Cryptocurrencies are not the only ones concerned about the potential impact of quantum computing on cybersecurity. The National Institute of Standards and Technology (NIST) in the US has been actively working on standardizing protocols through its post-quantum competition since 2017. Additionally, President Biden signed the Quantum Computing Cybersecurity Preparedness Act at the end of last year, and a White House memo has urged US agencies to conduct a cryptographic inventory. Legislation on post-quantum cryptography has also been proposed.
What should businesses do in response to this?
While it may take many years before quantum computing tools become available to the wider cybercriminal community, it is important for organizations to understand their risk level and take steps to protect encrypted data. Only a select few businesses are likely to be targeted by nation-state attackers, so the majority of organizations have little to fear from the advent of quantum computing.
That said, the benefits of quantum computing will outweigh the associated cybersecurity risks. Organizations should establish the risk level of their data and determine the necessary measures to protect it. CISOs or CIOs within the organizations bear the responsibility for this preparation. They should assess the sensitivity and long-term value of the data to determine the appropriate steps to be taken.
According to experts, if the lifespan of the data is short, such as two to three years, there is no immediate cause for concern. However, for data with a lifespan of four to seven years, extending the key lengths to 3072-bit can ensure data security until the 2030s. For data with a lifespan exceeding ten years, such as mortgages or financial instruments, a strategy for the introduction of quantum-safe encryption should be developed.
Preparing for the Post-Quantum World
Ultimately, all organizations need to be ready for the post-quantum era. It is crucial for businesses to start working on their strategies for post-quantum readiness, including the management of cryptographic assets such as certificates, keys, secrets, and crypto libraries.
Implementing organizational changes can be time-consuming, so it is advisable to start early. Past cryptographic transitions, such as the migration from SHA-1 to SHA-2, have proven disruptive and costly for organizations to implement. The transition to post-quantum encryption will be even more complex due to the fundamental differences between quantum cryptography and current cryptographic methods.
There is no simple drop-in replacement for existing encryption methods, as post-quantum algorithms have unique key generation, exchange, encryption, and decryption properties. Each business will have specific steps to take in order to ensure readiness for the quantum era, but every organization must be prepared