The quantum threat
Applications using traditional cryptography methods may be vulnerable to quantum-based attacks.
Quantum computing has the potential to impact and transform a wide range of industries and create new opportunities for businesses to gain a competitive advantage. It is now entering mainstream business and is proving to be a worthy investment. While the current lot of quantum computers have limited number of qubits and are sensitive to temperature and other ‘noise’, huge investments by governments, industries, and academia indicate that progress on quantum computers and quantum computing is likely to be much faster than previously thought possible.
Quantum computing can resolve problems that are tedious even for powerful supercomputers. Now, researchers are predicting that some traditional cryptography algorithms – ones that enable a secure medium to communicate in the presence of malicious third parties – will soon be vulnerable to targeted cyberattacks, as quantum computing continues to evolve. Therefore, enterprises must build awareness among key stakeholders, identify champions to own quantum adoption, and detect opportunities and threats that could result from quantum uptake.
Achieving crypto-agility takes time and effort. A risk assessment based on a comprehensive crypto inventory allows for a prioritized approach.
The wide-ranging impact
Vulnerable crypto systems impact both industry and society.
Algorithms such as Grover and Shor that run on quantum computers have broken widely used cryptographic algorithms. These include some of the popular public key algorithms, symmetric algorithms, and hashing algorithms.
Let’s look at some common use cases where these cryptographic algorithms are used:
Secure socket layer and transport layer security (SSL/TLS) protocols to secure online communication
Blockchain and cryptocurrency implementations
Virtual private networks (VPNs) for private remote access connections
Digital signatures for authentication and identification of users / endpoints
Since these cryptographic algorithms are critical for securing applications and systems, vulnerabilities here disrupt organizations that rely on them.
The impact of this quantum threat extends beyond businesses to common people as well. eCommerce is a classic example where online transactions are conducted with the belief that they are secure. However, whether this will sustain with quantum computers coming of age is yet to be seen.
Crypto-agility enables rapid transition to secure cryptography.
To protect themselves against quantum attacks, organizations need to replace potentially vulnerable algorithms with quantum-safe ones. The first step toward this is to be crypto-agile.
A crypto-agile application is one that can support multiple cryptographic algorithms and enable faster migration to new cryptographic algorithms. To transform applications to a crypto-agile state, enterprises should take the following steps:
Identify the crypto algorithms currently in use within the application and the related lines of code.
Refactor the application to separate the cryptography code into independent modules outside of the core application code.
Leverage external encryption libraries, wherever possible, with a centralized key management platform/service.
Work with suppliers for off-the-shelf and custom applications to ensure migration to a quantum-safe cryptography.
Crypto-agility ensures that vulnerable crypto algorithms used within applications can be replaced easily with secure ones. This also enables rapid transition of applications to a post-quantum state when quantum-safe algorithms are standardized.
The journey ahead
There is no better time to start than now.
Organizations have multiple applications and services, so it can be difficult to determine where to start the journey toward a quantum-safe business.
Quantum-safe algorithms are yet to be standardized, and hence, are not recommended for production use yet. However, organizations can take certain immediate steps for crypto-agility, such as:
Apprise business teams and senior management of the emerging risks due to quantum computing and the need to start preparing for it.
Adopt crypto discovery tools to undertake a crypto inventory of the ecosystem. This will identify the use of cryptography that may be vulnerable to quantum attacks.
Conduct a risk assessment of applications and services based on the outcome of the crypto discovery, with a focus on the business criticality of systems. Prioritize applications and services for remediation based on the risk rating.
Engage with third-party service providers and support vendors to address potential vulnerabilities.
De-couple the crypto logic as much as possible from business logic in applications.
Automate cryptographic keys and digital certificate management.
Organizations can start by migrating some applications as proof-of-value projects using quantum-safe algorithms. This will fine-tune the processes and procedures for the eventual migration of all vulnerable applications to a quantum-safe state.
Enterprises should take a hybrid approach in their initial years of adopting quantum-safe cryptographic algorithms. Applications should be designed as crypto agile, supporting the use of both a traditional and a quantum-safe algorithm. In case a vulnerability is identified in the new quantum-safe algorithms, the applications can quickly fall back on alternative algorithms or transition to a more secure algorithm.
Take a crypto-agile approach to building defenses against quantum attacks.
Quantum computing is creating new risks, threats, and opportunities. Building defenses against quantum-based attacks requires time and meticulous planning.
A crypto-agile approach can act as a first line of defense against the cybersecurity threats posed by quantum computers. Organizations will be better positioned to adapt to threats and update security protocols based on new and emerging threats.
Organizations should also invest in a focused program for post-quantum cryptography migration, possibly with a center of excellence that guides the application teams through this journey. Prioritizing the applications based on a risk assessment and being nimble in execution will go a long way in ensuring a smooth execution of this complex program.