In 2023, CISA, the NSA, and NIST published several fact sheets and other helpful resources to address threats posed by quantum computing. In 2024, NIST is set to publish its first set of Post–Quantum Cryptography (PQC) standards. This is an early step towards preparing both federal agencies and private companies to adopt new encryption standards that are designed to protect systems from being vulnerable to advanced decryption techniques fueled by quantum computers. The need for this shift is much more immediate than much of the language currently surrounding PQC might suggest. 2024 is the year we will see companies and government agencies taking this threat seriously and taking active steps toward proper preparation.
Top CIO Influence Insights: How Security Culture Will Define Success in the Era of AI
NSA and other authorities have previously said the quantum risk is feasible by at least 2035. This countdown is often referred to as Years to Quantum, or Y2Q. Commercial quantum computers do indeed exist today, although they have yet to demonstrate the projected computational scale without significant limitations. However, it is only a matter of time before the Y2Q countdown becomes months and days – not years.
Quantum computing carries very serious implications for cryptography, the foundation upon which functionally all modern cybersecurity relies. It renders most (asymmetric) cryptography ineffective, leaving sensitive data and critical systems exposed to anyone with the capability. The cryptography that many enterprises and public sector organizations currently rely on is trivialized by quantum computing, a capability that is truly just over the horizon for the more sophisticated and well-financed quantum operations, including those in state-sponsored cyber espionage groups.
Impending cryptanalytically relevant quantum computer (CRQC) capabilities should serve as a wake-up call for those in the IT & cybersecurity community who consider quantum computing to be in our distant future. We need to be careful that the forward-looking term “post,” which has become synonymous with quantum computing, does not lead us down a precarious path of complacency. This threat is much closer than most realize.
In 2023, we’ve seen that organizations are hesitant and apprehensive to accept the threat as a reality without a clear indication of relevance to their business outcomes, hindering any actionable progress from occurring. There is an inherent gap in understanding the magnitude of the threat and specific connection to private and public entities alike.
The key takeaway for IT and OT system owners should be the critical need to establish an integrated quantum planning and implementation team.
Since organizations are ultimately responsible for their own PQC readiness, or lack thereof, to delay inventory and discovery activities until the new PQC standards are finalized is to invite an inordinate amount of risk to its information security.
The need for early planning is predicated upon the reality that cyber threat actors are targeting encrypted data today – for decryption tomorrow – and crucial data with a lengthy protection lifecycle (Controlled Technical Information and Controlled Unclassified Information nuclear information, for example) will likely be impacted the most.
Regardless of the cyber resiliency of the cryptography in use, the information that adversaries are seeking is already readily accessible, and more so because of the public cloud services that more commercial entities are using.
The era of implicit quantum cryptographic trust and reliance on an iterative standard process is ending. Time is the greatest asset in achieving post–quantum agility and if organizations don’t start now, they will have nothing to show for it when time runs out. In 2024, agencies and organizations will recognize that the time is now to start mapping out cryptographic dependencies by conducting a full system cryptographic inventory. The results of this inventory should then support a risk-driven prioritization effort that identifies business-critical processes and information. We cannot afford to wait until the last minute to be prepared for our post–quantum future.
The time to begin post–quantum readiness is now.
AI Automation Recommended News: InOrbit Brings RobOps to Advanced Robot Simulations Powered by NVIDIA