Introduction
As quantum computing advances, the potential for cryptanalytically relevant quantum computers (CRQCs) to break current cryptographic systems becomes a pressing concern. In response, the Office of Management and Budget (OMB), mandated by the Quantum Computing Cybersecurity Preparedness Act, recently published a report on post-quantum cryptography, outlining a comprehensive strategy for transitioning federal information systems to post-quantum cryptography (PQC).
In this article, we will discuss the urgency for organizations to prepare for post-quantum cybersecurity.
How Data is Currently Protected
Public key cryptography is fundamental to modern security systems to ensure the security, integrity, and authenticity of communications and data transmitted over private or public networks.
It ensures the security of data, so that only the intended recipient can access and read the message, preventing unauthorized parties from intercepting and understanding the communication, as well as its integrity, meaning that the data has not been altered during transmission, guaranteeing that the received message is exactly what was sent, without any modifications. It also provides authentication, by verifying the identity of the parties involved in the communication, ensuring that the message is coming from a legitimate source, as well as non-repudiation, meaning that the sender cannot deny having sent the message. All these functions play a vital role in securing communications, protecting data, and establishing trust in digital interactions.
The Upcoming Threat of Quantum Computers
The rise of quantum computers, however, poses significant threats to public key cryptography, particularly to widely used algorithms like Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC). Both cryptographic algorithms are still very secure against traditional computers, built around a binary system, where a bit or binary digit is used as the smallest unit of data, with two possible values (1 or 0). However, cryptographically relevant quantum computers (CRQCs), using qubit instead, that can represent a value of either 0, 1, or range of values between 0 and 1 simultaneously, as well quantum mechanical phenomena like superposition, interference, and entanglement, can solve problems exponentially faster than classical computers, and as such could break these encryption schemes by efficiently solving problems such as integer factorization and discrete logarithms, using algorithms like Shor's; as a result, encrypted data and digital signatures relying on these methods could be compromised.
But Who Currently Owns Quantum Computers?
Countries like the United States, China, and the European Union, alongside major tech companies such as IBM, Google, Microsoft, and Intel, are heavily investing in quantum computing research, though none have yet reached the cryptographically relevant level. While Google claimed quantum supremacy in 2019, this achievement was specific and does not threaten current encryption methods. Existing quantum processors, developed by companies like IBM and Rigetti, have reached only small scales and lack the stability needed for cryptographic relevance.
Experts estimate that a cryptographically relevant quantum computer (CRQC) might still be 10 to 20 years away, with significant challenges ahead. There is speculation that military and intelligence agencies may be conducting secret research, but no public evidence suggests a CRQC exists today.
“Harvest Now, Decrypt Later” Threat
Although such quantum computers are not yet widely commercially available, the quantum threat is real, as cyberattacks like the “Harvest now, decrypt later” can be used by cybercriminals to capture and store encrypted data today, intending to decrypt it in the future when quantum computers become widely available. And this strategy threatens long-term confidentiality, especially for sensitive information with a prolonged value (e.g., IP, classified data, etc.) and highlights the urgency of transitioning to quantum-resistant encryption methods to protect long-term security.
This has led to the development of Post-Quantum Cryptography (PQC), which aims to create cryptographic algorithms that can withstand quantum attacks. Unlike current algorithms like RSA or ECC, which could be easily broken by a cryptographically relevant quantum computer (CRQC), PQC algorithms are designed based on mathematical problems that remain hard even for quantum computers.
The transition to these new systems is however a significant challenge, as it requires updating or replacing vast amounts of existing digital infrastructure, ensuring compatibility with current technologies, and maintaining security during the transition period. This process is urgent but complex, as it involves not only technological innovation but also widespread adoption and standardization across industries worldwide.
What Should Organizations Do?
As per Executive Order (EO) 14028, data must be encrypted now only when transiting over the Internet, but also over internal networks.
1. Perform a Cryptographic Inventory
Organizations should perform a cybersecurity risk discovery and cryptographic inventory using a cryptographic monitoring and risk assessment tool like Quantum Xchange™ CipherInsights, to monitor their network and identify cryptographic vulnerabilities in real time, including unencrypted traffic, clear-text passwords, expired certificates, self-signed intermediate certificate authorities, insecure encryption, providing a clear understanding of your cybersecurity posture and a prioritized list of risk mitigation to maintain compliance, pass audits, and better prepare for the inevitable migration to Post-Quantum Cryptography (PQC).
Unlike other similar solutions, which primarily address network performance and general cybersecurity, CipherInsights provides deep visibility into cryptographic operations, detecting vulnerabilities such as outdated algorithms and improper key management, and helping organizations maintain compliance with cryptographic standards and proactively manage risks associated with cryptographic assets, ensuring that encryption practices are secure and up to date, something often overlooked by more general network monitoring tools.
2. Identify Systems That Will Not Support PQC
Identifying systems that will not be able to support Post-Quantum Cryptography (PQC) as early as possible is crucial to prioritize mitigation strategies, such as upgrading hardware, replacing vulnerable software, or isolating these systems to minimize risk. Early identification also allows for a smoother transition, reducing the likelihood of operational disruptions and ensuring that critical data remains protected as quantum-resistant algorithms are implemented.
This is especially critical for organizations that rely on connections with third-party partners in their daily operations, as these external links are often integral to business processes, but they also present significant security vulnerabilities if not properly secured against future quantum threats.
Even if your organization implements post-quantum security measures, the entire link remains vulnerable if a connected partner does not support quantum-safe protocols, as a security breach on one end could compromise the entire communication chain, exposing sensitive data to potential post-quantum attacks.
3. Implement Post-Quantum Resiliency
Implementing post-quantum resiliency is crucial in preventing Man-in-the-Middle (MITM) attacks due to the impending threat posed by quantum computers, which will be capable of breaking current cryptographic algorithms that underpin data security. Traditional encryption methods, such as RSA and ECC, rely on the difficulty of factoring large numbers or solving discrete logarithm problems—tasks that quantum computers can perform exponentially faster with algorithms like Shor's. As a result, encrypted communications could be decrypted in real-time, rendering them vulnerable to MitM attacks.
Post-quantum cryptography employs algorithms that are resistant to quantum attacks, ensuring that even with the advent of powerful quantum computing, the integrity and confidentiality of data in transit are maintained, securing communications against future vulnerabilities and safeguarding sensitive information.
Quantum Xchange™ Phio TX is the first quantum-safe key encryption key delivery product that can combine all post-quantum technologies, to enable encrypted, fault-tolerant, and load-balanced key transmissions over any distance, any medium, and to multiple transmission points, using Post-Quantum Cryptography (PQC) to secure communication channels and integrating with entropy sources for truly random key generation, ensuring not your organization’s communications are securely from ever-growing post-quantum attacks.
QuantumXchange™ Phio TX architecture.
Conclusion
The urgency to prepare for post-quantum cybersecurity can be intimidating, especially with the challenge presented by transitioning to these new systems. If you have questions about post-quantum resiliency and how it works, the team at ISEC7 Government Services would be happy to help; we can also help support the deployment of Quantum Xchange’s Phio TX and help you to better leverage your current solutions. The team at ISEC7 Government Services works with companies in the private and public sectors to ensure their ecosystems are protected and their security posture endures through training and best practices, and we can complete a security assessment to help you navigate the options available to you to help strengthen and protect your infrastructure.