Preparing for the post-quantum cryptography environment today

The thought of quantum computing may elicit a shrug from many a CISO who has enough on their plate already and has decided that’s an issue for the future. My take: get into the conversation, as it is your entity that will be affected sooner or later when post-quantum cryptography becomes a possibly concerning reality.

Quantum cryptography must become a concern for the cybersecurity expert as we (as a community) “don’t tend to prioritize the things that are important until they become urgent,” Jaya Baloo, CSO at Rapid 7, tells CSO. “It’s precisely why we need to start getting ready today for the arrival of quantum computers jeopardizing our current cryptography.”

That advice got my attention. Baloo went on to summarize three steps that every CISO should be taking today:

1. Know thyself. Assess and inventory current cryptographic assets and understand their use in our enterprises.
2. Find opportunities. Look for opportunities that will eventually allow you to transition to quantum-safe technologies.
3. Implementation. Have in place a steady cycle of implementing, monitoring, and testing that makes sure that you have some operational assurance you will be ready when quantum becomes a reality.

She concludes with a sage observation: “It is helpful to take the lessons learned in this step [3 above] and share them within your trusted security communities to make sure that we all level up together and encourage each other as well as our vendors to help us in the journey of quantum readiness. Only when we secure our ecosystems can we enjoy the benefits of quantum computing without continually worrying about the risks to information security.”

Baloo was not alone in her opinions. Nils Gerhardt of Utimaco spoke to me at the most recent RSA about the need to engage in the first two of Baloo’s steps to get ahead of the proverbial curve. “We need seamless transitions to occur” was his primary message. While Joseph Carson of Delinea pointed to the need to engage with those steps in looking for opportunities to implement quantum-resistant solutions.

Read the US Government’s how-to guide to quantum preparedness

Then we have the US government publishing in late August 2023 its preparedness guide with advice from NIST, CISA and NSA on “how to prepare now.”

“Post-quantum cryptography is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers,” Rob Joyce, Director of NSA Cybersecurity, writes in the guide.

“The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry. The key is to be on this journey today and not wait until the last minute.”

This perfectly aligns with Baloo’s thinking that now is the time to engage, and not to wait until it becomes an urgent situation.

The guide notes how the first set of post-quantum cryptographic (PQC) standards will be released in early 2024 “to protect against future, potentially adversarial, cryptanalytically-relevant quantum computer (CRQC) capabilities. A CRQC would have the potential to break public-key systems (sometimes referred to as asymmetric cryptography) that are used to protect information systems today.”

The guide points to four steps (not surprisingly, they also align nicely with Baloo’s advice).

1. Establish a Quantum-Readiness Roadmap. Employ proactive cryptographic discovery to identify the organization’s current reliance on quantum-vulnerable cryptography.
2. Engage with technology vendors to discuss post-quantum roadmaps. Future contracts will ensure “new products will be delivered with PQC built in.” In addition, the mitigation strategies of vendors may be of utility to entities as they plan their own pathways to mitigation. This engagement should also include supply-chain discussion as well as the vendor technology responsibilities.
3. Conduct an inventory to identify and understand cryptographic systems and assets. This means one must put together a comprehensive cryptographic inventory of current systems.
4. Create migration plans that prioritize the most sensitive and critical assets. The organizations’ risk assessments and pathways to mitigation are not static.

When all voices are singing the same tune from the same choir loft, one should take note. CISOs should designate a point for their quantum migration project that will take place over a number of years. The first steps as recommended by the US government, Bayoo, Carson, and Gerhardt are all the same – figure out what you have and take inventory.

Begin to sunset PQC-vulnerable systems now

Then, resources permitting, follow the guidance of Bayoo and begin sunsetting those cryptographic systems identified as PQC vulnerable and replacing them as the opportunity presents itself with cryptographic systems which have been identified as being PQC resilient. This is not a light lift, it is indeed a heavy lift, yet a necessary lift.

For the skeptics amongst us, and we all have a vein or two of skepticism within, I commend to your attention the opinion piece of December 2021: “Collect today, decrypt tomorrow: How Russia and China are preparing for quantum computing” and note the parallelism within the US government bulletin of August 2023 how adversaries will adopt a strategy of “catch now, break later — or, harvest now, decrypt later” operations.

Sitting on the sidelines and waiting is not an option.