无忧传媒

Cybersecurity in the Quantum Risk Era

By and

The Threat

Quantum computers won鈥檛 be good at everything, but they excel at solving the problems adversaries need to overcome to break today鈥檚 public key cryptography. Cryptography encompasses a range of efforts to encode information in ways that keep secrets and prove identities. In the computer age, cryptography has become a science of computational security. Even with the power of all the world鈥檚 classical computers, there are specific problems鈥攁t specific scales鈥攖hat can鈥檛 be solved in our lifetime. These are the problems at the foundation of public key cryptography. Public key cryptography has long enabled people to:

  • Secure data against unauthorized access (confidentiality)
  • Ensure data is not altered by unauthorized parties (integrity)
  • Validate users鈥 identity (authentication)
  • Verify that data comes from a certain sender (nonrepudiation)

All this must be done without compromising the availability of critical assets. Unfortunately, quantum computers will solve the previously intractable mathematical problems at the heart of most widely used public key encryption algorithms. The need to counter this threat is hard to overstate.

The Solution

Since 2016, the National Institute of Standards and Technology (NIST) has worked diligently to identify robust solutions to the quantum cyber threat. This is what鈥檚 called (PQC). It鈥檚 designed to defend against classical and quantum attacks. It shifts the mathematical problems at the foundation of our cryptosystems from problems that are easy for quantum computers to ones that are believed to be hard. The solution is clear, but implementation won鈥檛 be easy. PQC has inherently different computational characteristics than the algorithms it will replace.

This transition will require careful performance and interoperability testing to ensure secure implementation, mitigate impacts on the availability of crucial network assets, and provide backward compatibility and interoperability during the transition. To achieve these goals, organizations must conduct robust planning and should consider early pilot testing before enterprise transitions. The federal government recognizes the vast scope of this undertaking and has set out specific requirements for agencies.

鈥淎n increasing number of mandates across the Executive and Legislative Branches require agencies to start preparations to ensure a swift transition to PQC when NIST standardizes the algorithms in 2024.鈥

You can see these requirements in , , and .听

The Danger of 鈥楬old Now, Decrypt Later鈥 Attacks

Federal agencies must act quickly to reduce their quantum attack surface. When discussing the quantum cyber threat, it鈥檚 important to differentiate quantum algorithms and quantum computers. A quantum algorithm uses quantum operations to create an advantage over the current state of the art. Seizing that advantage in the real world (e.g., launching an attack) requires a quantum computer powerful enough to run the algorithm at scale.

A quantum algorithm capable of cracking all public key encryption already exists. What鈥檚 still missing is a quantum computer powerful enough to run that algorithm against modern key and certificate sizes. That gives many organizations a small window to address these vulnerabilities before the quantum attack vector opens. Other organizations are already at an elevated risk due to the emergence of 鈥渉old now, decrypt later鈥 (HNDL) attacks. HNDL risks have been highlighted publicly in the Center for Strategic and International Studies鈥 report on .听

鈥淪ome national security data needs to stay secure for decades. While quantum computers aren鈥檛 powerful enough to break public key encryption today, it鈥檚 only a matter of time.鈥

If an adversary acquires information secured by classical public key encryption, they can store those assets for later decryption. It鈥檚 unknown when quantum computers will reach the capacity to break classical cryptography鈥攊t could be five years, or 10, or 20. But there are many cases where that timeline doesn鈥檛 matter.听

  • Corporations often depend on intellectual property (IP) for competitive advantage鈥攁nd the value of this IP can extend across decades.
  • Personal identifiable information (PII) and protected health information (PHI) must be kept secure throughout one鈥檚 life.
  • Some national security data needs to remain secure for decades.

HNDL attacks challenge old ideas around data breaches. In the past, when adversaries gained access to networks where data was protected by strong encryption, stakeholders considered those assets to be secure. That assumption changes in a quantum-enabled world. If that data was not secured by PQC, the breach鈥檚 impact is tied up in a cascading series of questions that become increasingly difficult to answer. These questions require diagnostics around what was taken, how it was encrypted, and鈥攏ow鈥攈ow long it needs to stay encrypted to ensure the compromised information does not harm an organization鈥檚 strategy or operations.听

鈥淎gencies have little ability to mitigate the impact of HNDL attacks once executed, and there may be little certainty whether HNDL is part of the intent for exfiltration.鈥

Organizations must act quickly to reduce these risks by moving to PQC. This will reduce the number of assets vulnerable to HNDL attacks.

A Strategic Framework for Moving to PQC

The move to PQC should start with a comprehensive assessment. Agencies must understand their cryptographic infrastructure and create a strategic plan for integrating new, quantum-resistant algorithms. The journey to PQC unfolds across three stages:

  1. Discovery and Prioritization: Review the cryptography you rely on to secure information in both high- and low-side networks. Collect cryptographic telemetry to identify data and communications vulnerable to quantum attack. With the risk of HNDL attacks in mind, prioritize your most sensitive assets for transition to PQC as soon as practicable.

  2. Performance and Interoperability Testing: Next, assess how integrating PQC algorithms will affect network and system performance and interoperability. PQC algorithms have different computational characteristics, increasing the required bandwidth and computational cost for encryption and authentication. Higher cost to compute can drive latency. In some cases, agencies may even need to buy new hardware. You will need to carefully test infrastructure and network upgrades to ensure they work seamlessly with existing systems and protocols, both in-house and through coordination with vendors.

  3. Transition: Ensure your legacy systems and vendors use the new PQC algorithms. Establish governance to enforce cryptographic agility throughout your enterprise. Along the way, align your use of cryptography with best practices by requiring proper key management, using forward secrecy, and conducting penetration testing against side-channel attacks. Ensure PQC enhances security without disrupting the mission-critical workflows it is designed to protect. Consider factors like algorithm selection, infrastructure dependencies, and user impact to create a balanced approach to PQC while maintaining operational continuity.

鈥淭his transition will require the collaborative efforts of government, academia, and industry and a 鈥渨hole-of-government鈥 and 鈥渨hole-of-society鈥 approach. The interconnected nature of our digital ecosystem creates a shared responsibility to protect it.鈥

Shaping the Future of Quantum Resilience

Quantum computers will break today鈥檚 public key encryption. It is a matter of when鈥攏ot if. The known risks of adversaries harvesting data for future decryption escalate the urgency of addressing these vulnerabilities.

Fortunately, you can use automated cryptographic discovery methods and tooling designed to work with your existing cyber telemetry. Deploying new cybersecurity sensors requires significant time and resources. That鈥檚 time many federal agencies don鈥檛 have, given the risks of HNDL attacks鈥攁nd resources they may not need to expend. Many organizations already deploy cybersecurity sensors that capture cryptographic metadata. Unfortunately, they cannot often parse this information in a meaningful way. 无忧传媒 recognized this problem early and developed a solution that has helped our federal and commercial clients use existing tools to gain the visibility they need into their cryptographic vulnerabilities. With a comprehensive understanding of their quantum attack surface, our clients have the information they need to prioritize high-impact use cases for performance and interoperability testing in 无忧传媒鈥檚 PQC Lab or an analogous sandbox we create within their environment.听 聽 聽

Contact Us

Learn how 无忧传媒 supports federal agencies and large commercial entities in their PQC transitions. Our PQC tools, services, and partnerships are grounded in a large portfolio encompassing quantum computing, quantum sensing, and quantum communications.听



1 - 4 of 8