Q-Day, the day when a cryptographically relevant quantum computer can break most forms of modern encryption, is fast approaching, leaving the complex systems our societies rely on vulnerable to a new wave of cyberattacks.
While estimates just a few years old suggested that a quantum computer capable of running Shor's algorithm would not be operationally available until 2029 or later, more recent research to produce fault-tolerant quantum systems, such as the 48-qubit system produced by a team at Harvard, combined with news of PsiQuantum's million-qubit system slated to come online in 2027, suggests that the Q-Day horizon, however secretively or publicly it plays out, is coming faster than most anticipated.
Beyond the concerns presented by the breaking of cryptography, there is an existing threat that requires urgent action today.
The limits for malicious use are unending; for instance, encrypted data on the inner workings of a nuclear facility stolen in 2024 would still be relevant and exploitable in 2030 when a quantum computer can decrypt it.
Given the massive vulnerability these campaigns represent today, cybersecurity leaders should focus on shifting toward quantum-resilient systems as soon as possible.
The only way to ensure the digital commons remains operational and secure into the future is to collectively begin fortifying defenses in preparation for the coming quantum wave.
A new era of post-quantum cryptography standardization.
These NIST-validated quantum-resilient algorithms will finally be ready for deployment and enterprise use by security-oriented public and private sector early adopters.
The shift away from classical encryption to PQC won't happen overnight, and it shouldn't.
Solutions will need to be hybridized with current best-in-class cryptography during an initial transition phase with the eventual goal of ensuring all systems incorporate quantum resilience wherever possible.
As outlined by the US Office of Management and Budget directive, which advises agencies on how to prepare for quantum resilience, the first step is to inventory active cryptographic systems, including those used for creating and exchanging encryption keys, providing encrypted connections, or creating and validating digital signatures.
Once all systems have been identified, they can be categorized and prioritized by the most sensitive and critical data segments to have the most important systems upgraded first.
This process involves replacing current encryption methods with quantum-resilient algorithms, a complex and time-consuming initiative.
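The inventory-and-prioritize step described above, as an added Python example that is not from the article or the OMB directive. The CSV columns, the sample systems, the priority tiers and the use of 2030 as the assumed Q-Day year (borrowed from the article's 2024/2030 illustration) are all assumptions made for the example.

```python
import csv
import io

# Constructed sample inventory (not from the article). needed_until is the
# last year the protection must still hold for that system's data.
INVENTORY_CSV = """system,function,algorithm,needed_until
vpn-gateway,key_exchange,ECDH-P256,2035
partner-portal,key_exchange,RSA-2048,2026
code-signing,signature,ECDSA-P256,2032
backup-archive,encryption,AES-256,2040
iot-telemetry,key_exchange,X25519,2031
"""

# Public-key families broken by Shor's algorithm.
SHOR_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519", "ED25519"}
ASSUMED_Q_DAY = 2030  # assumption, taken from the article's 2024/2030 illustration


def classify(row, q_day=ASSUMED_Q_DAY):
    """Return (priority, reason) for one inventory row; 1 is most urgent."""
    family = row["algorithm"].split("-")[0].upper()
    if family not in SHOR_VULNERABLE:
        return 4, "not broken by Shor's algorithm"
    if int(row["needed_until"]) < q_day:
        return 3, "quantum-vulnerable, but protection need ends before assumed Q-Day"
    if row["function"] in ("key_exchange", "encryption"):
        # Ciphertext recorded today can be decrypted later, so exposure already exists.
        return 1, "recorded traffic decryptable after Q-Day"
    return 2, "must be replaced before Q-Day, no retroactive exposure"


def prioritize(csv_text, q_day=ASSUMED_Q_DAY):
    """Rank inventory rows: priority first, then longest-lived data first."""
    ranked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        priority, reason = classify(row, q_day)
        ranked.append((priority, -int(row["needed_until"]), row["system"], reason))
    return [(p, system, reason) for p, _, system, reason in sorted(ranked)]


if __name__ == "__main__":
    for priority, system, reason in prioritize(INVENTORY_CSV):
        print(f"P{priority}  {system:15} {reason}")
```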
Finding the right place to deploy PQC first to protect the most secure data systems and meet implementation constraints, while also avoiding the known and unknown pitfalls of trialing new technologies, is enough to warrant much of the inaction we're seeing today.
For security-conscious, forward-thinking organizations willing to trial and roll out PQC alongside the forthcoming NIST standardization, specific IT systems should be prioritized to ensure the long-term security of sensitive information.
These systems include key management systems responsible for generating, distributing, and managing cryptographic keys; secure communication systems including virtual private networks, secure email, cloud services, and applications; bespoke critical systems such as those used by financial institutions or in scientific research and engineering environments; and operationally critical IoT devices.
There are also across-the-board architectural changes that can be made quickly for broad initial protection, e.g., deploying quantum-resilient TLS proxy systems, such as terminators and load balancers, and upgrading application-layer cryptography libraries.
NIST's standardization of PQC algorithms is the last piece of data most organizations have been waiting for to start implementing PQC solutions.
Although our shared quantum computing-enabled future is constantly evolving alongside the corresponding defensive barriers required, the soon-to-be-published NIST standards offer a call to action backed by a sufficient degree of certainty to those on the fence about starting their PQC implementation journey.
While most CISOs are currently and rightly engaged in defending against the most urgent threats, action to protect them from being swamped by the coming wave of Q-Day is prescient.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Mon, 01 Jul 2024 03:43:09 +0000