How to Modernize Your Cryptography Ahead of the Quantum Threat

With 2024 fast becoming a pivotal year for quantum technologies, attention is turning to how quantum computers will soon be capable of easily cracking our current encryption standards.

'Harvest now, decrypt later' attacks – where cybercriminals may already be storing data for when quantum computers become powerful enough to break traditional cryptographic methods – contribute to the urgency of the threat, making the need to modernize cryptography systems an immediate priority.

The Importance of Cryptography

Cryptography is the foundational discipline on which all data protection is built. Over the past two decades, the core technologies underpinning cryptography standards have remained relatively constant, but the last 12 months have been transformational. The US National Institute of Standards and Technology (NIST) is leading the charge by developing a new global benchmark, published in August 2024, to bolster defenses against quantum attacks.

The standards are the culmination of an eight-year process which brought together the entire cryptographic community – including government agencies, academics, startups and industry voices.

In preparation for the standards, in 2022, NIST announced that all US public agencies must identify and inventory any vulnerable systems from May 2023 onwards. Then, in March 2023, the White House released its National Cybersecurity Strategy, recommending that the private sector follow the same model in preparing its own networks for the migration to quantum resistance.

As a result, this year we have already seen Apple unveil a protocol to protect iMessage data from quantum attacks, following other security-conscious tech providers like Google Chrome, the Signal Protocol, and ExpressVPN in taking this step.

Hardware giants like NVIDIA and AMD are also busy building quantum-safe algorithms into their products, and with the US government mandating the migration to post-quantum cryptography for federal agencies through the Quantum Computing Cybersecurity Preparedness Act, there is now real pressure for NIST’s standards to be implemented across the supply chain.

But in such a complex field, understanding where to even begin in this process is a challenge. Here are the actions organizations should take to make their systems quantum secure.

Examine External Risk Factors

Historically, there has been a misconception that government bodies are solely responsible for protecting against the quantum threat, and that national security and defense are the only sectors impacted. The truth is, if your data and intellectual property are currently at risk of a cyber-attack, you need to assess your exposure to the quantum threat.

However, the wider quantum security implications will be different for specific industries. For example, an area gaining attention is how to bake quantum-secure protocols into connected vehicles manufactured in the next few years, as they will still be on our roads for decades. This can make them vulnerable to future quantum attacks, unless manufacturers start to integrate post-quantum cryptography into their products today.

In other areas of manufacturing, it will be increasingly important for manufacturers to assess how their assets are secured in the post-quantum era. This is especially true in production control, where manufacturers often depend on long-lasting, expensive and critical systems and equipment: controlling automated assembly lines, ensuring plant floor safety and protecting asset processes into the future will be a priority.

Meanwhile, within the pharmaceutical industry, there’s a broad range of risks beyond the exposure of Personally Identifiable Information (PII). Quantum computing is expected to make attack methods like digital signature forgery easier, enabling criminals to order controlled substances.

These are just a few examples of how the advent of quantum computing can impact cybersecurity across different industries.

Assess Internal Processes

Regardless of the industry vertical, it’s essential to understand how cryptography impacts your organization and where it is being used. This will allow you to distinguish between issues that stem from your internal systems and those that lie across your supply chain. For the majority of businesses, the critical factor for a successful transition is assessing their supply chain – many banks trying to modernize their cryptography, for example, find that 80% of their vulnerabilities lie with their suppliers.

There’s no use solely focusing on your own business’s quantum-readiness if you’re relying on a supply chain that is exposed, so it’s vital to understand all of the suppliers involved across your business processes. Ask them about the cryptography used in their products, and assess where they are on the journey to being post-quantum ready. Alternatively, you can partner with systems integrators to carry out this audit and factor this into an overall strategy for migration to quantum-proof cryptography.

Of course, vulnerabilities in the supply chain don’t need to prevent a business from assessing its own internal risk areas. This is not an easy task – legacy protocols may clash with the differing demands for power, storage and bandwidth required by post-quantum cryptography – but post-quantum specialists will be able to discover vulnerabilities rapidly and create a strategy for your migration to quantum-secure cryptography as you engage with suppliers.

Quantum-secure products will be in huge demand in the coming years, so the sooner manufacturers start factoring this into product design processes, the sooner they can understand the performance accommodations that will need to be considered.

The Road to a Quantum-Safe Future

Quantum computing is on the cusp of making current encryption obsolete. It’s vital we begin the process of modernizing the world’s digital infrastructure, but migrating from one encryption regime to another, across hundreds of thousands of organizations, will take years.

The good news is that governments and private businesses are starting to take the necessary action to safeguard the future of our data, and to recognize the importance of quantum-resistant cryptography.

However, in order to ensure all businesses and individuals are protected from the quantum threat, governments need to continue working with the cryptographic community on making current standards more robust against future threats, updating their guidance and enforcing timelines for transition.

In the meantime, private businesses across all industries must place migrating to quantum-secure cryptography on the agenda for 2024 and start building a clear plan, which includes looking beyond their internal systems and assessing their supply chain’s quantum-readiness. Only then will we have a wider ecosystem that is quantum secure.
