awareness Month and “Do Your Part. #BeCyberSmart.” Read the DHS roadmap for post-quantum crypto, heed the advice of CSA, and contact Quantum Xchange to learn more about Phio TX.
