By Dr. Adam Everspaugh, Cryptography Expert, Keeper Security.
Collaboration is needed to avoid a post-quantum apocalypse
A post-quantum apocalypse is not a plot from a science-fiction thriller. The consequences of the new-future threat posed by quantum computers built to attack classical public key encryption algorithms is severe enough that governments and the security industry are developing new cryptography designed to withstand quantum computing attacks.
Public and private industry collaboration are needed to defend against threats to the current cryptographic standards that support modern network security. The ongoing research and development of post-quantum algorithms and protocols from organisations like NIST, CISA and the NSA are critical, and continue to advance national prioritisation and broader awareness of the threats that quantum computing could pose to cybersecurity. Cybersecurity professionals, researchers and organisations need to stay informed about the latest advancements to prepare for the post-quantum era.
Next decade reality: Time-traveling attackers
Quantum computers that can break modern cryptography may become a reality within the next decade. Though the date is uncertain, the superiority of quantum computing capabilities poses a very real threat to nation-states, enterprises and individuals alike. The primary attack of concern is store-and-crack, where attackers may capture and store encrypted information and web traffic now, and then when quantum computers are available, break the encryption and read the secrets that are stored. If the secrets are still valuable in the future, attackers can use them to exploit sensitive systems.
Quantum computing algorithms are known to break public key cryptography including RSA and elliptic curve cryptography by efficiently solving the underlying hardness problems on which these cryptosystems rely. To address this risk today, the industry must begin reviewing research and guidance from NIST, in order to incorporate quantum-resistant cryptography to ensure long-term security.
Practical next steps for cybersecurity: Public-private cooperation
Cybersecurity involves not only protecting data now, but also ensuring security into the future. Organisations will need to assess their cybersecurity risks and begin adopting quantum-resistant cryptography where appropriate. This includes understanding which data and systems are most vulnerable and where changes to protection must be prioritised.
The critical next steps for the cybersecurity industry will be to monitor NIST’s progress and watch for the finalised versions of their encryption standards, as well as production software library support. Then, the industry must integrate these new cryptographic standards. This process may take a year or more, so attention and investment must happen now to evade store-and-break-later attacks. A multi-agency cooperative effort by organisations and the cybersecurity community is crucial to ensure the industry is prepared as soon as possible. All organisations and agencies will need to collaborate with CISA, NIST and NSA on tracking the migration to quantum-resistant cryptography and the overall state of quantum readiness.