Infosecurity Europe: Address Security Concerns in Procurement Now, Bec

Security experts and industry leaders are facing an urgent call to action regarding the transition to post-quantum cryptography (PQC). Rik Ferguson, Vice President of Security Intelligence at Forescout, expressed significant concerns during his address at Infosecurity Europe on June 3, emphasizing the critical need for organizations to accelerate their plans in this arena. He highlighted that merely 8% of SSH servers globally currently support PQC, a figure that has only marginally increased by 2% over the past year. This stagnation raises critical questions about organizational preparedness for the inevitable advancements in quantum computing.

Ferguson underlined a fundamental dilemma, framing it not as a question of "when will quantum day arrive?" but rather, "will organizations be ready when the moment comes?" He urges leaders to begin their journey towards quantum readiness. This perspective is echoed by new research from EY, which reveals that while 87% of business leaders anticipate significant disruption from quantum computing by 2030, only 35% have prioritized it strategically for the next five years. Interestingly, 59% of these leaders doubt that quantum technology will mature sufficiently before 2030.

From a security vantage point, the timeline to cryptographically relevant quantum computers (CRQCs) is more pressing than many realize. Ferguson mentioned that U.S. agencies, such as the National Security Agency (NSA), have been alerting organizations about the potential for harvest-now-decrypt-later (HNDL) attacks since 2021. These attacks involve the collection of encrypted data with the intention of decrypting it later, once quantum capabilities allow for such actions.

Ferguson’s discussion referenced the notorious Snowden leaks, suggesting that both the U.S. and its adversaries are currently amassing encrypted data in anticipation of future advancements in quantum computing. The classified Muscular and Tempora programs, collaborations between U.S. and UK intelligence agencies, further demonstrate the significant surveillance operations underway. Ferguson posits that similar operations are likely being conducted by countries such as China, given past incidents of extensive internet traffic redirection.

Moreover, Ferguson pointed out the ongoing efforts by actors such as Salt Typhoon, which may involve the theft of encrypted data as part of long-term strategies. He cautioned that many of the greatest threats in cybersecurity are those that remain hidden or unacknowledged. Although HNDL schemes remain unconfirmed, Ferguson insists that the capabilities for executing such malign activities are documented and credible.

In light of these revelations, businesses are urged to begin planning for PQC immediately. Although HNDL risks primarily target long-lived data, the clock is ticking, and proactive measures are essential. A roadmap from a G7 Cyber Expert Group, published in January, echoed this urgency. However, the timeline provided indicates that essential planning phases, including strategy development, inventory assessments, and migration processes, are not projected to commence until 2028-2029—coinciding with IBM’s commitment to launch its Starling fault-tolerant quantum computer.

With the countdown to quantum day rapidly approaching, Ferguson outlined three critical actions that organizations should undertake without delay:

  1. Asset Inventory: Companies must thoroughly catalog all encryption-dependent assets within their networks. This involves identifying what is on the network, its functions, and whether it is compatible with PQC. A continuous, real-time visibility approach is essential for maintaining an accurate understanding of cryptographic resources.

  2. Procurement Process: Organizations must incorporate cybersecurity considerations into their procurement processes. Ensuring that every purchase is evaluated through the lens of quantum readiness allows for seamless integration of security measures at scale, effectively addressing potential vulnerabilities without necessitating a standalone program.

  3. Crypto Agility: Businesses should develop capabilities for crypto agility, which might include transitioning to protocols such as TLS 1.3 that are compatible with PQC standards. This does not require immediate changes to existing ciphers; rather, it emphasizes the establishment of a flexible framework that can accommodate future advancements.
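For the asset-inventory step, one way to record whether an SSH server is PQC-compatible is to read the key-exchange list it advertises in its SSH_MSG_KEXINIT message (RFC 4253). The Python below is an added example, not code from the talk or this article; the host names and payloads are constructed, and the `PQC_KEX` set is an assumption listing hybrid key-exchange names shipped by OpenSSH that should be extended as standards evolve.

```python
import struct

SSH_MSG_KEXINIT = 20
# Assumption: hybrid post-quantum key-exchange names shipped by OpenSSH.
PQC_KEX = {
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
    "mlkem768x25519-sha256",
}

def parse_kex_algorithms(payload: bytes) -> list[str]:
    """Return the kex_algorithms name-list from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 17  # 1-byte message type + 16-byte cookie
    (length,) = struct.unpack_from(">I", payload, offset)
    offset += 4
    if offset + length > len(payload):
        raise ValueError("truncated kex_algorithms name-list")
    names = payload[offset:offset + length].decode("ascii")
    return names.split(",") if names else []

def assess(host: str, payload: bytes) -> dict:
    """Build one inventory record: which advertised key exchanges are PQC hybrids."""
    kex = parse_kex_algorithms(payload)
    offered = [k for k in kex if k in PQC_KEX]
    return {"host": host, "pqc_ready": bool(offered), "pqc_kex": offered}

def build_kexinit(kex: list[str]) -> bytes:
    """Construct a sample KEXINIT payload (fixture, not captured traffic)."""
    def name_list(items):
        raw = ",".join(items).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16) + name_list(kex)
    body += b"".join(name_list([]) for _ in range(9))  # other 9 name-lists left empty
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample hosts and advertised algorithm lists.
SAMPLES = {
    "bastion.example": build_kexinit(
        ["mlkem768x25519-sha256", "sntrup761x25519-sha512@openssh.com",
         "curve25519-sha256", "kex-strict-s-v00@openssh.com"]),
    "legacy-nas.example": build_kexinit(
        ["diffie-hellman-group14-sha256", "ecdh-sha2-nistp256"]),
}

def inventory() -> list[dict]:
    return [assess(host, payload) for host, payload in SAMPLES.items()]

if __name__ == "__main__":
    for record in inventory():
        print(record)
```

In a real inventory the payload would come from the first key-exchange packet each server sends after the version banner, with the packet length and padding framing removed.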

In summary, as the quantum computing landscape evolves and presents new challenges, organizations must prioritize the integration of post-quantum cryptography into their strategic frameworks. By taking decisive action now, businesses can ensure they are prepared for the shifts that lie ahead in the cryptographic arena, safeguarding their data against the potential threats posed by future technologies.
