Security starts early

The view of quantum threats – from the front lines

Tim Hollebeek
quantum computing
© Shutterstock / Dmitriy Rybin

Quantum computing might initially sound like a far-fetched futuristic idea, but companies such as Amazon, Google, and IBM are putting their weight behind it and preparations have begun. With quantum computing potentially within our reach, what will happen to our current security models and modern-day encryption? See what security experts are doing to prepare for quantum threats.

The future is here. Or just about. After a number of discoveries, researchers have proven that quantum computing is possible and on its way. The wider world did not pause long on this discovery: Goldman Sachs, Amazon, Google, and IBM have just announced their own intentions to embark on their own quantum developments.

Now that it’s within our reach we have to start seriously considering what that means in the real world. Certainly, we all stand to gain from the massive benefits that quantum capabilities can bring, but so do cybercriminals.

Scalable quantum computing will defeat much of modern-day encryption, such as the RSA 2048 bit keys, which secure computer networks everywhere. The U.S. National Institute of Standards and Technology says as much, projecting that quantum in this decade will be able to break the protocols on which the modern internet relies.

The security profession hasn’t taken the news lying down either. Preparations have begun in earnest. The DigiCert 2019 Post Quantum Cryptography (PQC) Survey aimed to examine exactly how companies were doing. Researchers surveyed 400 enterprises, each with 1,000 or more employees, across the US, Germany and Japan to get answers. They also conducted a focus group of nine different IT managers to further reveal those preparations.

SEE ALSO: DevSecOps Panel – Best DevOps Security Practices & Best Tools

Starting early

An encouraging development is that 35 percent of respondents already have a PQC budget, and a further 56 percent are discussing one in their organisations. Yet, many are still very early in the process of PQC planning. An IT manager within a manufacturing company said, “We have a budget for security overall. There’s a segment allotted to this, but it’s not to the level or expense that is appropriate and should be there yet.”

Broadening the conversation

The time to start preparing, including inquiring of your vendors readiness for quantum computing threats, is now. One of the respondents, an IT Security manager at a financial services company, told surveyors, “We’re still in the early discussion phases because we’re not the only ones who are affected. There are third party partners and vendors that we’re in early discussions with on how we can be proactive and beef up our security. And quantum cryptology is one of the topics that we are looking at.”

Others expanded upon that, noting that their early preparations heavily involve discussing the matter with third parties and vendors. Another focus group member, an IT manager at an industrial construction company, told the group, “We have third party security companies that are working with us to come up with solutions to be proactive. So obviously, knock on wood, nothing has happened yet. But we are definitely always proactive from a security standpoint and we’re definitely trying to make sure that we’re ready once a solution is available.”

Talking to your vendors and third parties should be a key part of any organisation’s planning process. To that end, organisations should be checking whether their partners will keep supporting and securing customer’s operations into the age of quantum.

Data, data, and data

The data itself was still at the centre of respondents’ minds when it came to protection from quantum threats, and when asked what they were focusing on in their preparations, respondents said that above all they were monitoring their own data. One respondent told us, “The data is everything for anybody that’s involved in protecting it. And so you just have to stay on top of it along with your vendors and continue to communicate.”

One of the prime preparatory best practices that respondents called upon was monitoring. Knowing what kind of data flows within your environment, how it’s used and how it’s currently protected are all things that an enterprise has to find out as they prepare.

SEE ALSO: As quantum computing draws near, cryptography security concerns grow

Crypto agility

To be sure, overhauling an enterprise’s cryptographic infrastructure is no small feat, but respondents listed understanding their organisation’s level of crypto agility as a priority. Quantum might be a few years off, but becoming crypto agile may take just as long.

Organisations will have to plan for a system which can easily swap out, integrate and change cryptographic algorithms within an organisation. Moreover, it must be able to do so quickly, cheaply and without any significant changes to the broader system. Practically, this means installing automated platforms which follow your cryptographic deployments so that you can remediate, revoke, renew, reissue or otherwise control any and all of your certificates at scale.

Many organisations are still taking their first tentative steps, and others have yet to take any. Now is the time for organisations to be assessing their deployments of crypto and digital certificates so they have proper crypto-agility and are ready to deploy quantum-resistant algorithms soon rather than being caught lacking when it finally arrives.

Tim Hollebeek
Timothy Hollebeek has more than 15 years of computer security experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He remains heavily involved as DigiCert’s primary representative in multiple industry standards bodies, including the CA/Browser Forum, striving for improved information security practices that work with real-world implementations. A mathematician by trade, Tim spends a lot of time considering security approaches to quantum computing.

Inline Feedbacks
View all comments