Ready or not, quantum computing technology is rapidly advancing, and its new capabilities will be available sooner than most think. Quantum technology has the potential to transform applications like materials sciences, drug discovery, financial transactions, and even climate change research. However, these revolutionary advances are also introducing substantial challenges to digital trust and encryption. Some experts have predicted that post-quantum computing technology will be powerful enough to break leading cryptographic security algorithms within a decade or less.
Organizations are taking the potential risks of post-quantum computing technology seriously, but their state of readiness remains shaky. According to a recent Ponemon Institute Report, 41 percent said they believe their organizations have less than five years to be ready for the new challenges. Yet only 23 percent of participants reported having a security strategy in place, and only 30 percent said their organizations are allocating budget for post-quantum readiness.
It’s never too early to take a proactive stance
Why aren’t organizations better prepared for new developments that could impact their most critical business processes? In informal conversations with customers, we’ve heard that many are more focused on short-term technology challenges like the rapid emergence of AI. Until a well-working quantum solution capable of cracking encryption actually appears, organizations prefer to focus on immediate security threats such as nation-state actors and other near-term IT priorities.
However, although current technology can’t yet break today’s encryption schemes, many organizations are concerned that attackers may be capturing encrypted packets now, with plans to crack them when new compute capabilities are available. According to the Ponemon Institute, 74 percent of survey participants worried that attackers might conduct these “harvest now, decrypt later” attacks.
Even if organizations aren’t ready to directly address coming quantum computing challenges, they can still take steps to evaluate and be ready to rapidly deploy new encryption algorithms. That requires an organization with crypto-agility. Crypto-agility is the ability to discover a complete inventory of keys, certificates, algorithms, libraries, and protocols and then quickly switch to different encryption mechanisms. It requires understanding how cryptography is in use within an organization, and having the culture and tools required to rapidly update it.
Moving toward crypto-agility
Government and industry leaders have already taken some initial steps to help organizations address the coming post-quantum challenges. The National Institute of Standards and Technology (NIST) has already chosen four algorithms designed to withstand attacks by quantum computers, and is now in the process of standardizing these algorithms. Three new signature algorithms are expected to be ready for use in 2024, and organizations with implementations of crypto-agility will be best prepared to implement them.
Do an inventory
What are some steps that organizations can take to enhance crypto-agility today? Acquiring visibility is fundamental. All too often, IT and security staff have only limited insight into how and where cryptography is used in their infrastructure and business processes.
To understand which areas need attention, take steps to initiate a thorough inventory. Perform a complete scan of applications and systems that are now using public key cryptography. A reputable certificate discovery service can provide a current snapshot of your certificate environment.
Organizations should also extend the inventory beyond certificates, to examine components in their communications and hardware systems. Elements like Hardware Security Modules (HSMs) and Trusted Platform Modules (TPMs) do often hold cryptographic assets. In DevOps environments, code signing processes might also be vulnerable to advanced new attacks. To keep insights complete and current, organizations should perform discovery tasks on a frequent basis.
Automate for efficiency
After acquiring in-depth visibility into potentially risky areas, the next step is to ensure the organization is prepared to replace outdated cryptographic assets quickly, and at scale. These assets include any documents, servers, processes, users, and devices that utilize cryptography. Automation can play an important role in responding to new challenges on short notice. Individually managing cryptographic assets is error-prone, labor intensive, and time-consuming.
For a large enterprise organization with many thousands of cryptographic assets such as certificates, it’s simply not practical to update crypto manually. The simplest way to ease certificate lifecycle management is to use PKI as a service, with an automation manager, which can enable organizations to rapidly roll out large numbers of certificates in just minutes, to cloud or on-premises environments.
Test for preparedness
Cryptographic elements often extend across a variety of applications and environments, so interoperability testing is another important step for improving crypto-agility. Many organizations, such as DevOps teams, routinely perform testing as part of their development cycles, so testing won’t require major changes, but refinement of existing processes.
When it’s time to update cryptographic algorithms, first check the interoperability of your infrastructure and applications before migrating at scale.
Solving for today’s challenges, and preparing for the future
Although any strategic initiative can seem daunting, taking some steps to strengthen crypto-agility today can reassure key decision-makers that their organization is fully prepared for challenges that lie on the horizon. According to the Ponemon report, organizations that were considered high performers in the survey were more positive about their ability to achieve a safe post quantum computing future using the necessary cryptographic techniques. With the right culture, communication, tools, and technology partner, organizations can get on the fast track toward crypto-agility today.
For organizations and individuals wishing to learn more about how to become quantum ready or are on the fence about when to start a quantum strategy, DigiCert created World Quantum Readiness Day that will be on September 26, 2024. The event serves to drive awareness of the implications of quantum with a plethora of information on what companies can do today.
About the Author
Dr. Avesta Hojjati is VP of Engineering at DigiCert. Prior to joining DigiCert, Dr. Hojjati held a variety of roles at large enterprises such as Symantec and Yahoo, as well as being a founder and CEO of Security7 Inc., a penetration testing company. At DigiCert, Dr. Hojjati leads the advanced development of a suite of cybersecurity products, including embedded/IoT device security and post-quantum cryptography (PQC) solutions, in addition to influencing the broader product roadmap in conjunction with the M&A strategy.
Dr. Hojjati earned his Master’s and Ph.D. in Computer Science from the University of Illinois at Urbana-Champaign, and his Bachelor’s in Computer Science from Texas Tech University. He has authored over 20 journal/conference papers and is the inventor of 30 U.S. patents, both granted and pending.
Avesta can be reached online at https://www.linkedin.com/in/avestahojjati/ and at our company website https://www.digicert.com/