Organizations will soon need to transition to quantum-safe encryption to address new cybersecurity threats. Here’s how businesses can prepare.

Security experts and scientists predict that quantum computers will one day be able to break commonly used encryption methods, rendering email, secure banking, cryptocurrencies, and communications systems vulnerable to significant cybersecurity threats. Organizations, technology providers, and internet standards will therefore soon be required to transition to quantum-safe encryption. Against this backdrop, NATO has begun testing quantum-safe solutions to investigate the feasibility and practicality of such technology for real-world implementations, while the National Institute of Standards and Technology (NIST) launched a competition to identify and standardize quantum-safe encryption algorithms.

Significant threats posed by quantum computing

The potential threats posed by a quantum future are considerable, assuming quantum computers reach their estimated potential.

“The primary threat is to public-key encryption, which is based on certain one-way mathematical functions – easy to compute one way, but very difficult to solve in the other direction,” cybersecurity expert and visiting professor at the University of Surrey’s Department of Computer Science Alan Woodward tells CSO. “This is because of an algorithm first published by Peter Shor. Shor’s algorithm has since been generalized and shown to apply to any of the mathematical problems known as the hidden subset problems.”

Andersen Cheng, CEO of UK-based tech firm Post-Quantum – whose hybrid VPN was successfully used by the NATO Cyber Security Centre to test secure post-quantum communication flows – concurs, adding that quantum computers are a “mega threat” that organizations and cybersecurity teams need to switch their attention to.
“It has been theoretically proven that as quantum computers develop, they will be able to break today’s encryption standards (RSA/Elliptic Curve), which safeguard virtually all data flowing over networks,” he tells CSO. This poses an existential threat to digital commerce, secure communications, and remote access, Cheng adds. “When the day comes that quantum computers mature to the point where they are more powerful than classical computers (often referred to as Y2Q), everyone’s data will be at risk of theft and exploitation, potentially with unimaginably dire consequences – think of the shutting off of entire power grids and emptying bitcoin wallets. Even before Y2Q arrives, it is known that some bad actors are already harvesting data today so they can decrypt it later when quantum computing has advanced further.”

Quantum-safe encryption key to addressing quantum threats

Quantum-safe encryption is key to addressing the quantum-based cybersecurity threats of the future, and Woodward predicts that a NIST candidate will eventually emerge as the new standard used to protect virtually all communications flowing over the internet, including browsers using TLS. “Google has already tried experiments with this using a scheme called New Hope in Chrome,” he says.

Post-Quantum’s own encryption algorithm, NTS-KEM (now known as Classic McEliece), is the only remaining finalist in the code-based NIST competition. “Many have waited for NIST’s standard to emerge before taking action on quantum encryption, but the reality now is that this could be closer than people think, and the latest indication is that it could be in the next month,” says Cheng. Very soon, companies will need to start upgrading their cryptographic infrastructure to integrate these new algorithms, which could take over a decade, he says.
“Microsoft’s Brian LaMacchia, one of the most respected cryptographers in the world, has summarized succinctly that quantum migration will be a much bigger challenge than past Windows updates.”

Getting ahead in the quantum-safe encryption race

Pending NIST’s decision on which algorithms will become the new standard, there are things organizations can and should be doing to get ahead. For Woodward, understanding what data has the longest life and, if necessary, seeking advice on how this might be at risk at some future date is a sound starting point.

Cheng echoes similar sentiments, adding that if companies are struggling with where to start, they should focus on identity. “You could secure all of your encryption, but if someone can access your identity system, then it doesn’t matter what else you do. Your systems will think they are the right person, so they can gain ‘legitimate’ access to your systems and infrastructure.”

Cheng advises setting up Y2Q migration as a bespoke project and giving it the firepower it needs as, like any large IT program, migrating to a post-quantum world will need a dedicated team and resources to ensure success and a smooth transition. This team will need to take stock of where cryptography is deployed today across the organization and map out a migration path that prioritizes high-value assets, whilst also identifying any expected impact on operational systems, he says. “You’ll also need to ensure that you have the skills on board to execute the quantum migration.”

From there, businesses should adopt a “crypto-agile” approach when thinking about any infrastructure overhaul. “Practicing crypto agility means that organizations use solutions that keep the tried and tested classical cryptography we use today alongside one or more post-quantum algorithms, offering greater assurance against both traditional attacks and future threats,” Cheng says.
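
The hybrid idea in the crypto-agility passage above can be sketched as a key combiner: the session key is derived from both a classical and a post-quantum shared secret, so it stays safe as long as either one holds. This is an added example, not code from the article or from any vendor it mentions; feeding length-prefixed secrets into HKDF is one common construction and is an assumption here, and the function names, suite label and sample secrets are hypothetical and constructed.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_session_key(suite_id: str, secrets: list[bytes], transcript: bytes) -> bytes:
    """Derive one session key from every component shared secret.

    Each secret is length-prefixed so the boundary between the classical and
    post-quantum parts is unambiguous. The suite name and a hash of the
    handshake transcript are bound into the key, so two peers that disagree
    on the algorithm combination end up with different keys.
    """
    if len(secrets) < 2 or any(len(s) == 0 for s in secrets):
        raise ValueError("hybrid mode needs two or more non-empty shared secrets")
    ikm = b"".join(len(s).to_bytes(4, "big") + s for s in secrets)
    info = b"hybrid-demo|" + suite_id.encode() + b"|" + hashlib.sha256(transcript).digest()
    return hkdf_sha256(ikm, salt=b"", info=info)

# Constructed sample values standing in for the outputs of a real classical
# key exchange and a real post-quantum KEM (assumptions, not real key material).
CLASSICAL_SS = bytes.fromhex("11" * 32)
PQ_SS = bytes.fromhex("22" * 32)
TRANSCRIPT = b"client-hello|server-hello (constructed)"

if __name__ == "__main__":
    key = hybrid_session_key("classical+pq-demo", [CLASSICAL_SS, PQ_SS], TRANSCRIPT)
    print(key.hex())
```

Because the suite label is an input rather than hard-coded, adding or swapping a post-quantum component is a configuration change on both peers rather than a redesign of the key derivation.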