As governments map a path toward next-generation cryptography, businesses must take steps today to ensure the integrity of their most important data before quantum decryption opens the door to all of today’s secrets.
In recent months, there has been a welcome acceleration in government planning for a post-quantum world. The Australian federal government launched the National Quantum Strategy in May, which clearly states the three key categories of quantum technology as it impacts our future: quantum sensing, quantum computers, and quantum communications.
While there are many elements of quantum technology that sit on a long horizon, it feels important for every business to understand, as soon as possible, what will change when stable quantum computing arrives. Within quantum computation lies the age of post-quantum cryptography, and whether your business directly deploys quantum computers or not, it will bring fundamental change to the nature of cybersecurity.
We have probably all heard the core concept – today’s most powerful encryption algorithms will soon see a day when an adversary has the power to break the key in minutes or even seconds. This is a Y2K tier concern, with even more certainty that the crisis will have real impact but little certainty on when exactly it could be. Ten years? Five years? One year?
What we do know is that motivated adversaries with nation-state-level resources will be eager to be the first to achieve this level of quantum technology. Once it is available, there will be those who intend to use it both in real-time online and to decrypt stolen data they have held for some time but have not yet been able to crack.
In the absence of direct solutions today, enterprise security should be building as much visibility as possible on its specific cryptographic trust profile. Like so many other areas of technology, we cannot build a clear roadmap for something we haven’t measured. For digital trust in our modern, connected world, that means building an inventory of the certificates that underpin every secure digital asset and communication protocol. It involves having the crypto agility in place to be able to seamlessly find and replace encrypted assets with updated ones when necessary.
We know that the average large business has thousands of certificates, with global-scale enterprises holding into the tens of millions across an organisation. But how many know exactly where they all are and analyse them for potential risk factors?
Through tools like our own DigiCert Trust Lifecycle Manager, any organisation can identify and manage its certificates and PKI services in a centralised way. This is an essential step toward knowing where all your digital assets lie, what algorithms are being used to protect them, how your certificates are currently managed, and when they expire.
By creating an inventory, it becomes possible to prioritise for a post-quantum future. Which digital assets are your most important for long-term protection? What is most at risk? We know that asymmetric algorithms like RSA and ECC are under threat, while symmetric keys like AES-256 look to be quantum-safe. Across our networks, services and devices, we can build an understanding of where we need enhanced protection and how to prioritise our most critical assets.
How do you ensure your most valuable secrets are hard to find in a world without locks? We can consider these questions today to put plans in place before quantum-safe algorithms are a must and before it is too late.
As an industry, we need to continue to build our understanding of the change that is to come and to know what it means to be as prepared as possible. For our part, DigiCert is working closely with industry and government agencies, like the National Institute for Science and Technology in the USA on defining next-generation standards that will deliver the protection we need in that post-quantum era.
Ideally, we will have new solutions in place ahead of the quantum technology being available. But today’s standards have been built over the course of the past two decades, so while there is cause to move quickly, every new standard needs to be carefully considered and rolled out to ensure we get it right – especially given the stakes of a post-quantum era.
We know there’s a lot on the plate of CIOs and CSOs today. But achieving visibility as your starting point to building plans for the next era of cybersecurity should become an important tool in your arsenal when questions begin to land from the board on whether you have taken any steps to understand your organization’s readiness for a post-quantum future.