Post-quantum computing is an inevitable threat to cybersecurity. We know there will be a quantum computer powerful enough to break the RSA and ECC cryptographic algorithms that are being used today. What we don’t know is when this is going to happen.
In an effort to gain clarity on when this threat might become real, the Global Risk Institute did a global study where they surveyed a diverse set of leaders and experts in relevant areas of quantum science and technology. Predicting the timeline is difficult, and as expected, the opinions varied. But there were some patterns that emerged from their responses.
Source: Quantum Threat Timeline Report, Global Risk Institute (2019)
While the results suggest the threat is likely a decade or more away, it’s good to start planning now to get ahead of it. As stated in the report:
The urgency for any specific organization to complete the transition to quantum-safe cryptography for a particular cyber-system relies on three simple parameters:
- the shelf-life time: the number of years the data must be protected by the cyber-system;
- the migration time: the number of years to migrate the system to a quantum-safe solution;
- the threat timeline: the number of years before the relevant threat actors will be able to break the quantum vulnerable systems.
If the threat timeline is shorter than the sum of the shelf-life time and of the migration time, then organizations will not be able to protect their assets for the required years against quantum attacks.
This is why it’s important to understand the threat timeline, and flag this as an issue now, since the migration from RSA to something new could take several years. One thing you can do today is to perform a cryptographic inventory to assess and understand what algorithms are in use, in which of your systems. Some examples of things to look for:
- Are the devices and systems in use capable of having their cryptography (certificates and keys) updated?
- Are the devices and systems that are unable to take updates isolated in terms of their exposure or limited in their interaction with sensitive systems?
- What is the life expectancy of the deployment of your cryptography?
- Are any algorithms hard coded into your systems?
From there you can begin to develop and implement strategies to improve crypto agility, segmentation and understanding within your organization.
The Global Risk Institute plans to update this report on an annual basis, to track the evolving opinions of leaders in this space. Entrust Datacard actively engaged in research for Post-Quantum technology which we will continue to share, as well as providing resources and information to help you and your organization prepare.
Download the Quantum Threat Timeline report from the Global Risk Institute.