Quantum Computing: A Looming Threat to Organizations and Nation States

"Preparing for a Post-Quantum World" is the topic of a panel presentation at SecureWorld Denver on September 19, and with good reason. Quantum computing poses a potential threat to current cybersecurity practices, which are based on encryption algorithms that can be broken by quantum computers.

Quantum computing uses the principles of quantum mechanics to perform calculations that are exponentially faster than what is possible with traditional computers. This is why "quantum readiness" is a fairly new buzz term, referring to the ability of an organization to protect its data and systems from the threats posed by quantum computing.

As for the panel presentation at SecureWorld Denver, it features Edgar Acosta, Experienced Cybersecurity Professional (former CISO at DCP Midstream); Craig Hurter, Sr. Director of Information Security, State of Colorado Governor's Office of Information Technology; and Toby Zimmerer, Sr. Demand and Delivery Director, Optiv.

The panel will tackle topics and questions, including:

• The potential risks quantum computing poses to current cryptographic methods. When will these risks come to fruition, and who are the main threat actors?
• Industry standards organizations, such as NIST and ISO, are developing standards and frameworks for addressing quantum ready algorithms and management frameworks. What perspectives do you have on these proposed quantum standards and frameworks, and how do you see organizations adopting these new approaches into an their current operating model?
• We, as cybersecurity professionals, tend to focus on the potential risks and threats posed by quantum computing, yet cybersecurity is only a part of the equation when we look at quantum across an organization as a whole. This begs the question: Is quantum computing a cybersecurity problem? Is it a business problem? Is it compliance problem?
• Cryptography vendors are proposing new solutions that are slated to be ready for the "post-quantum" world. How effective will these proposed technology solutions be against quantum computing, and what are the potential challenges with adopting these new cryptographic solutions and algorithms?
• Organizations continue to move forward even as the current state and future state security concerns, such as quantum, are identified. What should organizations consider doing and prioritizing as they continue on their journey forward? (Future proofing, broader cyber controls to build and extend layers, plan and prepare, etc.)

We asked a handful of cybersecurity vendor experts their thoughts on quantum computing and quantum readiness.

Dr. Adam Everspaugh, Cryptography Expert at Keeper Security, said:

"Although a post-quantum apocalypse sounds like the plot from a science-fiction thriller, the threat posed by adversarial cryptanalytically-relevant quantum computers should not be taken lightly. CISA, the NSA, and NIST's readiness document is a positive step forward for national prioritization and broader awareness of the threats that quantum computing could pose to modern cybersecurity.

Quantum computers that can break modern cryptography are likely to be a reality within the next decade and the superiority of quantum computing capabilities is anticipated to pose a very real threat to nation-states, organizations, and individuals alike. Quantum computers theoretically have the potential to break public key cryptography, including RSA and elliptic curve cryptography, by efficiently solving the underlying hardness problems on which these cryptosystems rely. To address this risk, academic researchers have proposed quantum-resistant cryptography and NIST is working to standardize secure, safe versions.

The next practical steps for the cybersecurity industry are to monitor NIST's progress and watch for these finalized versions, as well as for production software library support. Then, the industry must design and integrate these new cryptographic standards. This process may take a year or more, which is why attention and investment must happen now, and not when it's already a critical problem. The multi-agency call for organizations and the cybersecurity community to put this on their roadmaps helps ensure the industry is prepared when that time comes."

Glenn Kapetansky, Senior Principal & Chief Security Officer, Trexin:

"For those who predict that quantum computing will break InfoSec, I want to point out that very smart people have been working equally long on next-gen cyber techniques that work in a post-quantum computing world. I don't mean to sound complacent; my point is that even now, you can and should engage your vendors in a discussion of their post-quantum plans."

Jon Paterson, CTO at Zimperium:

"As technology continues to improve, and cryptography evolves, it is important that organizations not just consider the specific cryptographic standard in use, both in a pre- and post-quantum world, but also the larger security architecture of their crypto key management. Ultimately, regardless of how standards and technology continue to evolve and adapt, the shortest way to break encryption is to obtain the key. Protecting the key, both at rest and in use, is part of a larger security strategy in how to implement cryptography into any application. Organizations need to consider the overall security architecture, and use cryptographic approaches that are appropriate for the technology and use cases, but also protect them and the keys at rest and in use, as well."

Philip George, Executive Technical Strategist, Merlin Cyber:

"The memo's key takeaway for IT and OT system owners is not to delay the establishment of an integrated planning and implementation team. This team should be comprised of cyber specialists, data stewards, and post-quantum cryptography (PQC) vendors with the goal of developing a risk-informed prioritization and implementation plan to adopt PQC approved algorithms. The need for early planning is predicated upon the reality that cyber threat actors are targeting encrypted data today for decryption tomorrow, and data with a lengthy protection lifecycle will be impacted the most."

Sounil Yu, Chief Information Security Officer at JupiterOne:

"There are many who believe that it will be at least a decade or more before quantum computers are practical and affordable to break strong encryption that is currently being used. Nevertheless, organizations should take action today on crypto-agility initiatives to ensure that they can easily swap out cryptographic trust anchors. Irrespective of when quantum computers become capable of breaking today's encryption, crypto-agility is a capability that is required these days. It's something that organizations can place emphasis on now because we've already suffered failures of our cryptographic trust anchors. This reveals how painful of an exercise it can be without a lifecycle understanding of our cryptographic components."

There are a number of things that organizations can do to improve their quantum readiness, including:

• Evaluating their current cybersecurity posture and identifying areas where they are vulnerable to quantum attacks
• Migrating to post-quantum cryptography, which is a new generation of encryption algorithms that are resistant to attack by quantum computers
• Investing in quantum-safe technologies, such as quantum-resistant hardware and software
• Educating their employees about quantum security risks and best practices

By taking these steps, organizations can help to protect themselves from the threats posed by quantum computing and ensure the continued security of their data and systems.

There are several methods bad actors can deploy via quantum computing to attack organizations of all sizes, including:

• Breaking the encryption used to protect sensitive data, such as financial information and medical records
• Cracking passwords and other authentication methods
• Forging digital signatures and other security tokens
• Attacking the underlying infrastructure of the internet, such as the Domain Name System (DNS)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) created this fact sheet to inform organizations—especially those that support critical infrastructure—about the impacts of quantum capabilities, and to encourage early planning for migration to post-quantum cryptographic standards by developing a quantum-readiness roadmap.

A snippet from the fact sheet:

"Having an inventory of quantum-vulnerable systems and assets enables an organization to begin the quantum risk assessment processes, demonstrating the prioritization of migration. Lead by an organization's Information Technology (IT) and Operational Technology (OT) procurement experts, the inventory should include  engagements with supply chain vendors to identify technologies that need to migrate from quantum-vulnerable cryptography to PQC."