One thing is certain: The day will come when quantum computers are powerful and reliable enough to render traditional encryption obsolete. What’s less certain is when it will arrive.
But it’s imperative that agencies prepare today. Wait too long, said Keyfactor’s Chris Hickman, and “you won’t have enough runway to keep your organization safe while you go through all the planning steps. It has to be done now.”
The National Institute of Standards and Technology (NIST) is set to release its post-quantum cryptographic standards later this year, which will mean better tools for quantum-resistant encryption.
But people aren’t always aware their data is already at risk of a quantum attack, according to Hickman. “We know data is being stolen now for decryption later,” he said. Hackers don’t need to invade your system to steal encrypted files; they can grab encrypted traffic from the internet and store the information until quantum can crack it, he explained.
The First Step Is Discovery
The Office of Management and Budget’s Memorandum M-23-02 offers guidance for federal agencies in meeting the requirements of the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. It calls for inventorying and prioritizing all cryptographic systems because every encrypted resource is vulnerable if it’s not upgraded to post-quantum cryptography (PQC).
“The reality is, you’re only as good as your weakest link,” Hickman said. “And the problem we’ve seen most is that organizations still lack visibility. [Encryption] is in everything, and now you’ve got to go find it.”
That’s difficult because certificates and certificate authorities are salted throughout systems, such as in individual Internet of Things (IoT) devices in the field and inside open source code. “It’s important that you find [all of them] and that you continue to have that visibility,” Hickman said.
Keyfactor’s Command platform “has the ability to inventory certificate authorities from a number of different points,” Hickman said. “It’s able to connect to appliances and applications on the back end that may have certificates and inventory what’s present in those devices as well.”
Agile Encryption for an Uncertain Future
But it’s not one and done. The federal mandates call for agility in dealing with PQC, because cybersecurity remains an arms race with bad actors.
That requires continuous solutions. Keyfactor’s platform includes a lifecycle manager for encryption certificates that “detects them, finds them, brings them all in, and is able to manage them on an ongoing basis,” Hickman said. Keyfactor also offers an open source cryptography stack that allows organizations to implement post-quantum cryptography in their own custom software development, he said.
But the key is to start now.
“Don’t look at it as a tomorrow problem. The analogy I would use is the best time to plant a tree is 20 years ago,” said Hickman. “The next best time is today.”
This article appeared in our guide, “Quantum Computing 101: Getting Ready for Tomorrow’s Tech.”