As NIST’s post-quantum standards roll out, tech firms are scrambling to future-proof their encryption before the quantum threat becomes reality.
The looming threat of quantum computing poses a fundamental challenge to modern cryptography. Today’s most widely-used cryptographic systems, including RSA and Elliptic Curve Cryptography (ECC), rely on mathematical problems that are computationally intensive for classical computers to solve. RSA’s security, for instance, is based on the difficulty of factoring large numbers, while ECC depends on the discrete logarithm problem.
However, quantum computers, leveraging quantum mechanical principles like superposition and entanglement, could theoretically break these systems with relative ease. In 1994, Peter Shor developed a quantum algorithm that could efficiently factor large numbers and compute discrete logarithms – precisely the mathematical problems that underpin current cryptographic systems. This means that once sufficiently powerful quantum computers are built, they could decrypt data that was encrypted using today’s standard methods.
Particularly concerning is the ‘harvest now, decrypt later’ strategy, where adversaries could be collecting and storing currently encrypted data, waiting for quantum computers to become available to decrypt it. This poses a serious threat to sensitive information that needs to remain confidential for many years, such as government secrets, personal medical records, or corporate intellectual property. Even if quantum computers are still years away, the need to protect against this future threat is immediate and urgent.
With the National Institute of Standards and Technology (NIST) publishing new PQC standards in 2024, it’s more important than ever for companies to begin to prepare themselves for the potential impact of quantum computing on security – especially as Thales research finds that 61% of organisations are yet to define a strategy for a post-quantum world.
Indeed, quantum computing has the potential to enable bad actors to launch brute force attacks against the cryptographic keys used in a majority of today’s encryption methods, compromising our sensitive data.
Here, Technology Magazine hears from security experts on the NIST standards and the importance of being proactive – especially when organisations are facing the next generation of cybersecurity threats.
Full Name: Todd Moore
Job Title: Global Lead for Data Security
Company: Thales
With NIST publishing new PQC standards in August 2024, it’s more important than ever for companies to begin to prepare themselves for the potential impact of quantum computing on security – especially after Thales research found 61% of organisations are yet to define a strategy for a post-quantum world.
Todd Moore is a respected cybersecurity professional, with over 28 years’ experience in helping organisations protect their most sensitive data.
Todd has a deep understanding of security challenges and defence technologies, having spent almost two decades with Harris Corporation. He has a proven track record of developing business cases and market analysis for new security products and delivering them to market. He routinely develops strategies for new product development and execution.
“It is critical for organisations to begin securing their data and infrastructure with these new standards. With risks such as Harvest Now, Decrypt Later attacks where cyber criminals steal and store data in preparation for quantum computing capabilities, it is essential that organisations prepare immediately for this unprecedented cryptographic transformation by adopting crypto agile solutions that support these new Quantum-safe algorithms.”
Full Name: Taher Elgamal
Job Title: ‘The Father of SSL’ and Senior Advisor
Company: SandboxAQ
Cybersecurity threats such as ransomware, Advanced Persistent Threats (APTs) and data leaks are continuously evolving and growing more sophisticated, and are now being powered by advanced AI techniques. Cryptography, being a foundational component of cybersecurity infrastructure, plays a pivotal role in this landscape.
Taher Elgamal is a recipient of the RSA Conference 2009 Lifetime Achievement Award, and he is recognised as the “father of SSL,” the Internet security standard Secure Sockets Layer. Taher has been issued several patents in online security, payments and data compression. Taher founded many companies, including NokNok Labs, InfoSec Global and Securify. He previously was the director of engineering at RSA Security Inc. Prior to that, Taher served as Chief Scientist at Netscape Communications from 1995 to 1998 where he was a driving force behind SSL.
“The NIST PQC Standardisation marks a critical advancement in securing our digital infrastructure. By adopting these standards, we safeguard sensitive data, ensure privacy, and maintain trust in digital communications. This proactive approach not only prepares us for the quantum era but also fortifies our current cybersecurity measures.”
Full Name: Roger Grimes
Job Title: Data-Driven Defence Evangelist
Company: KnowBe4
“Every organisation will be undergoing a huge Y2K-like post-quantum cryptographic migration…whether they realise it or not, that will likely impact every piece of software and firmware they have in their environment protecting critical data. Every organisation, if they have not already done so…and most have not done so…will be creating a multi-year post-quantum migration project involving far more resources than they have experienced in decades.
“NIST has been telling organisations over and over for nearly a decade to create a post-quantum migration project. What was needed for most organisations to care and start creating their very necessary, required, post-quantum project, was THIS announcement.
“NIST announcing the ‘official’ NIST post-quantum standards is the policy equivalent of a long-awaited starter’s pistol firing the shot that allows everyone to start their own post-quantum migration products. Now there is no reason for anyone to not have a post-quantum migration project. The only question now might be why you haven’t already started yours?”
Full Name: Dr Adam Everspaugh
Job Title: Cryptography Expert
Company: Keeper Security
“The finalisation of NIST’s Quantum Resistant Cryptography (QRC) standards is a pivotal step forward in safeguarding digital environments against the threat posed by quantum computing. Quantum computing has the potential to revolutionise various fields but also threatens current public key encryption methods. The primary attack of concern is store-and-crack, where attackers may capture and store encrypted information and web traffic now, and then, when quantum computers are available, break the encryption to read the data that is stored. If this information is still valuable in the future, attackers can use it to exploit sensitive systems.
“At Keeper Security, we are actively tracking these developments and updating our product roadmap to ensure we’re ready to integrate these cryptographic standards as soon as production software libraries fully support them.
“The challenges for IT and security teams are significant, from ensuring compatibility with existing systems to managing the transition of cryptographic keys. However, the urgency of this shift cannot be overstated. The potential for quantum computers to break widely used encryption algorithms is a very real threat that could compromise the security of sensitive data worldwide.”
Full Name: Dr Colin Soutar
Job Title: Managing Director of Deloitte & Touche LLP and Deloitte’s Global Quantum Cyber Readiness Leader
Company: Deloitte
After NIST announced three encryption standards that are believed to be resistant to decryption by quantum computers, it has been estimated that 20 billion digital devices globally will likely need to be upgraded or replaced with quantum-safe alternatives. While quantum computers may not be widely available for another decade, updating cryptographic algorithms is a lengthy process that can also take 10 years or more. Therefore, planning for quantum cyber readiness must begin now.
“Quantum computing could be significantly beneficial to society, delivering breakthroughs in drug discovery and financial modeling, however, quantum computing could also undermine numerous existing public-key encryption methods if realized on a large scale,” Dr Colin Soutar commented.
“For many years, Deloitte has been activating the quantum cyber readiness industry, including collaborating with the World Economic Forum to establish a quantum security program in 2021, and hosting a number of discussions with leaders from both government and industry. We need to look at this topic less about speculating exactly when a CRQC will be available, and more about what organizations can do to prepare for it.”
Full Name: Chris Hickman
Job Title: CSO
Company: Keyfactor
“Security leaders are well aware of the threats to come with quantum computing – with each day we get closer to a quantum computer that could break current encryption methods that every business relies on. Encryption protects everything from banking and retail transactions to valuable business data and does not discriminate.
“With the finalisation of the first suite of NIST cryptographic algorithms, organisations now have the tools to safeguard against the quantum threat. While Q-day may seem years away, security leaders need to keep in mind that AI capabilities increase the need to transition to PQC algorithms.
“The finalisation of NIST’s three of four algorithms marks the starting line in the race to secure against the threat of quantum computers for many – and the preservation of digital trust is on the line. Now, more than ever, it will be vitally important for organisations of all sizes to adequately plan and test for the adoption of these new algorithms, which includes conducting security assessments to verify how prepared their supply chains are to ensure a smooth transition over the coming years.”