Cybersecurity experts agree that a new era of cryptography is dawning with the advent of quantum computing. Quantum computing is making continuous advances, and Gartner estimates that by 2029 it will be able to weaken existing cryptographic systems to the point that they can no longer be used securely.
NIST has selected the following four methods to replace current algorithms with quantum-secure ones, these are:
CRYSTALS-KYBER (key making) and CRYSTALS-Dilithium (digital signatures) were chosen for their high security and excellent performance.
- FALCON will also be standardized by NIST as there may be use cases for which CRYSTALS dilithium signatures are too large.
- SPHINCS+ will also be standardized to avoid relying solely on lattice-based cryptography for signatures.
In the US numerous US federal agencies have already begun to address this risk. Last May, US President Joe Biden issued a national security memorandum outlining the government’s strategy to address the threats posed by quantum computing. In July 2022, Congress passed the Quantum Computing Cybersecurity Preparedness Act, which legally requires US agencies to improve their cybersecurity to prepare for the threats posed by quantum computing. The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have formed a working group to help organizations protect their data and systems:
As NIST has initiated developing new post-quantum cryptographic standards, organizations should now take stock of their current cryptographic systems and the data they are protecting and prioritize the transition of their systems. These early preparations will ensure a seamless and efficient transition once the new post-quantum cryptographic standards are available.
DHS and NIST have defined the following six steps to help crypto teams with the implementation:
- Organizations should create an inventory of the most sensitive and important datasets that need to be secured over time. This information can be used to analyze which data is at risk of being decrypted by a cryptographically relevant quantum computer in the future.
- To ensure a seamless transition in the future, organizations should also take inventory of all systems using crypto technology.
- Businesses should review which procurement, cybersecurity, and data security regulations must be updated to meet post-quantum requirements.
- Companies should use inventory lists to determine where and why public key cryptography is being used and label those systems as quantum vulnerable.
- Prioritize the cryptographic transition based on the organization’s business divisions, goals and needs.
- Organizations should use inventory and prioritization data to design a transition plan for their systems.
The Concept Of The Crypto Center Of Excellence
For a successful post-quantum strategy, CISOs and other IT security leaders need support from other lines of business. State-of-the-art equipment is ineffective without the right people and processes. Other teams must understand the basics of quantum-safe cryptography so that the IT security team is only partially responsible for securing the digital organization.
According to analysts at Gartner, the most successful strategy for managing and controlling cryptography is to build a knowledgeable central team that formulates the appropriate policies for the organization. This is where the concept of the Cryptographic Center of Excellence (CCoE) comes into play. While those responsible for security and risk management are used to making these decisions, poor management of these measures can have costly and unforeseen consequences.
The CCoE mission can be defined as people, processes and technology. It is about educating and preparing the employees in the business units. In addition, initiatives should be initiated to encourage other business units and communicate the organizational department’s requirements, timelines and needs so that they can be incorporated into the post-quantum transition strategy. Regarding technology, it is about an assessment of the security aspects of each business unit, as well as compliance and crypto requirements.
ALSO READ: Benefits And Risks Of Cloud Computing
Crypto agility is an essential component of CCoE. This is a practice that increases a company’s resilience to crypto threats. It allows organizations to respond quickly and recover from an attack or vulnerability with minimal service disruption.
In the post-quantum era, crypto agility is critical as organizations must protect against quantum attacks on crypto algorithms. The post-quantum era may still be some time away, but companies can already use crypto agility to help avoid expensive follow-up costs in the future.