Preparing for a post-quantum security landscape [Q&A]
As widely available quantum computing draws closer, organizations need to consider the extent to which their supply chain presents risks and start building post-quantum readiness into their risk assessments.
To do this, it's critical for businesses to understand the origin and authenticity of all the components that are in the supply chain (both hardware and software). This is especially true for IoT devices, which rely on systems and subsystems created by multiple partners and vendors bringing their solutions together to make a fully functioning connected product/system.
We talked to Chris Hickman, CSO at PKI and machine identity platform Keyfactor, about the threats and how to approach dealing with them.
BN: What is the threat quantum computing poses to current cryptography?
CH: Rumblings about quantum computing have been building momentum in the enterprise IT and security space for years. Transitioning to a quantum-capable world may be the most significant computing development in the history of humanity, likely to bring massive change impacting climate modeling, medical research, and business intelligence.
But the powerful processing power this technology brings will also allow for new geopolitical threats. Quantum computing stands to overpower the widely used security protocols we currently use to secure the internet, enterprises, military technology, and more. It also has the potential to nullify the infrastructure of security as we know it. With Q-Day, it will be possible to break currently used cryptography, for example RSA, in a matter of seconds.
This is why governments worldwide are prioritizing and investing in the quantum arms race. If RSA and other algorithms, on which the entire world relies, are compromised by the near-term advancement of quantum computers, we'll quickly find ourselves in a scenario where all encrypted sessions, TLS, server certificates, PKI, code signing, and more are under severe duress and real-time breaches will become possible.
BN: When can we expect post-quantum?
CH: This is the question that everyone wants the answer to. While post-quantum computers exist today, they're not at the point where they can break the cryptographic algorithms we're currently using. However, it is generally accepted that a quantum computer with the ability to break current cryptographic algorithms is possible within 10 years. That said, they're rapidly accelerating, and that day will come. In the meantime, all organizations must seriously consider what they can do to prepare for the inevitable.
BN: How can organizations prepare themselves for a successful post-quantum cryptography migration?
CH: Understanding the full scope of post-quantum cryptography is overwhelming for a lot of organizations, as most companies have cryptography built into places they don't even realize. In fact, 62 percent of organizations don't know exactly how many keys and certificates they have, which will make the ability to manage and mitigate risk incredibly difficult, even for large teams.
Knowing these blind spots are prevalent, it's not surprising that many organizations expect the post-quantum inventory discovery and planning phase -- not even the actual implementation -- to be a multi-year activity. That's why now is the time to prepare.
To begin preparation, consider these steps:
- Understand your crypto landscape: You cannot prepare unless you know which keys, certificates, and algorithms are in use within your organization. This includes the apps that use them. There’s only one way possible to develop a migration plan, and that's by knowing your cryptography, understanding what’s in your organization, and identifying what can and cannot be migrated. This step is crucial to assess the risk involved, what needs to be replaced, and what needs upgrading.
- Create a foundation for your PQC environment: Next, begin mapping where the biggest needs are and what teams you’ll need to work with. This step is important to understand all the data that resides within your organization and how encryption might change for a particular data set. Most organizations have complex matrices of data, so this can take quite some time -- and usually it's not a one-and-done task.
- Explore your options and begin testing them: Algorithms will take a while to finalize, but it's never too early to test and explore so you can get familiar with the things that need to happen. Think about potential scenarios that could happen: What if an algorithm is found vulnerable? How will you manage that post-deployment?
- Strengthen strategic partnerships: Organizations can't successfully prepare for the shift to PQC in a vacuum -- that's where strategic partnerships come in. Seek partners that allow you to test their post-quantum solutions to ensure your entire supply chain will be ready when you need them to be.
BN: What are the key elements that organizations should include on their roadmap to quantum-readiness?
CH: If organizations wait until a quantum computer is invented that can shred encryption, it will be far too late to begin trying to protect against it. To avoid this, there are a couple of key steps that should be taken now to get their post-quantum security heading in the right direction.
The first is to make a commitment to strategic planning. Any organization that uses encryption today needs to prepare for the post-quantum future. But it doesn’t stop there. Any industry that produces products with a lifespan longer than five years -- automotive, medical devices, appliances, and anything that falls within the Internet of Things (IoT) -- is going to be affected. Corporations have to find a way to break out of their short-term, next-quarter-results mindset, and adopt a much longer-term view of security when it comes to preparing for a post-quantum environment.
The second step is to commit to good data and device inventories and security hygiene. Many organizations, especially in the private sector, do not have a good handle on all the devices connected to their systems, which security measures they employ, or where in their vast networks encryption is used. Nor do they know which data are most vulnerable, compared to which data are most valuable. The first actual IT step after gaining leadership commitment to long-term preparation is developing that inventory and committing to keeping it updated. This applies to industries using IoT, as well.
BN: How does post-quantum cryptography affect software supply chains?
CH: With the onset of post-quantum cryptography, organizations will be forced to upgrade their encryption methods to post-quantum cryptography algorithms. As quantum computing advances, security threats will keep pace. Armed with exponentially more powerful computing capabilities, threat actors leveraging quantum computing against targets with crackable encryption will have the power to compromise the authentication and validation of digital signatures. At that point, all digital trust unfolds.
Safeguarding digital trust in this heightened threat landscape will require significant changes to organizations' existing software and infrastructure. Trust must be accounted for at every step. Software today uses digital identities to enable secure communication and updates throughout the product life cycle, otherwise known as PKI (public key infrastructure). Because it's practically impossible to secure software supply chains without using PKI, it’s expected that PKI will become easier to integrate into development tools as PQC becomes a reality. For example, there are open-source tools that exist today that allow organizations to issue post-quantum certificates in a lab environment and even build and test apps with quantum-capable cryptographic APIs to ensure compatibility and interoperability as organizations restructure their IT infrastructure. This takes more time and effort than most organizations would anticipate, and having accessibility to testing tools like these will be incredibly important for PQC readiness.