Guest contributor |
Quantum computers can solve certain kinds of basic problems more quickly than a classic computer, and as they continue to advance, this will bring a lot of opportunity for things like medical research and data modelling. But they will also be able to break today’s public key cryptographic systems, which form the basis of securing sensitive data. While the quantum computers available today aren’t of sufficient size for this threat to become a reality yet, the technology is steadily progressing and advancing.
Global funding to advance quantum computing technology appears to be at an all-time high, with some of the wealthiest nations and largest organisations leading the development effort. This level of commitment means the quantum threat is not a question of if, but when, one will be powerful enough to compromise the security of our digital infrastructure.
What can we do to prevent this? The answer is simple: we need to move today’s cryptographic systems to new quantum-safe crypto algorithms. However, that isn’t easy to do. It’s a complex task and will touch almost every piece of digital infrastructure and data that we rely on today.
Recently we have seen some guidance from governments that require businesses to start preparing for the post-quantum threat now. That isn’t only because of the time and effort it will take to transition to post-quantum cryptography (PQC) but also because there are threats that exist today – namely with long-life data and devices. The main known threat for long-life data – which needs to remain confidential for more than 10 years – is ‘harvest now, decrypt later’. This is where bad actors harvest data today with the intention of decrypting it once we have a quantum computer with the capabilities to do so.
To prepare for the transition to PQC, businesses must take a series of steps to ensure the migration is smooth. The first step is to assign a leader to oversee the organisation-wide strategy and then take a cryptographic inventory, looking at the hardware and software, as well as cryptographic assets like keys, certificates and secrets. This will ensure organisations have the right technology in place to support the requirements of PQC or provide visibility into all cryptographic assets to help determine if they are crypto agile.
From there, businesses must modernise their infrastructure around cryptographic assets and technology, ensuring all essential components are in place such as a centralised certificate life cycle management. It’s also important to have post-quantum-ready infrastructure including public key infrastructures and hardware security modules.
Although the standards are not yet finalised, we do have a first set of approved quantum-safe crypto algorithms from the US National Institute of Standards and Technology’s PQC competition. While draft standards are expected this summer, it’s important for firms to be working with vendors to identity PQC testing opportunities within their networks and start testing with these initial algorithms to understand their overall impact. It’s also vital to remember that crypto is dynamic and changes over time, as do best practices for adopting standards, so these initial steps will put businesses in a good position to evolve as the landscape does.
The quantum threat is inevitable, and the journey to quantum safe will be complex, but there is still time to prepare – and that time is now.
Samantha Mabey is product marketing director at Entrust
This article was originally published in the Summer 2023 issue of Technology Record. To get future issues delivered directly to your inbox, sign up for a free subscription