Why businesses need to start transitioning to post-quantum cryptography now [Q&A]
The arrival of quantum computing, like nuclear fusion, is one of those things that always seems predicted to be a decade or more away, but the issue of quantum cryptography is on the doorstep now.
While quantum computers have the ability to break current encryption methods at alarming speeds, the National Institute of Standards and Technology's (NIST) release of Post-Quantum Cryptography (PQC) standards throws down the gauntlet on quantum cybersecurity.
We spoke to Chris Hickman, CSO at Keyfactor, to find out what businesses need to do to prepare.
BN: With the official finalization of NIST's PQC algorithms, what are your predictions for the PQC space?
CH: The space is going to heat up, with vendors getting ready to release products and public-key infrastructure (PKI) and signing solutions going into production. And it's just the beginning. The release of the NIST algorithms culminated a program that started in 2016, but it is the starting line for PQC, not a finish line.
People can't afford to take comfort in the fact that practical quantum computers are still 10-plus years away because the threat is a lot closer than you may think. For example, 'Harvest Now, Decrypt Later' (HNDL) is a trend occurring today where encrypted data both at rest and in transit is being stolen for the purpose of decrypting that data later when a suitable computer is available.
The time to start preparing data and systems for PQC is now. Business leaders first need to understand that the PQC transition is more of a marathon than a sprint. It will take time. Keyfactor's 2024 PKI and Digital Trust Report found that most organizations believe that transitioning to PQC will take about four years. But in reality, experts believe it will take eight to 10 years to do correctly.
And it may be a marathon, but it's still a race, even with quantum's arrival uncertain. The world is now racing against an unknown timeline and opponent to secure -- or break -- encryption. We don't know how many laps the race is or where the finish line is, but if we stop, our opponents will catch us. And we will have a lot to lose.
BN: How is the quantum threat evolving with AI? Why can't businesses afford to wait to implement PQC?
CH: AI could accelerate the arrival of quantum attacks because it could enable threat actors to launch an attack on classical cryptography without having a full-blown, perfect quantum computer.
A reasonably functional quantum machine might be able to do the hard work of factoring primes, which are essential elements in cryptography and is something that quantum computing researchers in China reportedly have made significant strides in achieving. That work could then be used by AI-powered computing, or even traditional computing, to launch an attack.
AI can also make it easier to sort through previously stolen data for sensitive, valuable information and use quantum computing to crack the encryption. In fact, with quantum computing on the horizon, HNDL is emerging as a style of attack.
Up until now, companies may have been able to hide the fact that data was stolen if they knew it was safely encrypted because attackers wouldn't be able to use it. But quantum computing, aided by AI, will take that false sense of security away.
BN: How can businesses best determine which processes and solutions to prioritize as they begin their PQC transition?
CH: You need to start with a full inventory of all your cryptographic assets. Without clear visibility into those assets across your organization, it is impossible to start the actual transition of those assets to PQC.
Creating that inventory can take a lot of time and manpower, so organizations should invest in automated tools that can bring all your cryptographic assets into one place, allowing IT and security teams to work on priority projects. And because the transition will take time, it would be very helpful to leverage tools that can work in both PQC and existing environments.
A tool such as Keyfactor's Command platform, for instance, can manage and maintain digital certificates regardless of scale and support multiple Certificate Authorities (CAs). Furthermore, Keyfactor's EJBCA Platform will allow organizations to replace legacy at-risk certificates with those that use the Post Quantum Algorithms.
With visibility of your assets and a plan in place, teams should begin testing NIST’s initial suite of finalized PQC algorithms in sandbox environments. It's also critically important to test your organization's crypto agility, to determine how quickly teams can manage, update, and secure machine identities within your PKI infrastructure.
During this process, teams can leverage a tool such as Keyfactor's PQC Lab, a free SaaS-based version of EJBCA Enterprise. It allows users to test changes to the infrastructure and better understand their impacts without impacting production environments.
Another essential early step is developing a clear implementation strategy. You will need to take a good look at the data, identify the most critical data and applications, and make determinations based on risk. For example, you'll need to give priority to data that has a long life or presents financial implications, such as data and systems regulated by the Payment Card Industry Data Security Standard (PCI DSS) or the EU’s General Data Protection Regulation (GDPR).
Establish a budget for the transition that fits your organization and identify the tools that teams will need for migrating to PQC. And it's especially important to know which parts of the transition process can leverage automation.
To keep the transition on track, you need to establish an exact timeline outlining the steps you need to take, setting realistic deadlines for each stage. You also should clearly define roles and responsibilities for each IT and security team member.
Moving your organization to PQC won't be quick or necessarily easy, but addressing these strategic elements early as part of a clear implementation plan can ensure the most seamless transition possible.
BN: What steps should businesses take now to prepare, including smaller shops that do not have access to the same resources as national or global corporations?
CH: Organizations that haven't done so already need to start viewing cryptography as a critical asset. In addition to making sure you have an accurate inventory of cryptographic assets, your teams need to understand which cryptographic libraries are in use in your organization’s products, software, and IoT devices.
Now is also a good time to communicate with companies in your supply chains and make sure they have a plan to move to PQC to ensure any data that is shared with them remains safe. Weaknesses in your supply chains can leave you as vulnerable as weaknesses in your own systems.
Remember, achieving PQC-readiness is a collaborative journey. And as with most complex security scenarios, there is no single solution. A successful transition to PQC will be the result of a carefully planned and executed process.