Organizations soon need to transition to quantum-safe encryption to address new cybersecurity threats. Here’s how businesses can prepare.

Security experts and scientists predict that quantum computers will one day be able to break commonly used encryption methods, rendering email, secure banking, cryptocurrencies, and communications systems vulnerable to significant cybersecurity threats. Organizations, technology providers, and internet standards will therefore soon be required to transition to quantum-safe encryption. Against this backdrop, NATO has begun testing quantum-safe solutions to investigate the feasibility and practicality of such technology for real-world implementations, while the National Institute of Standards and Technology (NIST) launched a competition to identify and standardize quantum-safe encryption algorithms.

Significant threats posed by quantum computing

The potential threats posed by a quantum future are considerable, assuming quantum computers reach their estimated potential. “The primary threat is to public-key encryption, which is based on certain one-way mathematical functions – easy to compute one way, but very difficult to solve in the other direction,” Alan Woodward, cybersecurity expert and visiting professor at the University of Surrey’s Department of Computer Science, tells CSO. “This is because of an algorithm first published by Peter Shor. Shor’s algorithm has since been generalized and shown to apply to any of the mathematical problems known as the hidden subset problems.”

Andersen Cheng, CEO of UK-based tech firm Post-Quantum – whose hybrid VPN was successfully used by the NATO Cyber Security Centre to test secure post-quantum communication flows – concurs, adding that quantum computers are a “mega threat” that organizations and cybersecurity teams need to switch their attention to.
“It has been theoretically proven that as quantum computers develop, they will be able to break today’s encryption standards (RSA/Elliptic Curve), which safeguard virtually all data flowing over networks,” he tells CSO. This poses an existential threat to digital commerce, secure communications, and remote access, Cheng adds. “When the day comes that quantum computers mature to the point where they are more powerful than classical computers (often referred to as Y2Q), everyone’s data will be at risk of theft and exploitation, potentially with unimaginably dire consequences – think of the shutting off of entire power grids and emptying bitcoin wallets. Even before Y2Q arrives, it is known that some bad actors are already harvesting data today so they can decrypt it later when quantum computing has advanced further.”

Quantum-safe encryption key to addressing quantum threats

Quantum-safe encryption is key to addressing the quantum-based cybersecurity threats of the future, and Woodward predicts that a NIST candidate will eventually emerge as the new standard used to protect virtually all communications flowing over the internet, including browsers using TLS. “Google has already tried experiments with this using a scheme called New Hope in Chrome,” he says.

Post-Quantum’s own encryption algorithm, NTS-KEM (now known as Classic McEliece), is the only remaining finalist in the code-based NIST competition. “Many have waited for NIST’s standard to emerge before taking action on quantum encryption, but the reality now is that this could be closer than people think, and the latest indication is that it could be in the next month,” says Cheng. Very soon, companies will need to start upgrading their cryptographic infrastructure to integrate these new algorithms, which could take over a decade, he says.
“Microsoft’s Brian LaMacchia, one of the most respected cryptographers in the world, has summarized succinctly that quantum migration will be a much bigger challenge than past Windows updates.”

Getting ahead in the quantum-safe encryption race

Pending NIST’s decision on which algorithms will become the new standard, there are things organizations can and should be doing to get ahead. For Woodward, understanding what data has the longest life and, if necessary, seeking advice on how this might be at risk at some future date is a sound starting point.

Cheng echoes similar sentiments, adding that if companies are struggling with where to start, they should focus on identity. “You could secure all of your encryption, but if someone can access your identity system, then it doesn’t matter what else you do. Your systems will think they are the right person, so they can gain ‘legitimate’ access to your systems and infrastructure.”

Cheng advises setting up Y2Q migration as a bespoke project and giving it the firepower it needs as, like any large IT program, migrating to a post-quantum world will need a dedicated team and resources to ensure success and a smooth transition. This team will need to take stock of where cryptography is deployed today across the organization and map out a migration path that prioritizes high-value assets, whilst also identifying any expected impact on operational systems, he says. “You’ll also need to ensure that you have the skills on board to execute the quantum migration.”

From there, businesses should adopt a “crypto-agile” approach when thinking about any infrastructure overhaul. “Practicing crypto agility means that organizations use solutions that keep the tried and tested classical cryptography we use today alongside one or more post-quantum algorithms, offering greater assurance against both traditional attacks and future threats,” Cheng says.
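
One common way to run classical and post-quantum cryptography side by side is a hybrid key derivation, sketched here as an added example that is not from the article or from any vendor it mentions. The function names, the `hybrid-example-v1` label and the sample secrets are assumptions constructed for illustration; in a real deployment the two inputs would come from an actual ECDH exchange and an actual post-quantum KEM.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF from RFC 5869 with SHA-256: extract a PRK, then expand it."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("invalid output length for HKDF-SHA256")
    # Extract: an empty salt is replaced by HASH_LEN zero bytes, per the RFC.
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from a classical and a post-quantum shared secret.

    Both inputs feed the derivation, so an attacker who recovers only one of
    them (for example by breaking the classical exchange later) still lacks
    the session key.
    """
    if not classical_ss or not pq_ss:
        # Fail closed: never fall back silently to a single algorithm.
        raise ValueError("both shared secrets are required")
    # Length-prefix each secret so the concatenation is unambiguous.
    framed = b"".join(len(s).to_bytes(2, "big") + s for s in (classical_ss, pq_ss))
    # Bind the key to the negotiated algorithms and handshake transcript.
    return hkdf_sha256(framed, salt=b"", info=b"hybrid-example-v1|" + transcript)


if __name__ == "__main__":
    # Constructed stand-ins for real key-exchange outputs (no ECDH or KEM is run).
    ecdh_ss = hashlib.sha256(b"constructed classical ECDH secret").digest()
    kem_ss = hashlib.sha256(b"constructed post-quantum KEM secret").digest()
    transcript = b"algs=ECDH+PQ-KEM;client_hello;server_hello"  # hypothetical label
    print(hybrid_session_key(ecdh_ss, kem_ss, transcript).hex())
```

Because the algorithm names are part of the `info` input, swapping in a different post-quantum scheme later changes the derived keys without changing the combiner itself.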