The Case for Implementing Post-Quantum Cryptography Today
As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Rebecca Krauthamer, the Co-Founder and Chief Product Officer at QuSecure, shares some expert insights on the value of implementing post-quantum cryptography.
Public-key cryptography has become an indispensable component of our global communication digital infrastructure in the past three decades. This technology keeps our data safe and scrambles data by plugging one number into an encryption algorithm, which then descrambles the data when another number is introduced. The former is the “public key,” and the latter is the “private key.” Large-number factoring is the foundation of today’s encryption standards powering public-key encryption. It is mathematically impossible to reverse engineer a private key with a “brute force” calculation on today’s computers.
At least, that’s what it looks like today, but powerful quantum computers will emerge on the near horizon (as soon as three years) that will change things. Quantum computers can slice through data like no computer can today and breakthrough code causing massive data breaches. Classical computers use digital bits to process data as zeros and ones. These computers are typically set for general or special purposes, programmed to perform various tasks. Quantum computers use qubits, which can simultaneously represent any combination of zeros and ones. The logic of a quantum computer offers possibilities beyond that of a traditional computer because it does not have to reduce data to a string of zeros and ones by using sub-atomic properties like superposition and entanglement.
These mega computation devices will unlock too many valuable opportunities to count. And they are also incredibly good at solving precisely the kind of math that has kept public key encryption unbreakable for so many years.
Potential Impacts on Organizations
Imagine a bad actor being able to intercept encrypted enterprise intellectual property, private financial information, personal health data, or sensitive personally identifiable information (PII) that flows across the globe, reading it as quickly as you can read this article. Secrets could be unlocked and leveraged the way we did after cracking the Nazi Enigma codes.
Banks, government agencies, healthcare organizations, other enterprises, or anyone trusted with sensitive information should think not just about preparing for the future but about the SNDL—store now, decrypt later—scenario happening today. Aaron Moore, Co-Founder of Optimized Talent, said, “The immediate threat is that an attacker can record data encrypted using asymmetric encryption now in preparation for breaking the encryption later, once scalable quantum computing is available. This is particularly threatening for long-lived information assets (think bank account numbers, for example). Post-quantum resilience is needed today.”
Widget not in any sidebars
Even if the ability for quantum computers to decrypt data is several years away, data still has a shelf life. Leading organizations understand people need to be able to trust that their data, private health records, and bank account information need to remain secret today and 5 to 10 years from now.
In 2021, the average cost of a data breach was $4.2 million, but the threat is much more significant in quantum. Last year, the Hudson Institute used an 18,000-point econometric model and found that the first quantum computing breach of a top financial institution in the US could start a cascading financial failure that would cost nearly $2 trillion and impair up to 60 percent of the US financial assets. This result would not be a typical data breach and would mean that a hacker has deployed the capability to break down the number one line of trusted defense: encryption.
Organizations have both a financial and ethical responsibility to protect the sensitive data they are trusted with. It is essential to take the threat seriously, and the fix is available. The good news is that you do not need a quantum computer to stop a quantum attack. Organizations can utilize classical math to eliminate holes exposed by quantum computers. NIST (the National Institute of Standards and Technology) is standardizing a new set of quantum-resilient cryptographic algorithms. These algorithms will be the standard in a post-quantum computing world when made official.
This is not theoretical and is an already defined, necessary upgrade. For example, this past January, the White House issued an executive order to put near-term requirements in place for federal agencies to start a quantum resilient upgrade. The memo states that it is now mandatory for government data to be post-quantum secured.
In March 2021, Secretary of the Department of Homeland Security Alejandro Mayorkas outlined his vision for cybersecurity resilience and identified the transition to post-quantum encryption as a priority. The Department of Homeland Security also released policy guidelines to drive their preparedness efforts. Discussions in previous years were much more fragmented, but the executive order makes things clear. Organizations will soon have to upgrade to post-quantum security technology.
Highly regulated industries like healthcare, pharmaceuticals, finance, critical infrastructure, and energy will soon need to follow suit. It is also crucial for organizations that work closely with the government or provides goods and services to anticipate their requirements to become post-quantum compliant.
But even before NIST’s standards and the executive order requirements take effect, there is an opportunity to get ahead of the curve now. A new study from Harvard Business Review (HBR) Analytic Services-The Digital Dividend – First Mover Advantage outlined how organizations can secure the first-mover advantage in terms of public recognition and trust among customers, clients, and revenue. Historically the revenue growth of early adopters is “more than three times the growth experienced by ‘cautious’ technology adopters (those that wait until a technology is well-established).”
Post-quantum cyber-attacks are a real threat we must take seriously, and we need to start right away. But it is an entirely solvable problem for organizations with the proper steps in place.