Quantum-resistant crypto has arrived – act early to protect your business
The point at which quantum computing becomes practically available is uncertain but authoritative bodies, such as the Australian Signal Directorate, advise moving to new standards within seven years. This may appear to be far in the future but underestimates the scale of the change. Virtually all products and services being implemented now will have encryption techniques vulnerable to quantum computing deeply embedded into their technology stacks. Most of these new IT systems will have lifespans longer than seven years. Many organisations are already building up a technical debt that will need to be paid off if they want to keep their systems secure. The scale of the challenge means that it will take many years for changes to be made. Worse still, the issue is not yet on the radar for most organisations.
The good news is that great strides have been made in creating new encryption techniques that are quantum-resistant. NIST (National Institute of Standards and Technologies) has run a competition to identify quantum-resistant encryption techniques. To date, four new algorithms have been identified that provide quantum-proof privacy (e.g. CRYSTALS-Kyber) and digital signature (CRYSTALS-Dilithium, FALCON and SPHINCS+) protection. These new techniques have mathematical properties that allow them to resist the huge processing power that quantum-computing will introduce. Their suppliers will take a lead in resolving their problems.
Given that both the problem and solution are known, how do organisations prepare, plan, and transition with enough time to spare to protect their sensitive information?
Act early to stay ahead of the game
Most organisations have yet to engage with the challenge. Planning the move to quantum-resistant techniques is non-existent or embryonic. Firms needs to speed up planning and implementation to ensure they remain secure in the future. Waiting until encryption algorithms have been broken will leave firms with a mountain to climb to protect their data.
Organisations need to develop IT strategies and change programmes that support the transition to new encryption standards. Organisations also need to consider how long their data remains sensitive for. For example, governments may have data that is sensitive for decades while e-commerce services may only require data to be protected for a very short period. The span of time that data needs to be protected will determine how soon firms need to move. Generally, plan to act early to protect sensitive information.
Drive the change instead of relying on vendors
Technology vendors won’t solve this problem for their customers. Organisations will need to drive the transformation of their systems and services onto quantum-proof encryption. So, how can organisations start the transformation process?
The first step will be to understand the problem. CISOs, IT Directors, and business owners need to raise awareness within their own organisations and highlight the risks of waiting to the last moment. Getting a risk onto risk registers will be a good place to start. Once the risk is understood the next step is to gauge the size and scale of the problem to tackle. Does your organisation have a clear idea of what data needs to be protected or even where encryption is used? This includes the question of what technologies organisations currently employ that have encryption techniques embedded to provide protection. Answering these questions will allow firms to effectively target their resources to help manage risks.
Firms will need to think carefully about their strategy for both identifying the scale of the change and making the transition to quantum-resistant techniques. Firms need to make budget provisions for managing the transition. This will initially be smaller pots of money to support analysis and strategy development tasks followed by substantial investment to replace IT capabilities.
A small number of organisations have already started to tackle the issue. One pension provider built in transition paths to quantum-resistant computing into a major outsourcing agreement. This included agreeing commercial risk management approaches to compensate for losses arising from the outsourcer not being able to transition to a quantum resistant solution in a timeframe that allowed their data to be protected. Attaching a monetary value to the problem of managing encryption algorithms certainly helps to focus attention and provides a template for other firms to adopt.
The organisations best positioned to tackle this issue are those that have a clear strategy and plan. These firms have started discussions with their IT suppliers to understand their roadmaps and plans for quantum proof encryption. The more organisations that engage early, the more focussed IT suppliers will be on providing solutions.
Collaborate for successful implementation
Many firms cannot transition to new standards by themselves. The shift will have to be at an industry level requiring complex coordination amongst multiple organisations, particularly when cryptography is used within complex supply chains or messaging systems. In these situations, industries can only move as fast as their slowest member as they need bring everyone along on the journey.
Organisations need to understand where they have external dependencies on IT services and systems that they cannot directly control or change. When change needs to happen in concert with other parties it is advisable to focus on these dependencies first. Often, this will involve working with trade associations, standards bodies, or key suppliers to initiate change programmes across multiple organisations. Where changes to standards are involved, timescales can also be long. For example, changes to XML digital signature standards are likely to be required but this is an area of considerable complexity. Firms will need to factor in providing time and resources to manage change across their industry sector to help manage their own risks.
While quantum computing represents a considerable security challenge, the way forward has already been found. Organisations need to engage early and with the right resources to protect themselves and their customers.