As part of my hosting duties on the Entrust Engage podcast, I’ve had the pleasure of speaking to some outstanding guests on a variety of topics from the science behind quantum computers themselves, to impacts post-quantum will have on digital security. In the latest episode, I was pleased to get a perspective I hadn’t yet – that of an analyst – when I was joined by guest speaker, Forrester Principal Analyst Sandy Carielli. As we set up the discussion for the episode, here are some of the insights she provided on the state of post-quantum preparedness:
Samantha Mabey: Where do you currently feel like organizations are with looking at PQ and kicking off preparations to prepare against and mitigate the threat?
Sandy Carielli: Organizations are in the early stages of PQ preparation. The financial services and public sectors are the farthest ahead in this area, not surprising given the sensitivity of the data that traverses their systems. The Quantum Computing Cybersecurity Practices Act signed by President Biden at the end of last year speaks to the attention that government is placing on PQ, and the recently unveiled National Cybersecurity Strategy also stresses the importance of planning for the transition to post-quantum cryptography. However, even those industries paying close attention to PQ are at the early stages – aside from a few pilots and proofs of concept, organizations are primarily at the planning stage, with some kicking off cryptographic inventories.
SM: What do you foresee being some of the greatest challenges that organizations will face in preparing for the migration to post-quantum cyrptography?
SC: Cryptographic migration is never easy – previous migrations, such as from SHA-1 to SHA-256, have taken years. Even increasing the key size, such as moving from 1024 to 2048-bit RSA, doesn’t happen overnight. The migration from RSA or ECC to a post-quantum algorithm will be even more complicated – given how deeply embedded cryptographic functions are in code and devices, rip and replace is rarely simple. For software and systems that organizations develop themselves, development teams will need to replace existing cryptographic code with new libraries, but standard implementations of the NIST selected algorithms aren’t widespread. Then there’s the supply chain issue – organizations will rely on their partners and vendors to update cryptographic implementations in their own products before the organization can fully migrate to PQ.
SM: While there is a consensus that the threat (of a quantum computer being able to break traditional public key cryptography in use today) is possibly a decade away, there is a more immediate threat known as “harvest now, decrypt later”. Do you feel like there is a lack of awareness of this threat and that it further justifies that the need to prepare for PQ now?
SC: The “harvest now, decrypt later” threat is understood in pockets, such as government and financial services, and these are the areas where that threat is critical – customers’ bank account numbers and citizens’ government identification numbers are not likely to change in ten or twenty years. This is why these sectors have started to prepare and must continue to do so – they realize that they will need to have migrated to PQ long before a quantum computer is able to break traditional public key cryptography, and that attackers won’t be able to decrypt any PQ-encrypted data that they harvest. Outside of that, security leaders are not as aware of the “harvest now, decrypt later” threat – leaders must realize that any harvested data protected with RSA or ECC could be vulnerable later, including account information, intellectual property, and personal information (which an attacker could use as blackmail material). Broader awareness of the “harvest now, decrypt later” threat would help organizations support PQ preparation strategies.
To listen to the full Entrust Engage Episode “The Road to PQ Preparedness: The Analysts Perspective”, click here.