Cybersecurity In-Depth

The Edge

Keep Today's Encrypted Data From Becoming Tomorrow's Treasure

Building quantum resilience requires C-suite commitment, but it doesn't have to mean tearing out existing infrastructure.

You may feel that encrypting data with current technology will offer robust protection. Even if there is a data breach, you may presume the information is secure. But if your organization works with data with a "long tail" — that is, its value lasts years — you'd be wrong.

Fast forward five to 10 years from now. Quantum computers — which use quantum mechanics to run operations millions of times faster than today's supercomputers can — will arrive and will be able to decrypt today's encryption in minutes. At that point, nation-state actors simply have to upload the encrypted data that they've been collecting for years into a quantum computer, and in a few minutes, they will be able to access any part of the stolen data in plaintext. This type of "harvest now, decrypt later" (HNDL) attack is one of the reasons why adversaries are targeting encrypted data now. They know they can't decrypt the data today but will be able to tomorrow.

Even though the threat of quantum computing is some years away, the risk exists today. It is for this reason that US President Joe Biden signed a National Security Memorandum requiring federal agencies, defense, critical infrastructure, financial systems, and supply chains to develop plans to adopt quantum-resilient encryption. President Biden setting the tone for federal agencies serves as an apt metaphor — quantum risk should be discussed, and risk mitigation plans developed, at the leadership (CEO and board) level.

Take the Long-Term View

Research analyst data suggests the typical CISO spends two to three years at a company. This leads to potential misalignment with a risk that is likely to materialize in five to 10 years. And yet, as we see with government agencies and a host of other organizations, the data you generate today can provide adversaries with tremendous value in the future once they can access it. This existential problem will likely not be tackled solely by the person in charge of security. It must be addressed at the highest business leadership levels owing to its critical nature.

For this reason, savvy CISOs, CEOs, and boards should address the quantum computing risk problem together, now. Once the decision to embrace quantum-resistant encryption is made, the questions invariably become, "Where do we start, and how much will it cost?"

The good news is it doesn't have to be a painful or costly process. In fact, existing quantum-resilient encryption solutions can run on existing cybersecurity infrastructure. But it is a transformational journey — the learning curve, internal strategy and project planning decisions, technology validation and planning, and implementation all take time — so it is imperative that business leaders begin preparing today.

Focus on Randomizing and Key Management

The road to quantum resilience requires commitment from key stakeholders, but it is practical and does not usually require ripping-and-replacing existing encryption infrastructure. One of the first steps is to understand where all of your critical data resides, who has access to it, and what protection measures are currently in place. Next, it is important to identify which data is most sensitive and what its sensitivity lifetime is. Once you have these data points, you can develop a plan to prioritize the migration of the data sets to quantum-resilient encryption.

Organizations must give thought to two key points when considering quantum-resilient encryption: the quality of the random numbers used to encrypt and decrypt data and the key distribution. One of the vectors quantum computers could use to crack current encryption standards is to exploit encryption/decryption keys that are derived from numbers that are not truly random. Quantum-resistant cryptography uses longer encryption keys and, most importantly, ones that are based on truly random numbers so they can't be cracked.

Second, the typical company has several encryption technologies and key-distribution products, and management is complex. Consequently, to reduce the reliance on keys, often only large files are encrypted, or, worse yet, lost keys leave batches of data inaccessible. It is imperative that organizations deploy high-availability, enterprise-scale encryption key management to enable a virtually unlimited number of smaller files and records to be encrypted. This results in a significantly more secure enterprise.

Quantum-resistant encryption is no longer a "nice to have." With every passing day, risk is mounting as encrypted data is stolen for future cracking. Happily, unlike quantum computing, it does not require a huge investment, and the resulting risk reduction is almost immediate. Getting started is the hardest part.