The looming cybersecurity threat posed by quantum computing has prompted the US government to start pressing for the public and private sectors to adopt stronger encryption standards.
The National Institute of Standards and Technology in late August released the first finalized set of encryption tools designed to withstand cyberattacks from quantum computers—machines exponentially faster and more powerful than those in current use. NIST’s standards include instructions for system administrators on integrating the new encryption algorithms’ code—as well as an emphatic call to start “immediately.”
The Cybersecurity and Infrastructure Security Agency on Sept. 27 publicly released its own guidance for federal agencies on migrating to what’s known as “post-quantum cryptography"—the replacement of old encryption algorithms with versions that are much harder to crack.
The government’s preparation for a new age of cyber threats highlights a sharp contrast between public and private sectors. While cloud infrastructure giants such as
Chief information and cybersecurity officers in business and government alike “have a tremendous amount to do—even if you’re up to par. And if you’re not up to par, you have a tremendous more amount to do as you’re trying to close those gaps,” Matthew Scholl, chief of the Computer Security Division in NIST’s Information Technology Laboratory, told Bloomberg Law. “So the question is, where does this fall in your priorities?”
Migration Ahead
Current encryption systems depend on how hard it is to mathematically find the prime factors of a very big number. Solving these problems takes today’s computers so long that it’s not worth the time and effort for most cybercriminals, explained Sudeep Kesh, chief innovation officer at S&P Global Ratings.
But if breaking a present encryption system’s security would take current computers months, a quantum computer could do it in an hour, Kesh said.
Quantum computing would mainly pose a threat to public-key cryptography systems such as the Rivest-Shamir-Adleman—RSA— and elliptic-curve encryption algorithms, which sign data using a pair of keys. They are broadly used to encrypt data in transit and authenticate customers in online transactions.
“There have been advances that mean the reality of quantum computers is actually no longer just sitting in some physics lab at MIT or IBM or wherever—it’s approaching that commercial world,” said Martin Whitworth, lead cyber risk expert at S&P Global Ratings.
NIST, CISA, and other federal agencies are urging the private sector to start a shift to post-quantum computing encryption standards. They suggest organizations first conduct an inventory to understand which encryption methods they use, where they’re deployed, and for what purposes. That step alone could be overwhelming, cybersecurity professionals warned.
“Cryptography is literally everywhere, in every device, in every piece of software, in every piece of critical infrastructure, and it’s also part of the foundational internet layer. It exists in application protocols,” said Phil Venables, chief information security officer at Google Cloud.
Once organizations have taken stock, fortifying their systems will require time, money, and close coordination with partners across the global supply chain.
“There will be a large amount of IT expenditure by all sorts of organizations,” said Nigel Smart, a researcher and chief academic officer at open-source cryptography company Zama. He added, “Everybody will need to update what they’re doing.”
Smart estimated it could “take maybe five to 10 years” for certain businesses to complete the shift to a more secure footing.
‘Big Disconnect’
Companies’ cybersecurity protocols—and how well they meet industry best practices and government standards—have been put under a microscope amid ever-increasing numbers of cyberattacks and data breach lawsuits.
This heightened scrutiny has shown that even Big Tech giants still can struggle with adhering to current encryption standards: Just last month
It may not be realistic to expect businesses and other organizations to immediately dive into a complete overhaul of security protocols to protect against quantum computing—especially before legally binding requirements have been set, said data privacy, artificial intelligence and cybersecurity lawyer Lily Li, founder of Metaverse Law.
“There is a big disconnect between the NIST standards and what private industry is trying to adopt,” Li said.
Expecting them to quickly shift their focus to post-quantum concerns may be a big leap, according to Li. Companies dealing with sensitive data privacy and security considerations—like those for hospitals and commercial airplanes—are still working to meet emerging government cyber requirements that are already falling behind a fast-evolving threat landscape.
“I do think that it’s important that NIST gives out this guidance, because it is a big risk, and companies need to game plan for it,” Li said. “But as far as our cybersecurity posture, we need to bring everyone up to even the minimum floor. Then let’s work on the next step.”
‘Crypto Agility’
The federal government’s push for the private sector to move to post-quantum computing encryption also includes urging the adoption of a new security infrastructure capable of what it calls “crypto agility"—being able to swap out encryption algorithms or keys as needed.
“We’re about to upgrade the planet for the first time, and it’s going to take a lot of work,” Venables said. “We can do the work in a way that permits the next upgrade to happen easier,” he added.
The concept of crypto agility calls for frequent updates to algorithms and standards as the relatively young branch of mathematics that includes post-quantum cryptography evolves.
“You have to be able to switch your algorithms at a moment’s notice, and you have to be able to know what algorithms you have and be able to assess and replace them,” Smart said.
It also fits within the scope of the Biden administration’s broader efforts to safeguard Americans’ data from foreign adversaries. Adopting more rigorous and sustainable encryption standards now would help protect data with long-term sensitivity or security needs going forward.
The bottom line for private sector organizations, though, is not to ignore the federal government’s calls to begin preparing for the age of quantum computing, cyber professionals said.
“In some sense, the exercise of doing your crypto audit and finding out what you’re using and where is a good thing to do,” Smart said. “And this post-quantum transition is forcing people to do what they should have been doing for the last 30 years anyway.”
To contact the reporter on this story:
To contact the editors responsible for this story: