6 CRITICAL QUESTIONS TO PONDER TO MAKE SURE YOUR BUSINESS IS QUANTUM-SAFE
It is estimated that over 20 billion digital devices will have to be upgraded or replaced with new quantum-safe encrypted communication as technologically advanced quantum computers will soon be capable of cracking modern encryption.
Buzzwords like “post-quantum” and “quantum-safe” have become common in discussions of sensitive-data encryption since the National Institute of Standards and Technology (NIST), a division of the US Department of Commerce, announced four new algorithms poised to become new encryption standards in 2024.
Processor qubits are multiplying in number and becoming more stable, and are getting ready to take on complex problems deemed insurmountable for classical machines. As quantum computers progress to their full potential, they also risk cracking modern encryption that could compromise sensitive data.
The time is now to implement quantum-safe cryptography
That’s where quantum-safe cryptography – based on the mathematics of lattices – comes in. Unlike today’s typical factoring-based encryption techniques such as RSA, whose security relies on the difficulty of factoring very large numbers, quantum-safe cryptography works instead with vectors – directions in a structured lattice.
The quantum threat to encryption is so serious that in May 2022, the White House issued a memorandum with the administration’s plan to secure critical systems against future quantum computers. This was followed by the National Security Agency’s (NSA) release of a new Commercial National Security Algorithm Suite (CNSA), detailing the use of new quantum-safe algorithms together with a timeline for replacement.
The World Economic Forum also estimated that in the next decade or two, more than 20 billion digital devices will have to be upgraded or replaced with these new forms of quantum-safe encrypted communication.
Some industries have already begun planning for the switch to quantum-safe protocols. Telecommunications industry organization GSMA formed a Post-Quantum Telco Network Taskforce last September, with IBM and Vodafone joining as initial members. The aim is to help define policy, regulations and operator business processes to protect telcos from future quantum threats.
The taskforce recently published a Post Quantum Telco Network Impact Assessment, an in-depth analysis of the quantum security threats facing the telecommunications industry and a detailed list of potential solutions to prepare for these threats.
While there’s been a lot of chatter about businesses being urged to “go quantum-safe”, for a typical company those words may raise more questions than answers. At IBM, we’re addressing them with a “quantum-safe roadmap” that takes organizations through the phases of discovery, observation, and transformation.
The answers to these six key questions could help make your business quantum-safe.
- How would you “discover” which data and systems to migrate to new algorithms?
Each company will have its own priorities when it comes to what to migrate and when. For some, it will be necessary to migrate to continue selling products and services to the US federal government. For others, it may be the risk that a future quantum event may put them out of business, for example in the case of a data breach. So first, it’s important to understand where and how old algorithms are used and to analyze the risks involved. This is ideally achieved through extending the use of secure software supply chain concepts that have also been the subject of an Executive Order on Improving the Nation’s Cybersecurity.
To help organizations at this initial stage, IBM developed a tool called Explorer, which scans the source code and object code to surface all cryptographically relevant artefacts, pinpoint their locations, and uncover dependencies. Explorer generates a call graph that catalogues cryptographic artefacts, producing a knowledge base that is arranged into a Cryptography Bill of Materials (CBOM).
- How do you “observe” your organization’s data and systems priorities?
In the “observe” stage, an organization takes what has been discovered and generates a cryptographic inventory enriched with context, to analyze the cryptographic state of compliance. This inventory provides a list of vulnerabilities based on industry-specific compliance policies and business priorities so an organization can more easily update its cryptographic infrastructure.
For this stage, we developed a tool called Advisor. It integrates with network and security scanners in an organization’s IT environment to consolidate and manage CBOMs and collect metadata from other network components to generate a comprehensive cryptographic inventory. With policy-based data, Advisor can generate a list of at-risk assets and data flows that equip businesses to analyze their cryptographic compliance status.
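The discover and observe stages described above can be illustrated with a small added example, which is not IBM's Explorer or Advisor and does not use their output format. It scans source text for cryptographic call sites, records where each one is, and then applies a policy to list at-risk algorithms per file. The detection rules, the policy set, the file names and the sample sources are all assumptions constructed for the example, and the output is a simplified inventory, not a CBOM schema.

```python
import json
import re

# Assumed detection rules for this example: (regex, algorithm name or None to
# take it from the first capture group). A real scanner would parse the code.
RULES = [
    (re.compile(r'\brsa\.generate_private_key\('), "RSA"),
    (re.compile(r'\bec\.generate_private_key\('), "EC"),
    (re.compile(r'KeyPairGenerator\.getInstance\("(RSA|DSA|EC|DH)"\)'), None),
    (re.compile(r'Signature\.getInstance\("\w+with(RSA|ECDSA|DSA)"\)'), None),
    (re.compile(r'Cipher\.getInstance\("(AES)/'), None),
]
# Assumed policy: public-key algorithms that Shor's algorithm would break.
AT_RISK = {"RSA", "DSA", "DH", "EC", "ECDSA"}

# Constructed sample input standing in for a code base.
SAMPLE_SOURCES = {
    "billing/keys.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa, ec\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
        "eph = ec.generate_private_key(ec.SECP256R1())\n"
    ),
    "gateway/Tls.java": (
        'KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");\n'
        'Signature s = Signature.getInstance("SHA256withECDSA");\n'
        'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");\n'
    ),
}

def discover(sources):
    """Discover stage: one record per cryptographic call site found."""
    records = []
    for path, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for pattern, fixed in RULES:
                match = pattern.search(line)
                if match:
                    records.append({"algorithm": fixed or match.group(1),
                                    "file": path, "line": lineno})
    return records

def observe(records, at_risk=AT_RISK):
    """Observe stage: tag each record and list at-risk algorithms per file."""
    flagged = {}
    for rec in records:
        rec["status"] = "at-risk" if rec["algorithm"] in at_risk else "not-flagged"
        if rec["status"] == "at-risk":
            flagged.setdefault(rec["file"], set()).add(rec["algorithm"])
    return {path: sorted(algs) for path, algs in flagged.items()}

if __name__ == "__main__":
    inventory = discover(SAMPLE_SOURCES)
    print(json.dumps({"at_risk": observe(inventory), "inventory": inventory}, indent=2))
```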
Companies can save cost and effort by aligning strategic modernization initiatives that simplify crypto migration and enhance security. A strategy that combines risk with strategic application modernization is the best route to becoming quantum-safe.
- How long will the quantum-safe “transformation” take?
It depends on what is being migrated. A complex legacy system may be very difficult to migrate. Application modernization is key in the journey to quantum safety.
When an organization is ready to “transform,” we have Remediator: a tool that allows businesses to test quantum-safe remediation patterns so that they understand the potential impact on systems and assets. Remediator helps the organization apply whichever pattern suits it to become quantum-safe.
It allows the organization to work with different quantum-safe algorithms, certificates and key management services. And it helps them to quickly adapt to changing policies and threats without significant operational or budgetary implications. Remediator also supports a hybrid implementation approach that allows organizations to use classical and quantum-safe cryptography in their transition toward quantum-safe algorithms.
- Can the transformation be done in the background of your normal operations?
With the right awareness and strategic governance, it is possible to gradually migrate a company with minimum impact. Take for example APIs that an enterprise might use internally or offer externally. It is very straightforward to use quantum-safe-enabled infrastructure components that provide access to these APIs, protected with quantum-safe algorithms. IBM used this approach to offer a second quantum-safe gateway to its IBM Cloud Key Protect services.
- What are the new NIST algorithms, and how do we know they really are more secure?
The best way to think about these algorithms is as the next generation of cryptographic algorithms. They have now been selected for future US federal use and will find their way into many other countries’ and industries’ regulations. The algorithms were developed by external consortia from around the world and submitted to a competition organized by NIST. This six-year process led to intense and open scrutiny of the algorithms and to four candidates being selected by NIST for standardization by 2024.
- Why should you invest in this migration now, when quantum computers are not yet fully practical?
We don’t know when a cryptographically-relevant quantum computer will be developed. But a new generation of cryptography to protect against this future is already here. The adoption of quantum-safe cryptography is finding its way into legislation and ecosystems, and most companies will have to support it.
Starting this journey today through awareness of the need to migrate at a strategic level has many advantages. Steps that simplify migration can be added to existing security initiatives and application modernization programs. This will minimize effort and save costs in the long run. Waiting, on the other hand, means that more at-risk legacy is being created, making it more difficult to eventually migrate.
That’s why you should start the journey to quantum-safe algorithms today.
Source: WEF