No longer relegated to post-doctorate physics academia and sad Schrödinger’s cat thought experiments, post-quantum computing remediation has arrived in the real world.
Quantum computing is expected to emerge in earnest a decade from now, with the power to crack existing public key infrastructure (PKI) cryptography schemes like RSA and the Advanced Encryption Standard (AES). And with NIST’s recent release of three final quantum encryption standards, security teams are now racing against that 10-year clock to update vulnerable cryptography before quantum algorithms go into production that are capable of crushing them and unlocking reams of secret data.
With NIST effectively handing off the work of post-quantum encryption remediation planning and execution to cybersecurity teams around the world with the release of the standards, the time is now for rank-and-file cybersecurity professionals to get “hands on” with post-quantum cryptography (PQC), according to Jason Soroko, senior vice president of product at Sectigo.
“For regular cybersecurity practitioners who have been saying, ‘I’m waiting for NIST,’ there is no longer reason to wait,” Soroko says.
Major information technology (IT) players like Akamai, and browsers including Google Chrome, have already initiated large-scale efforts to shore up their post-quantum cryptographic cybersecurity. But, individual organizations will need to handle the security of data both in-transit and at-rest after it’s handed off to their networks from the edge and content delivery networks (CDNs). And unfortunately, the sheer scale of the problem is gargantuan, so they need to start now.
“Transitioning to post-quantum cryptography is a complex, multi-year process that requires careful planning to minimize disruption and ensure continued security,” Soroko explains. “Early planning allows for a smoother transition when PQC standards become widely available.”
Time is of the essence, too: there are already worries about “steal now, decrypt later” adversaries harvesting sensitive encrypted data and storing it for future decryption via quantum computers.
Transitioning to NIST’s New Post-Quantum Cryptography Standards
Philip George, executive technical strategist at Merlin Cyber, characterizes the release of the new NIST post-quantum cryptography standards as a “pivotal moment for cybersecurity practitioners and general technology consumers alike,” but notes that considerable time and effort will be needed to get arms around the scope of the PQC migration. And the complexity starts with the fact that all communications rely on cryptography for essential authentication functions, as well as privacy and security.
“There isn’t one single area across the IT domain that does not rely on cryptography — whether it’s encrypting data, securing connectivity to a bastion host, or providing validation checks for software,” George says.
Thus, as a first practical PQC step, cryptography’s sheer ubiquity requires a fulsome, automated asset inventory to prepare for any transition to quantum. To that end, “conduct a comprehensive audit of all cryptographic assets and protocols in use within the organization,” Soroko advises. “This includes identifying where cryptographic algorithms are used for data protection, authentication, digital signatures, and other critical security functions.”
There are scanning tools available to assist companies with the work of gathering evidence of cryptography across the organization, as well as from data from public key infrastructure logs and certificates, certificate management tools, cryptographic hardware keys, and more, he notes.
Further, these tools can maintain that cryptographic inventory as the organization’s infrastructure changes, and integrate into ongoing development processes.
PQC Asset Inventory & Building a Remediation Plan
Once the cryptography asset inventory is complete, a remediation plan can be put into place, which involves determining which assets are most vulnerable to quantum attacks and need upgrading to post-quantum algorithms first, Soroko suggests.
For instance, when it comes to defending against the “harvest now and decrypt later” threat, Soroko suggests immediately identifying the organization’s critical secrets protected by legacy algorithms and prioritizing those for PQC transition.
Meanwhile, PQC migration plans should be as detailed as possible, including the ‘how’ and ‘when’ the transition will take place, Soroko explains.
“Identify legacy and vulnerable cryptography, focusing on algorithms susceptible to quantum attacks (e.g., RSA, ECC),” he says, adding that cyber teams should also assess the “lifespan of critical data to determine the urgency of migration.”
He also advocates that organizations set up a cross-functional team that includes IT, security, legal, and other business units, in order to centralize the PQC migration effort.
“This approach ensures all areas are covered and reduces duplication, leading to significant cost savings,” Soroko says. “Crucially, adopt a top-down approach, ensuring that executives who own the risk champion the initiative, rather than leaving it to IT staff to assess risk. This alignment ensures that PQC migration is treated as a strategic priority, backed by the necessary resources and authority.”
A joint NIST and Department of Homeland Security post-quantum roadmap explains that each organization will have its own particular set of requirements. It recommends determining where to start by asking these questions:
-
Is the system a high value asset based on organizational requirements?
-
What is the system protecting (e.g. key stores, passwords, root keys, signing keys, personally identifiable information, sensitive personally identifiable information)?
-
What other systems does the system communicate with?
-
To what extent does the system share information with federal entities?
-
To what extent does the system share information with other entities outside of your organization?
-
Does the system support a critical infrastructure sector?
-
How long does the data need to be protected?
The Role of Vendors & Partners
Creating a PQC remediation plan should also be done in close coordination with partners and vendors with whom organizations share data, to help guarantee a smoother transition.
“Collaboration ensures that the transition aligns with industry standards, minimizing risks,” Soroko says. “Partners can also offer ongoing support, keeping the cryptographic infrastructure secure against evolving quantum threats.”
Getting perspective on the entire enterprise ecosystem is critically important, and can’t be achieved without engaging partners and vendors.
“Vendors can assist in identifying and securing critical secrets that may be targeted for ‘harvest and decrypt’ attacks, ensuring these are protected with quantum-resistant algorithms,” he adds.
Including vendors in PQC transition planning early can also let cyber teams tap into specialized expertise that can ultimately help them stay ahead of quantum threats, too, according to Adam Everspaugh, cryptography expert with Keeper Security.
“Successfully transitioning to quantum-resistant cryptography will require a combination of expertise in cryptography, IT infrastructure and cybersecurity,” he explains. “Security teams will need to collaborate closely with cryptographers who understand the new algorithms, as well as IT professionals who can manage the integration with existing systems. Given the uniqueness of these algorithms, expertise is still developing.”
Vendors and partners should also continue to work with cyber teams through the research and testing phase, once planning is complete, Soroko says.
“Begin testing and integrating NIST-approved post-quantum cryptographic algorithms within your organization’s infrastructure,” he explains. “This includes participating in pilot programs, collaborating with vendors, and engaging in ongoing research to stay informed about the latest developments in PQC.”
Don’t Drag Your Feet on Quantum
It may seem daunting, but the need to implement PQC standards ahead of the next imminent quantum computing breakthrough means cyber professionals and network defenders everywhere can no longer just think about quantum — they need to act.
“The challenges for IT and security teams are significant, from ensuring compatibility with existing systems, to managing the transition of cryptographic keys,” Everspaugh says. “However, the urgency of this shift cannot be overstated.”
And indeed, organizations which take on the PQC project early will be far better positioned to successfully defend their networks from the impending quantum revolution, Soroko adds.
“Early adoption and testing will help organizations identify potential challenges and refine their implementation strategies,” he says. “Engaging in research ensures the organization remains at the forefront of PQC advancements and is prepared to implement secure algorithms as they become standardized.”