A call for organizations to take quantum security seriously has been sounded in a new report by Forrester Research.
The report titled “Quantum Security Isn’t Hype — Every Security Leader Needs It” acknowledged that the commercial availability of quantum computers that can crack traditional asymmetric cryptography is still five to 10 years away. However, it added that organizations must assess and prepare for the impact of quantum security now.
While the encryption market has a history of vendors publishing incredible claims like “unbreakable encryption,” the hype and interest around quantum is real because hackers are already using the “harvest now, decrypt later” approach, noted the report written by research director Merritt Maxim and analysts Andras Cser, Sandy Carielli, and Heidi Shey.
Organizations need to start preparing now to secure their resources from attacks from quantum computers since it will take them years to do it because the transition won’t be totally under their control, explained Carielli. “There’s a lot of reliance on third parties,” she told TechNewsWorld, “and reliance on vendors upgrading their technology so you can upgrade yours.”
“There are a lot of steps along the way,” she continued, “so I think you’re talking in terms of numbers of years, and that’s why we’ve always been saying start now, even if this is not something that will come into play for another five or 10 or whatever years. It will potentially take that long to complete the migration.”
Harvest Now, Decrypt Later
Jamie Boote, associate principal security consultant at Black Duck Software, an applications security company in Burlington, Mass., asserted that quantum computing would disrupt decades-old conventions in terms of how well current encryption algorithms can safeguard sensitive data.
“An entire generation of professionals has lived with the slow cycling of encryption algorithms in and out as computers grew faster at a predictable rate, and this is going to throw that cadence away,” he told TechNewsWorld. “This change isn’t going to be instant, and it’s not going to be easy, but the more we can prepare our infrastructure to just work in the post-quantum computing era, the fewer incidents stemming from unmaintained or older components will occur.”
“There’s a saying that ‘The best time to plant a shade tree was twenty years ago, the second-best time is today,’ but right now, we’re living at a point where it is the best time to plant that metaphorical shade tree of security to enjoy the benefits when the time is right,” he added.
Organizations should also be getting their quantum security efforts into gear because “harvest now, decrypt efforts” are being conducted by nation-states and cybercriminals. “Industries that have data that needs to remain private for years into the future are at most risk of harvest now, decrypt later,” explained Rebecca Krauthamer, co-founder and CEO of QuSecure, a maker of quantum-safe security solutions, in San Mateo, Calif.
“When it comes to data like national security information, bank account information, data that’s valuable year after year — when a quantum computer does come online, it can decrypt that stockpiled data,” she told TechNewsWorld. “That’s why we see governments and banks moving very quickly to start addressing the quantum threat, even though there is no quantum computer that exists today that will break today’s encryption.”
Valuable Exercise
Preparing for “Q-Day” — even if it never arrives — can be an incredibly valuable exercise, maintained Richard Stiennon, founder and chief research analyst at IT-Harvest, a cybersecurity industry analyst firm in Birmingham, Mich.
“You should be doing it anyway,” he told TechNewsWorld. “You should be discovering all the places you have encrypted data. That will tell you where your family jewels are. And it’ll tell you the size and scope of problems you’ve got.”
“Now you’ve probably got all this encrypted data all over the place,” he said. “You don’t know who owns the keys or how to get to them. They’re probably insecure. They’re probably old and need to be re-keyed. So, you have to think about getting your hands around this, right? How do you find all the encrypted data? Find the way it’s encrypted so you can decrypt and re-encrypt it if you need to?”
“When you talk to some end users, they don’t know what’s being protected by cryptography,” added Heather West, senior research analyst at IDC, a market research company in Framingham, Mass.
“For some, it’s a mixture of different types of solutions,” she told TechNewsWorld. “Some have band-aid solutions. Some just don’t know. So, you first need to understand what data and infrastructure are most at risk. Then you need to know what you’re doing to protect it and figure out which post-quantum cryptography algorithms would be best suited for protecting it.”
However, Luigi Caramico, co-founder and CTO of DataKrypto, a cloud encryption company in Burlingame, Calif., warned against investing too much effort today in quantum-resistant solutions.
“An encryption method considered quantum-proof today may not remain secure in the future,” he told TechNewsWorld. “Instead, I would prioritize addressing present-day vulnerabilities, such as the ‘encryption gap’ — the need to decrypt when it’s in use — which poses an immediate and tangible risk to data security.”
“Investing heavily in today’s “quantum-proof” solutions could also be risky,” he added. “Some of these algorithms may eventually be found vulnerable to classical attacks, let alone quantum ones. A better strategy is quantum agility — ensuring cryptographic systems can be updated as stronger and more thoroughly vetted algorithms emerge.”
Quantum Security Demands Crypto-Agility
Quantum security and crypto-agility — the ability to replace and upgrade cryptographic — algorithms in infrastructure, commercial and in-house-built applications — will improve the security of any information exchange, improve digital signatures, and mitigate the risk of “harvest now, decrypt later” attacks, the Forrester report noted.
Quantum security will force an overhaul of systems across an organization, and organizations will need to upgrade their entire security stack to ensure crypto-agility for the future to protect their data, it added.
“Crypto-agility is crucial in today’s fast-evolving digital environment, where new technologies, algorithms, and security challenges require constant adaptation,” said Tim Callan, chief compliance officer at Sectigo, a global digital certificate provider.
“Because algorithmic trust is imperfect, organizations must use this opportunity to design security that is modular and enable algorithms to easily be swapped in and out like security Legos,” Matt Mittelsteadt, a research fellow at the Cato Institute, a Washington, D.C., think tank, told TechNewsWorld.
“If any of these algorithms are found insecure, which is indeed possible, organizations that design with modularity in mind will be able to quickly swap in a replacement and maintain security,” he said.
Trillion-Dollar Risk
“The Forrester report is exactly right about the threat of quantum computers,” asserted Stefan Leichenauer, vice president of engineering at SandboxAQ, a developer of B2B and quantum software in Palo Alto, Calif.
“In as little as five years, we could see a quantum computer crack traditional cryptography, and because of ‘hack now, decrypt later’ attacks, the vulnerability exists today,” he told TechNewsWorld.
“Even if we have doubts about whether a quantum computer will arrive in that timeframe — maybe you think it’s only a 10% chance — a modest probability of a trillion-dollar-loss event is still a big problem,” he said.
“We’ve seen a number of recent announcements from the quantum computing industry showing that the roadmap is advancing, so our confidence that quantum computers are coming has only gone up,” he added.
“Every organization needs to evaluate their cryptographic posture, which begins with a careful inventory of their use of encryption and then a crypto-agile migration to post-quantum key exchanges. It’s a multi-year process, so the time to start is now.”
