The Unpreparedness of Internet Systems for Quantum Safety: A Call to Action
Despite the rising awareness surrounding the risks associated with quantum computing and increasing pressure from various sectors to transition towards post-quantum cryptography (PQC), a significant proportion of internet-facing systems remain ill-equipped for the impending quantum era. This alarming finding emerges from the latest research conducted by Forescout Research – Vedere Labs, which highlights the urgent need for organizations to address this impending threat.
The report, released on [insert publication date], reveals that although there has been a notable acceleration in the adoption of PQC-capable technologies over the past year, the progress is far from uniform across both internet infrastructure and enterprise networks. This uneven pace poses a risk to the overall security of digital communications as quantum computing technology continues to advance.
A striking example of the current state appears in the realm of Secure Shell (SSH) servers. Globally, the number of SSH servers equipped to support post-quantum cryptography has witnessed a significant increase, jumping from approximately 11.5 million to over 19 million within only one year—a staggering 72% rise. Nevertheless, this growth is dampened by the fact that merely 11.8% of these internet-facing SSH servers are currently capable of supporting PQC, rising from just 6.2% the previous year. Consequently, almost 90% of identified SSH servers remain vulnerable to potential attacks from future quantum-enabled technologies.
The situation in the United Kingdom mirrors this global trend. With only 7.2% of SSH servers equipped for PQC, it is clear that the vast majority of internet-facing systems in the country have yet to embark on the necessary transition to quantum-safe cryptography. This lack of preparedness is especially concerning as governments and cybersecurity agencies worldwide continue to issue warnings about the looming threats associated with “harvest now, decrypt later” attacks. These attacks involve the collection of encrypted data today, which can be revisited and decrypted when powerful quantum computers become available in the future.
Signs of Progress But Not Enough
While the research does reveal some positive developments, it underscores that the pace of progress is insufficient. For instance, the adoption of TLSv1.3—currently the only version of the TLS protocol positioned to support post-quantum cryptography—has improved significantly, now operational on 30% of identified internet-facing servers globally, up from 19% last year. In the UK, this figure stands at 31%. However, researchers caution that merely upgrading protocols does not provide a guarantee of quantum readiness. Organizations must also identify and address areas where quantum-vulnerable encryption is still in use throughout their environments.
In enterprise networks, the level of preparedness exhibits dramatic variation between traditional IT assets and cyber-physical systems. Previous analyses from Forescout have shown that while 50% of IT devices can support PQC-capable SSH, the adoption rates sharply decline within operational technology (OT), Internet of Things (IoT), and Internet of Medical Things (IoMT) environments, which are typically more difficult to upgrade and maintain.
Daniel dos Santos, Head of Research at Forescout Research – Vedere Labs, commented on the findings, stating, “While many organizations are aware that quantum computing presents a future cybersecurity challenge, far fewer understand where quantum-vulnerable encryption exists across their environments today.” He emphasizes that inventory management, visibility, and risk prioritization are essential first steps for organizations gearing up for what is likely to be a prolonged migration effort.
Taking Action Towards Quantum Readiness
In response to these alarming findings, Forescout has announced the launch of new Post-Quantum Cryptography Readiness and Encryption Hygiene Dashboards. These tools aim to provide organizations with enhanced insight into their cryptographic posture across various environments, including IT, OT, IoT, and IoMT. The dashboards serve to help security teams identify areas where quantum-unsafe encryption is currently in use and which assets warrant priority attention for remediation.
These capabilities extend beyond traditional cryptographic discovery tools, which merely catalogue protocols and ciphers. Forescout’s dashboards offer organizations a deeper understanding of which encryption gaps pose the most significant risks, both operationally and security-wise.
Paul Kao, Chief Product Officer at Forescout, observes that enterprise security teams are increasingly pressed by boards, regulators, and auditors to demonstrate not just awareness but also tangible progress regarding post-quantum cryptography, long before large-scale migrations become feasible. “Organizations need practical methods to assess their current status, prioritize risks, and exhibit progress over time,” he states.
The Countdown to 2035
Guidance from organizations such as NIST, the G7, and the UK’s National Cyber Security Centre (NCSC) is increasingly indicating a critical window for the widespread adoption of quantum-resistant cryptography from 2030 to 2035. The NCSC’s migration roadmap calls upon organizations to initiate planning and discovery activities now, acknowledging that cryptographic migration across complex systems could span several years.
The latest insights reveal that many organizations have considerable strides yet to make. While the adoption of PQC-capable technologies is indeed on the rise, the overarching reality remains stark: the vast majority of internet-facing systems are still unprepared for the quantum era. For security leaders, the urgent challenge lies in identifying existing vulnerabilities and taking actionable steps toward ensuring a quantum-safe future.