Preparing for the quantum migration
Imagine a nations' entire energy infrastructure going offline, bank accounts emptied, and military systems turned against the very people they are protecting. This apocalyptic scenario may seem like it only exists in the realm of Netflix Original movies; however, it may be closer to reality than we'd like to admit.
Quantum computers capable of cracking today’s encryption standards, which protect industries from finance to defence, are commercially available, with functional machines with code-breaking capability likely to be operational within the next five years. This once in a generation event will render the entire world’s data vulnerable to theft and exploitation.
Compared with today’s machines, quantum computers are capable of perfoming vast amounts of computations in parallel rather than solving one problem at a time. As such, quantum computers can derive knowledge from very limited datasets, which will allow them to break encryption. Those working in sensitive industries such as drug discovery or as the custodian of financial assets are at risk of a ‘harvest-decrypt’ attack — where a rouge nation-state or individual can steal data today to decrypt it with a quantum computer once they have been deployed. Now is the time to prepare governments and businesses for the quantum threat.
Mitigating the quantum threat
More than four years ago, the National Institute of Technology (NIST) launched a global competition to develop new algorithms that will withstand the quantum threat. Since then, immense progress has been made — it is expected that a new encryption standard will be ready in early 2022 that will eventually replace today’s standards.
Post-Quantum’s proposal is one of four finalists in the encryption and key exchange category and the only finalist in the code-based sub-category. While it might be likely this algorithm protects the world’s data in the years to come, there are practical steps that can be taken now to prepare for the quantum threat.
Leverage a quantum-safe VPN
To protect data flowing between businesses and their staff — who are likely to remain working from home for the foreseeable future — a hybrid, quantum-safe VPN is a good option. Recently, the Internet Engineering Taskforce (IETF) developed a set of specifications for such VPN products, with our team playing a central role in the original creation and development of those specifications.
Crypto-agile and supporting the hybrid key establishment that enables post-quantum algorithms to work alongside today’s standards, the IEFT specifications ensure users are protected from traditional threats. It also provides for the negotiation of one, or more than one post-quantum key establishment schemes for those organisations seeking a double layer of post-quantum cryptography. While these solutions are beginning to emerge, be aware that choosing a backward-compatible product will be the best option for limiting disruption.
Practice crypto-agility
Recommended by the NSA and NIST, crypto-agility enables organisations to leverage alternative cryptographic algorithms without the need for infrastructure change. Crypto-agility means classic cryptosystems we use today, such as RSA, can run alongside one or more post-quantum algorithms. We do expect some organisations will apply more than one post-quantum algorithm concurrently to enhance security.
Prioritise your Y2Q crypto-migration project now
An event like year to quantum (Y2Q) —when quantum computers reach the point of cracking encryption — only happens once every few decades. It will need a dedicated team, resources and a comprehensive project plan. The first step should be taking an inventory of where cryptography is deployed today across the organisation to set out a path that prioritises high-value assets whilst identifying any expected impact on operational systems. A communication plan is also needed so developers and application managers can take ownership of the cryptography operating in their domain.
Organisations, whether businesses or governments, that have become quantum-safe will avoid last-minute firefighting and secure the likely post-quantum talent vacuum we’re likely to see. Don’t become a Netflix disaster movie victim.
Author:
Andersen Cheng is the CEO of Post-Quantum, a start-up working to develop and commercialise quantum-safe encryption and identity solutions. Previous roles include Head of Credit Risk at JP Morgan, Head of Corporate Development at LabMorgan (JP Morgan’s FinTech investment unit) and also COO of the Carlyle Group’s European Venture Fund. More recently, Andersen ran TRL, which was the only provider of top secret grade hardware crypto solutions to the British government – TRL was subsequently sold to L-3, the US Defence Group.
Laura Foster
Laura is techUK’s Associate Director for Technology and Innovation.