A New Sense of Urgency Emerges in the Race to Avert Q-Day
We’ve said it before, and we’ll say it again: cryptography in the enterprise is routinely taken for granted, rarely evaluated or checked.
While ransomware generates all the headlines, an attack on your cryptographic infrastructure could have devastating consequences. Recent proprietary research from Quantum Xchange found that up to 80 percent of network traffic had some hackable flaw in its encryption, and 61 percent of network traffic was unencrypted!
As computers continue to advance in speed and sophistication, public discourse has progressed too. The New York Times Oct. 22 article, “The Race to Save Our Secrets from the Computers of the Future,” shows that the business mainstream is just now beginning to take note.
Yet in the same week, Ponemon Institute released the findings from a survey of 1,426 IT and cybersecurity professionals commissioned by DigiCert. It shows that enterprises are worried they are ill-prepared to deal with potential cybersecurity risks brought on by quantum computing, with more than half of those surveyed (61%) expressing concern that their organization is not and will not be prepared.
Despite the fractured state of existing cryptographic systems, many decision-makers have turned a blind eye, embracing complacency as strategy when it comes to enterprise cryptography. The Ponemon survey found 23 percent believe their leadership team is not aware of security risks related to quantum computing, and only 39 percent have a company-wide strategy to manage cryptography.
The Securities and Exchange Commission’s (SEC) recent regulations, requiring organizations to disclose any major cybersecurity incidents, could catalyze a much-needed shift in perspective and prompt enterprises to take more proactive action to manage cryptographic risk by adopting more forward-thinking practices and policies.
Quantum Xchange’s CMCO April Burghardt writes about this extensively in her op-ed piece for Fast Company, “Cryptography is Dying – Long Live Cryptography.”
The article makes the case for elevating cryptographic risk and response to a board-level agenda item. She writes: “Having complete visibility of existing cryptographic systems and processes has now become a non-negotiable in preparing the modern business for a future-proof security stance.”
Similarly, NIST and the Quantum Computing Cybersecurity Preparedness Act urge organizations to start checking their systems now for encryption that will need to be replaced, reminding organizations of how past cryptographic migrations took nearly two decades before full transition was completed.
Here again, the Ponemon survey reveals an unnerving truth – most enterprises are stalled, with only half (52%) currently making an inventory of the types of cryptographic keys being used.
Zach Montague of The New York Times writes in the aforementioned article, “But even given this new urgency, the migration to stronger encryption will most likely take a decade or more – a pace that, some experts fear, may not be fast enough to avert catastrophe.”
Adding to this urgency is the Sputnik-like race for quantum supremacy, where adversaries of the United States may be stealing encrypted data now, waiting for the day when a quantum computer can break its encryption. 74 percent of Ponemon respondents worry their data may be targeted for “harvest now, decrypt later” attacks.
Experts caution that these same adversaries are not likely to share when a breakthrough has occurred, making the quiet quantum threat unlike any the defense community has faced. Quantum Xchange’s Chief Strategy Officer Vince Berk writes about this potential cyber espionage tactic in the NextGov article, “Back to the Future: Protecting Against Quantum Computing.”
The time is now to discover and prioritize cryptographic risk and to understand the security implications of both everyday cryptographic weaknesses and future, quantum-based threats. There’s simply too much at stake not to.
Join Quantum Xchange for the Dec. 6 webinar exploring CipherInsights – our new cryptographic discovery and risk assessment tool. Register here.