Answers to these five questions will help security teams defend against attackers in the post-quantum computing era.

Tim Hollebeek, Industry and Standards Technical Strategist at DigiCert

October 29, 2020

3 Min Read

In October 2019, Google announced it had achieved "quantum supremacy" in a Forbes article entitled "Quantum Computing Poses An Existential Security Threat, But Not Today." The Google team had developed a quantum computer that could complete a computation in just over three minutes instead of the 10,000 years it would have taken on a traditional computer.

While large-scale commercial quantum computers today are still probably years away from achieving this landmark quantum benchmark, it's worth noting that cybercriminals with access to a sufficiently capable quantum computer can harness the technology to crack encryption protecting companies' data. The following questions and answers will help you get ready for the coming post-quantum computing (PQC) era.

Question 1: How can my organization prepare for quantum computing?
It's impossible to know where to go without knowing where you currently stand. Measuring your organization's current PQC level of maturity (knowledge of the threat plus action taken so far to mitigate it) is an important start to developing an action plan. Some companies have little to no knowledge and haven't prepared much, if at all, to address the threat, while those at the other end of the spectrum have made major strides in both areas.

In between are organizations that have a vast knowledge of the future threat but haven't taken action yet, those that have some knowledge and have taken some action, and those with advanced knowledge and the beginnings of a plan. Knowing where your organization stands will guide your company's future strategy. One of your most important first steps, once you're familiar with the threat, is to find all the places where cryptography is used within your organization. This allows you to evaluate and prioritize these uses, and develop a plan to replace them.

Question 2: Do my partners and vendors share my mindset?
Get the buy-in of people within your organization, including the executive team, in your quantum computing preparedness efforts, but look beyond your organization as well. Your vendors, partners, and third parties could inadvertently put you at risk if they haven't properly prepared for quantum threats themselves. All the time you've spent quantum-proofing your organization could be undone if the companies you partner with aren't secured against quantum attacks. Don't trust your data and information with these companies until learning if they share your perspective.

Question 3: Are you following encryption management best practices?
Effective encryption management offers insights into all your networks. Look for an encryption management platform that offers comprehensive reporting to ensure current systems are correctly configured and updated. Other useful features include digital certificate automation and full visibility into what's happening with your company's network and connected devices.

Question 4: Does your organization understand — and possess — crypto-agility?
Cryptographic agility, or crypto-agility, doesn't mean using different algorithms for encrypting and other essential functions. Instead, it involves understanding where encryption is used in your organization, how these encryption technologies are deployed, and how to identify and solve problems. This will put you in the right place to act fast when the time comes to replace outdated cryptography using an automated certificate manager.

Question 5: Does your company use Hardware Security Modules?
Hardware Security Modules (HSMs) — often in the form of a plug-in card or external device connected to a computer — have secure crypto processor chips. They protect and manage digital keys and enable companies to create custom keys. Opt for HSMs that can be upgraded to quantum-safe encryption.

Estimates vary on when cybercriminals will begin using quantum computing to challenge today's cryptography. It's clear, though, that software devices and encrypted data developed and used today will still be around when the quantum threat emerges. Tightening data encryption is going to be critical.

About the Author(s)

Tim Hollebeek

Industry and Standards Technical Strategist at DigiCert

Timothy Hollebeek has 19 years of computer science experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He then moved on to architecting payment security systems, with an emphasis on encryption and key management, and wrote the first implementation of AES DUKPT, which is used to derive keys to protect credit card and PIN debit transactions. He remains heavily involved as DigiCert's primary representative in multiple industry standards bodies, including the CA/Browser Forum, IETF, and ANSI X9 striving for improved information security practices that work with real-world implementations. A mathematician by trade, Tim spends a lot of time considering the coming transition to post-quantum cryptography.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights