Internet security company Cloudflare, the world’s largest DDoS-mitigation service, plans to shift a sizable chunk of its traffic through post-quantum encrypted services over the next year.
Approximately 35% of human-directed web traffic to Cloudflare’s network is currently protected through advanced encryption algorithms. These algorithms are theoretically designed to withstand attacks from significantly more powerful quantum computers in the future. This year, the company will expand post-quantum encryption to its zero trust suite, including its network identity access solutions, secure web gateway for inspecting TLS traffic and WARP device clients.
The moves are part of a long-term strategy to future-proof all Cloudflare’s services against a potential threat that many computer scientists believe we must prepare for, even though quantum computers capable of breaking classical encryption are thought to be years, if not decades, away from reality.
John Graham-Cummings, Cloudfare’s chief technology officer, told CyberScoop that while the company has spent eight years developing its own post-quantum plans, the focus this year on its zero trust products reflects a heightened level of interest they’re seeing for the services on the corporate and enterprise side.
“We are now seeing real pull from customers, particularly in financial services, but also in other areas, to actually be post-quantum safe,” Graham-Cummings said.
The National Institute of Standards and Technology has advised the private sector and other organizations to begin the laborious process of replacing their older encryption. The goal is to have most of our digital data and devices protected by post-quantum algorithms by 2030.
The adoption of such encryption by major service providers like Cloudflare is an important component of that migration strategy. According to 2022 data from We3Techs, Cloudflare’s services are used by 1 out of every 5 websites, while Netcraft has found it was used by nearly 20% of the million busiest websites on the internet. Many of the world’s largest websites rely on Cloudflare’s services to defend against DDoS attacks.
Graham-Cummings said the work being done this year at Cloudflare represents “the corporate access portion” of its post-quantum migration.
In a blog published Monday, the company said its broader migration efforts around post-quantum encryption will require updating several communications protocols used for digital certificate signatures and key agreement protocols.
Thus far, Cloudflare said it has made “significant progress” on updating key agreement mechanisms using a lattice-based algorithm based on CRYSTALS-KYBER, one of NIST’s approved post-quantum algorithms, which is also approved by the NSA for protecting national security systems. The blog stated that the company’s work on adapting digital certificate signatures is “still in its early stages.”
NIST has spent much of the past decade working out how to best protect current systems data from a quantum computer capable of breaking most forms of classical encryption used today. The agency has identified and approved five new algorithms thus far that they hope will underpin the future of modern encryption, and they want everyone to start using them as soon as possible.
That’s because NIST and national security officials believe that while we may not see a genuine cryptographically relevant quantum computer for years , intelligence services for foreign nations and other bad actors are likely stealing and harvesting classically encrypted data today in the hopes of breaking open their secrets when the technology does eventually arrive.
Others also worry about the prospect of “technological surprise,” or when a technology breakthrough happens earlier than expected, creating massive disadvantages for those who could not prepare.
Those possibilities and the warnings from NIST have caused many businesses and organizations — often working with security budgets that are largely focused on the digital threats of today — to ponder how quickly and forcefully to carry out their own migrations.
Graham-Cummings likened the challenge to Y2K, the massive push in the late 1990s to patch computers against a potentially catastrophic software bug. Preparing for the coming post-quantum revolution will require a similar collective effort by society, but with less certainty around the timeline.
“I think what we’re starting to see on the corporate side is people thinking about this a little bit like the Y2K problem,” he said, “with the difference being that they don’t actually know when the date is.”
