The Department of Homeland Security (DHS), in partnership with the National Institute of Standards and Technology (NIST), has released a roadmap to help organizations protect their data and systems and to reduce risks related to the advancement of quantum computing technology.
“The transition to post-quantum encryption algorithms is as much dependent on the development of such algorithms as it is on their adoption. While the former is already ongoing, planning for the latter remains in its infancy. We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future,” stated U.S. Secretary of Homeland Security Alejandro Mayorkas back in March 2021.
The quantum leap
Quantum computing uses quantum bits, or qubits, based on quantum physics to break barriers currently limiting the speed of today’s common computers. It does not give you more processing power; instead, it relies on superposition (the ability to be in multiple states at the same time) and entanglement (the perfect unison of two or more quantum particles) to process large quantities of information, including numbers.
Researchers and scientists believe that during the next few years, a computer able to solve problems that would be extremely difficult, or take incredible amounts of time, for conventional computers to solve will be widely available. IBM and Google are already “clashing” over who has supremacy in building a capable quantum computer. Regardless, quantum computers could render most of today’s encryption algorithms useless.
“If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use,” states NIST, which is leading the effort to standardize one or more quantum-resistant public-key cryptographic algorithms. “This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.”
Nevertheless, the problem is not a futuristic one. Experts agree that many of the data breaches we witness today may be aimed at amassing sensitive, encrypted data now in order to decipher it later, when the technology becomes mature enough to break the encryption algorithms protecting digital communications.
“Now is the time for organizations to assess and mitigate their related risk exposure. As we continue responding to urgent cyber challenges, we must also stay ahead of the curve by focusing on strategic, long-term goals,” Mayorkas said in the DHS press release.
Evaluate your risk exposure
The first step towards understanding quantum risk is to create a full inventory of your cryptographic assets. This includes the use of cryptography in the organization but also documentation regarding policies and procedures. It is also imperative to determine what type of information is protected by cryptography and for how long it must stay protected.
The inventory of your assets impacted by quantum computing is highlighted in the joint DHS – NIST roadmap. The roadmap provides a seven-step process that emphasizes creating an inventory of encrypted systems, and prioritizing data that is most at risk. Besides inventorying your critical assets, DHS and NIST suggest performing a detailed risk assessment to calculate the risk to each item in the inventory and then prioritize these systems for cryptographic transition based on organization functions, goals, and needs.
Develop a plan to mitigate risk
The last action item in the DHS – NIST roadmap is to create an action plan. Finding the optimal solution can also be a challenging task. A recommended approach is to use hybrid solutions where the level of security depends on both a classical and a quantum-safe algorithm (e.g. one of the candidates of the NIST standardization process). If one of the algorithms is secure, the overall security is maintained.
An important element in the transition to quantum-safe cryptography is the introduction of crypto-agility. This design principle facilitates changes to the cryptography even after deployment and allows us to prepare for the transition to quantum-safe solutions once the NIST standardization process is completed. System design methodologies should incorporate crypto-agility to ensure long-term security and privacy. Implementing crypto-agility in hardware can result in significant cost savings, as the need for future hardware replacement can potentially be avoided.
Some implementations of crypto-agility even centralize the rollout of cryptography over the entire environment. If a specific algorithm becomes inadequate, it is managed centrally through a process that is ideally transparent to other systems. Such a platform is not only useful for mitigating quantum risk but can ultimately also improve security by providing a centralized mechanism for cryptographic configurations.
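A minimal sketch of the centrally managed crypto-agility described above, as an added example that is not code from the roadmap or from any product. Every protected item records the algorithm that produced it, and a single policy object decides what is used for new data and what is still accepted. The registry, the policy layout and the function names are hypothetical, and the two HMAC variants are only stand-ins that run with the Python standard library; the same pattern applies to the public-key algorithms that quantum computing threatens.

```python
import hashlib
import hmac

# Hypothetical central policy: one place decides which algorithm protects
# new data and which older ones are still accepted during migration.
REGISTRY = {"hmac-sha256": hashlib.sha256, "hmac-sha3-256": hashlib.sha3_256}
POLICY = {"current": "hmac-sha256", "accepted": {"hmac-sha256"}}


def protect(key: bytes, message: bytes) -> str:
    """Tag a message; the token records which algorithm produced it."""
    alg = POLICY["current"]
    return alg + "$" + hmac.new(key, message, REGISTRY[alg]).hexdigest()


def verify(key: bytes, message: bytes, token: str) -> bool:
    """Dispatch on the recorded algorithm; refuse anything policy retired."""
    alg, sep, tag = token.partition("$")
    if not sep or alg not in POLICY["accepted"] or alg not in REGISTRY:
        return False
    expected = hmac.new(key, message, REGISTRY[alg]).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode())


def needs_migration(token: str) -> bool:
    """True when a stored token was made under a non-current algorithm."""
    return token.partition("$")[0] != POLICY["current"]


def set_current(alg: str) -> None:
    """Switch new protections to `alg`; old tokens stay verifiable."""
    if alg not in REGISTRY:
        raise KeyError(f"unknown algorithm: {alg}")
    POLICY["current"] = alg
    POLICY["accepted"].add(alg)


def retire(alg: str) -> None:
    """Stop accepting `alg` once its data has been re-protected."""
    if alg == POLICY["current"]:
        raise ValueError("cannot retire the current algorithm")
    POLICY["accepted"].discard(alg)
```

Callers only ever use `protect` and `verify`, so moving to a new algorithm is a policy change (`set_current`, re-protect what `needs_migration` flags, then `retire`) rather than a code change in each system.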
The underlying concept of the DHS – NIST roadmap is to enhance an organization’s crypto-agility. Although the post-quantum era is still a few years away, practicing crypto-agility now will help your organization evolve, and avoid expensive security retrofitting in the future as quantum computing becomes more prevalent.
A recent Thales survey on weaknesses in data-in-motion showed that 73% of respondents recognize that quantum computing represents a significant cybersecurity threat and that they must plan to protect data against quantum threats starting now. These include practical steps such as implementing quantum-safe algorithms that will enable a safe and crypto-agile migration from current cryptography to a post-quantum world.
Thales also recently partnered with Quantum Xchange to offer immediate quantum-safe and crypto-agile key delivery capabilities. The resulting quantum-resistant network solution enables end-users to future-proof the security of their data and communications networks; overcome the vulnerabilities of present-day encryption techniques, e.g., keys and data traveling together; and protect against man-in-the-middle, harvesting, and future quantum attacks.
Use our free Post-Quantum Crypto Agility Risk Assessment Tool, which will help you better understand whether your organization is at risk of a post-quantum breach, learn about the scope of work required, and see what you should be doing today to be post-quantum ready.