CISOs have been urged to demand clear post-quantum cryptography (PQC) readiness roadmaps from vendors and partners to combat the looming threat of cryptographically relevant quantum computers.
Quantum computers capable of large-scale cryptographic attacks have yet to be developed, but recent advances mean the threat is moving from theoretical to near-term reality, possibly within five years.
During a panel at this week’s Infosecurity Europe conference, experts urged security professionals to begin transitioning to PQC sooner rather than later, alongside calls to focus on supply chain readiness.
Sufficiently powerful quantum computers would be capable of breaking current asymmetric encryption, undermining the protections that secure financial transactions, sensitive data, and secure communications. Even before the arrival of a sufficiently capable quantum computer (an event sometimes described as Q-Day), adversaries could carry out "harvest now, decrypt later" attacks, collecting encrypted data today in order to decrypt it once such a machine exists.
Preparing for Q-Day
Organizations that handle long-duration secrets, and sectors such as finance, critical infrastructure, healthcare, and telecommunications, are most at risk, the Infosecurity Europe panel agreed.
Karl Holmqvist, founder and chief executive of Lastwall, a provider of quantum-resilient cybersecurity products, told delegates that Q-Day will not be announced and businesses need to take action now in the face of a growing threat.
“An orderly transition will cost less than emergency planning,” Holmqvist said. “It’s like Y2K but without an actual date.”
Encryption methods such as RSA and ECC are considered unbreakable by classical computers because breaking them requires factoring the products of large prime numbers or solving comparably hard problems. Quantum computers, however, are based on a fundamentally different computing architecture and are capable of solving problems intractable to even the most powerful supercomputers, such as breaking widely used encryption methods.
The threat has driven the development of quantum-resistant cryptography algorithms. The US National Institute of Standards and Technology (NIST) approved three post-quantum cryptography (PQC) standards last year for applications including digital signatures and key exchange.
Organizations need to update their cryptographic systems, libraries, and hardware (such as hardware security modules) to support the new standards.
The UK’s National Cyber Security Centre (NCSC) has published guidance for phased migration to quantum-secure systems by 2035.
Examples of early adoption include Google’s quantum-safe digital signatures in Cloud KMS (key management services) and Cloudflare’s commitment to integrate the new PQC standards into their services, but much remains a work in progress.
The IETF is working on revising and standardizing key internet protocols — such as TLS, SSH, and VPNs — to support PQC algorithms, which generally have longer key sizes and tougher performance characteristics.
Some vendors are introducing hybrid PKI solutions to ensure backward compatibility and smooth migration to PQC.
“CISOs need to start asking vendors if they are PQC-ready,” Holmqvist advised.
Daniel Cuthbert, global head of cybersecurity research at Santander, argued quantum advancements are forcing organizations to ask critical questions about where and how cryptography is used, an often overlooked task.
Quantum can be used as the stick that will allow security professionals to get approval to carry out a cryptographic inventory at their organization, alongside projects that will allow them to improve their cryptographic agility more generally, Cuthbert advised.
As a first step, organizations can prepare a cryptographic bill of materials to audit their use of encryption technologies.
No ‘forklift upgrade’ needed
There is a misconception that change is difficult, but the task of modernizing systems to make them PQC-ready can be broken down into chunks, advised Anne Leslie, cloud risk and controls leader for EMEA at IBM.
“Businesses can only go as fast as partners and suppliers,” Leslie cautioned.
Madelein van der Hout, senior analyst at Forrester, who was not on the panel, told CSO that organizations should start to prepare for post-quantum cryptography over a five-year horizon.
Van der Hout acknowledged that businesses have many priorities to balance, so the speed of adoption should be aligned to their risk tolerance, internal business goals, and wider strategy.
For a look at how to get started, see “The CISO’s guide to establishing quantum resilience.”
The original article, "CISOs urged to push vendors for roadmaps on post-quantum cryptography readiness," was published by CSO Online.