Preparing for Q-Day as NIST nears approval of PQC standards

Q-Day, the day when a cryptographically relevant quantum computer can break most forms of modern encryption, is fast approaching, leaving the complex systems our societies rely on vulnerable to a new wave of cyberattacks.
While estimates just a few years old suggested that a quantum computer capable of running Shor's Algorithm would not be operationally available until 2029 or later, more recent research to produce fault-tolerant quantum systems, such as the 48-qubit system produced by a team at Harvard, combined with news of PsiQuantum's million-qubit system slated to come online in 2027, suggests that the Q-Day horizon, however secretively or publicly it plays out, is coming faster than most anticipated.
Beyond the concerns presented by the breaking of cryptography, there is an existing threat that requires urgent action today.
The potential for malicious use is unlimited; for instance, encrypted data on the inner workings of a nuclear facility stolen in 2024 would still be relevant and exploitable in 2030 when a quantum computer can decrypt it.
Given the massive vulnerability these campaigns represent today, cybersecurity leaders should focus on shifting toward quantum-resilient systems as soon as possible.
The only way to ensure the digital commons remains operational and secure into the future is to collectively begin fortifying defenses in preparation for the coming quantum wave.
A new era of post-quantum cryptography standardization.
These NIST-validated quantum-resilient algorithms will finally be ready for deployment and enterprise use by security-oriented public and private sector early adopters.
The shift away from classical encryption to PQC won't happen overnight, and it shouldn't.
Solutions will need to be hybridized with current best-in-class cryptography during an initial transition phase with the eventual goal of ensuring all systems incorporate quantum resilience wherever possible.
As outlined by the US Office of Management and Budget directive, which advises agencies on how to prepare for quantum resilience, the first step is to inventory active cryptographic systems, including those used for creating and exchanging encryption keys, providing encrypted connections, or creating and validating digital signatures.
Once all systems have been identified, they can be categorized and prioritized by the most sensitive and critical data segments to have the most important systems upgraded first.
This process involves replacing current encryption methods with quantum-resilient algorithms, a complex and time-consuming initiative.
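One way to turn the inventory-and-prioritize step into a working triage, as an added example that is not from the article or the OMB directive. The scoring weights, the asset names and the `years_to_qday` planning input are assumptions (6 mirrors the article's 2024-to-2030 illustration).

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks. Symmetric ciphers such as
# AES are not broken by Shor and are left out of this triage.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519", "ED25519"}
# The three uses named in the inventory step.
USES = {"key_exchange", "encrypted_connection", "signature"}

@dataclass
class Asset:
    name: str
    algorithm: str      # e.g. "RSA-2048", "ECDH-P256", "AES-256-GCM"
    use: str            # one of USES
    sensitivity: int    # 1 (low) to 5 (most sensitive), set by the data owner
    secrecy_years: int  # how long the protected data must stay confidential

def quantum_vulnerable(asset: Asset) -> bool:
    return asset.algorithm.upper().split("-")[0] in SHOR_BROKEN

def priority(asset: Asset, years_to_qday: int) -> int:
    """Assumed scoring: sensitivity first, plus a bump when ciphertext
    captured today would still matter once it can be decrypted."""
    if not quantum_vulnerable(asset):
        return 0
    score = asset.sensitivity * 10
    if asset.use != "signature" and asset.secrecy_years > years_to_qday:
        score += 50
    return score

def triage(assets, years_to_qday):
    """Return (name, score) for quantum-vulnerable assets, most urgent first."""
    for a in assets:
        if a.use not in USES:
            raise ValueError(f"{a.name}: unknown use {a.use!r}")
    ranked = [(a.name, priority(a, years_to_qday)) for a in assets if quantum_vulnerable(a)]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

# Constructed inventory; every name and value here is illustrative.
INVENTORY = [
    Asset("public-website-tls", "X25519", "encrypted_connection", 1, 0),
    Asset("code-signing", "RSA-3072", "signature", 4, 0),
    Asset("vpn-gateway", "ECDH-P256", "encrypted_connection", 4, 10),
    Asset("tls-record-layer", "AES-256-GCM", "encrypted_connection", 3, 5),
    Asset("kms-key-wrap", "RSA-2048", "key_exchange", 5, 15),
]

if __name__ == "__main__":
    for name, score in triage(INVENTORY, years_to_qday=6):
        print(f"{score:3d}  {name}")
```

Signature keys rank lower here only because forged signatures require the quantum computer to exist first, whereas recorded key exchanges are exposed retroactively.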
Finding the right place to deploy PQC first to protect the most secure data systems and meet implementation constraints, while also avoiding the known and unknown pitfalls of trialing new technologies, is enough to warrant much of the inaction we're seeing today.
For security-conscious, forward-thinking organizations willing to trial and roll out PQC alongside the forthcoming NIST standardization, specific IT systems should be prioritized to ensure the long-term security of sensitive information.
These systems include key management systems responsible for generating, distributing, and managing cryptographic keys; secure communication systems including virtual private networks, secure email, cloud services, and applications; bespoke critical systems such as those used by financial institutions or in scientific research and engineering environments; along with operationally critical IoT devices.
There are also across-the-board architectural changes that can be made quickly for broad initial protection, e.g., deploying quantum-resilient TLS proxy systems, such as terminators and load balancers, and upgrading application layer cryptography libraries.
NIST's standardization of PQC algorithms is the last piece of data most organizations have been waiting for to start implementing PQC solutions.
Although our shared quantum computing-enabled future is constantly evolving alongside the corresponding defensive barriers required, the soon-to-be-published NIST standards offer a call to action backed by a sufficient degree of certainty to those on the fence about starting their PQC implementation journey.
While most CISOs are currently and rightly engaged in defending against the most urgent threats, action to protect them from being swamped by the coming wave of Q-Day is prescient.


This Cyber News was published on www.helpnetsecurity.com. Publication date: Mon, 01 Jul 2024 03:43:09 +0000

