
Cyber Security In the Quantum Era: Where To Start

'The risk-averse approach is to ensure your organization is protected as soon as possible,' says Atsushi Yamada, CEO of quantum cybersecurity outfit ISARA.

Quantum computers, in contrast to the classical computers we are all familiar with, leverage the principles of quantum mechanics to perform computations. While they hold tremendous potential for solving certain problems exponentially faster, a threat looms over the core foundations of our digital security. As we usher in an era of unprecedented computational power and speed, the traditional cryptographic protocols that have safeguarded our sensitive information for decades are now under siege.  

But fear not: there are tangible steps IT leaders can take to protect their organizations, according to Atsushi Yamada, CEO of ISARA, a security solutions company based in Ontario, Canada. Its mission: to create a crypto-agile and quantum-safe world where the possibilities and benefits of quantum computing are realized without giving up digital trust and privacy. He shares a bit of his best thinking as we head into this very unknown unknown.

What do CIOs and CISOs need to know about quantum computing’s impacts to security and IT?

Quantum computers have the potential to break current cryptographic algorithms, compromising the confidentiality and integrity of sensitive data. All industries and government sectors that rely on cryptography to protect sensitive data, secure communications, or manage transactions will be impacted.

Today, classical cryptographic algorithms are used almost everywhere, and post-quantum cryptographic algorithms are still being standardized. Eventually, the classical algorithms that we rely on today will be obsolete. 

IT networks typically use cryptographic mechanisms to ensure that only designated personnel can access network resources. After all, you can’t let just anyone go read or modify data, change system configurations, and so on. This authentication uses quantum-vulnerable cryptography—meaning your valuable data is at risk from attacks using quantum computers.

In some cases, attacks against a single resource or asset can cause widespread damage, disrupt business operations, and can be difficult and expensive to remediate. An example here could be an attack against the root of trust in a public key infrastructure. If the root certificate authority’s private key is compromised, then there can suddenly be a complete breakdown of trust throughout the PKI.

There are numerous other examples I could also give, such as forging of credentials, fabricating authentic-looking documents, or decrypting sensitive and private communications. This is why it is so important for organizations to compile an inventory of their cryptography now. Where are you using it? How are you using it? Is it vulnerable? What happens if it is successfully attacked?

The good news is that an industry-wide effort has been underway since 2016 to develop and standardize cryptographic algorithms that will replace current quantum-vulnerable standards. This effort has included researchers, standards organizations, industry stakeholders, government entities and policymakers. The initial selected cryptographic algorithms are currently going through the final phases of the standardization process and are expected to be published sometime in 2024.

Why is it important for organizations to embrace post-quantum cryptography now?

I see four primary reasons why embracing post-quantum cryptography now is critical: to protect data, reduce risks, control costs, and create or maintain competitive advantages.

The migration to post-quantum cryptography will be a complex and time-consuming process requiring thorough testing and evaluation before implementations can be done. By starting now, the migration can be better planned, costs can be controlled, and errors can be kept to a minimum. A rushed migration can be error-prone and costly.

Because we can’t predict exactly when a quantum computer large enough to break currently used cryptography will emerge—reasonable estimates are in the 10–15-year range, but it could be less—the risk-averse approach is to ensure your organization is protected as soon as possible.

Delaying the migration leaves organizations vulnerable to potential attacks. In some cases, threat actors may already have your encrypted data and are waiting until they have the quantum capabilities to decrypt it. If you’re manufacturing devices or equipment that are expected to be operational for a long time, then you need to make sure they are quantum-safe before they go into the field. This means including post-quantum cryptography into the development plans now.

Eventually, using standardized post-quantum cryptography will be a requirement. Your customers will demand it, regulation will likely require it, and it will just make good sense from a business operations perspective. We have seen how costly business disruptions from cyberattacks can be, and this seems like a threat we can work to avoid. Organizations that are quantum-safe will have clear advantages over those who are not.

What does a migration to post-quantum cryptography entail?

Just think about the enormity of cryptographic migrations in the past. We often talk about the parallels to the migration from the SHA-1 to the SHA-2 hash functions or from the Triple-DES to the AES encryption algorithm, specifically that the migrations took decades and in some cases are still ongoing. The reality is the post-quantum cryptography migration is even more intricate and complex.

While I can’t give you a complete answer here about how to do a migration, I will give you some highlights. The migration to post-quantum cryptography involves a comprehensive and phased approach to replace existing cryptographic algorithms with quantum-resistant alternatives. This means updates to software libraries, protocol standards, network infrastructure and other components to support the use of quantum-resistant algorithms.

Organizations must first conduct a thorough risk assessment—I like to call this an inventory—of their cryptography to evaluate the potential impact of quantum computing on their systems and infrastructure. This will help identify and prioritize the systems, applications, and data that are most critical and vulnerable.

Organizations must then select suitable post-quantum replacements. This process involves evaluating different quantum-resistant algorithms based on their security, performance, interoperability, and suitability for specific use cases. It is critical to consider factors such as algorithm maturity, ongoing research, standardization efforts, and the requirements of your customers or suppliers.

Once the proof-of-concepts have been completed, the solutions identified, and the plans made, the next step is to start implementing the migration plans. It can also involve acquiring new assets such as cryptographic libraries, digital certificates, hardware security modules or other pieces of software and hardware. Continual testing is required throughout the process to ensure things are going properly and as expected, and the migration plans should be adjusted or updated as necessary.

How can organizations kickstart their post-quantum cryptography migrations?

It starts at the top. The migration to post-quantum cryptography involves critical decisions around technology, budget and resource allocation, and governance. That’s why it’s important to take things one step at a time. I recommend taking a phased, iterative approach as organizations evolve their infrastructures and environments. This will help ensure that you can assess changes, mitigate risks, and minimize errors and costs.

Start by gathering the stakeholders for strategic alignment, decision-making, risk management, communication and stakeholder engagement. Bringing together the organization’s leaders ensures that everyone is on the same page regarding the significance and impact of post-quantum cryptography. It allows for a shared understanding of the need for migration and the strategic goals behind it.

By aligning stakeholders and appointing a person or a team to lead the migration efforts, organizations can develop a unified approach and vision and get their migration roadmaps in order.

Taking steps to embrace the post-quantum migration now provides organizations with the necessary lead time to do the testing, conduct proof-of-concepts, gain the required expertise, train staff, and smoothly transition from quantum-vulnerable to quantum-safe.

