The RAND Corporation’s recent report, “Securing Communications in the Quantum Computing Age” says what we at Quantum Xchange have been saying for years: the quantum threat to secure communications is urgent, but if we start to prepare now, there’s no need to panic.
There was quite a bit we agreed with in the report. The primary shortfall was the omission of Quantum Key Distribution (QKD) as part of the solution to build crypto-agility into our systems. As the report steps through its assessments and recommendations, it focuses solely on Post Quantum Cryptography (PQC) as the means of securing our communications. But this leaves out a critical piece of the comprehensive approach needed to prepare us for a quantum future. Quantum Xchange believes that most organizations will need a layered approach to quantum security — one that leverages both PQC and QKD for maximum security. Therefore, we believe that a defense-in-depth strategy is needed to combat the quantum threat and crypto-agility essential to quantum readiness. Let’s dive in.
Scope of the Report
RAND’s report addresses the threat we will be facing from quantum computers, specifically, the ability of those computers to break the digital encryption methods that we rely on for most of our communications today. It assesses how soon quantum computers are likely to be developed and how quickly PQC is likely to be standardized and adopted. Based on those assessments, the report makes a series of recommendations for government actions (most importantly) – but also for individual organizations – to ensure we get ahead of the threat.
Timelines regarding the arrival of quantum computers remain uncertain. However, RAND consulted experts who assert that it will probably be another 15 years before quantum computers pose a threat to our communications. PQC protocols, something NIST is working on developing, are expected to be drafted in the next five years. Adoption of those protocols, however, will take another 15-20 years and the “global transition” necessary for implementation could take decades.
Given these timelines and acknowledging the lead time needed to implement the necessary measures to safeguard our communications, RAND concludes (as we have already determined) that we cannot afford to waste time in addressing the threat. Even worse, RAND points out that we will encounter cybersecurity weaknesses more dangerous than those we face today if we don’t implement proper PQC in a timely manner. It’s also worth reminding organizations that even today, sensitive, encrypted data is already at risk as it can be stolen and stored until quantum computers are available to decrypt it. RAND’s points that the threat is urgent and that we need to raise awareness of that threat are well taken.
QKD Needs to be Part of the Equation….
RAND recognizes, as we do, that the government is the key driver for change. The report makes valid recommendations for our executive and legislative branches: prioritize the threat; coordinate among key entities to raise awareness of the issue; urge the adoption of PQC standards, and mandate the transition to PQC as soon as possible.
We are really talking about crypto-agility. RAND, in fact, makes the recommendation for individual organizations to ensure cyber-resilience and crypto-agility are part of the overall plan, but from our perspective, this agility involves more than just PQC. At Quantum Xchange, we are already postured to provide crypto-agility through PhioTX. By incorporating PQC as a standard feature in our Phio TX key distribution system, we created the first complete quantum-safe key exchange that is uniquely capable of making traditional keys quantum-safe, and supports both physics and math-based approaches to quantum security.
RAND also recommends that individual organizations determine what systems are vulnerable to assess their risk and develop their plan to transition to a quantum-safe environment. This is certainly important, but in addition to that, businesses should do an inventory of the sensitive, encrypted data they have to determine what kind of protection is required. Anything that has a long shelf-life (i.e., national secrets, proprietary information, PPI, etc.) needs to be protected due to the potential for it to get stolen now and decrypted later – all the more reason to build a plan that can layer in the necessary protection and upgrade your defenses as the threat evolves.
In the current austere environment in which we find ourselves today, we are very familiar with urgent threats. But unlike the threat from COVID-19, which caught the world by surprise, many of us are already aware of the threat posed by quantum computers. As the RAND report highlights, though, we need to raise the awareness of this urgent threat. Adding to that urgency is the prospect of an even greater demand for secure communications in light of the COVID-19-driven increase in telework and remote operations. There has never been a better time to prepare for a quantum-safe future.
Contact us to help you prepare to secure your communications in a quantum world.