Virtualization Technology News and Information
Merlin Cyber 2024 Predictions: Post-Quantum Cryptography Will Divide Organizations into Two Groups - Prepared and Unprepared


Industry executives and experts share their predictions for 2024. Read them in this 16th annual series exclusive.

By Philip George, Executive Technical Strategist, Merlin Cyber

This year, CISA, the NSA, and NIST have been leading the charge on Post-Quantum Cryptography (PQC) initiatives, publishing fact sheets and other helpful resources to address threats posed by quantum computing. Next year, NIST is set to publish its first set of PQC standards. This is an early step towards preparing federal agencies as well as private companies to adopt new encryption standards that are designed to protect systems from being vulnerable to advanced decryption techniques fueled by quantum computers. However, the need for this shift is much more immediate than much of the language and rhetoric currently surrounding PQC might suggest. In 2024, we will see a clear divide between companies and government agencies taking this threat seriously and beginning the proper preparations, and those that will find themselves sorely behind the eight ball.

NSA and other authorities have previously said the quantum risk is feasible by at least 2035. Commercial quantum computers do indeed exist today, although they have yet to demonstrate the projected computational scale without significant limitations. However, it is only a matter of time before our Years to Quantum (Y2Q) become months and days - not years.

Quantum computing carries very serious implications for cryptography, the foundation upon which functionally all modern cybersecurity relies. It renders most (asymmetric) cryptography ineffective, leaving sensitive data and critical systems exposed to anyone with the capability. The cryptography that many enterprises and public sector organizations currently rely on is trivialized by quantum computing, a capability that is truly just over the horizon for the more sophisticated and well-financed quantum operations, including those in state-sponsored cyber espionage groups.

Impending cryptanalytically relevant quantum computer (CRQC) capabilities should serve as a wake-up call for those in the IT & cybersecurity community who consider quantum computing to be in our distant future. We need to be careful that the forward-looking term "post," which has become synonymous with quantum computing, does not lead us down a precarious path of complacency. This threat is much closer than most realize.

In 2023, we've seen that organizations are hesitant and apprehensive to accept the threat as a reality without clear indication of relevancy to their business outcomes, hindering any actionable progress from occurring. There is an inherent gap in understanding the magnitude of the threat and specific connection to private and public entities alike.

The key takeaway for IT and OT system owners should be the critical need to establish an integrated quantum planning and implementation team.

Since organizations are ultimately responsible for their own PQC readiness, or lack thereof, delaying inventory and discovery activities until the new PQC standards are finalized invites an inordinate amount of risk to their information security.

The need for early planning is predicated upon the reality that cyber threat actors are targeting encrypted data today - for decryption tomorrow - and crucial data with a lengthy protection lifecycle (Controlled Technical Information and Controlled Unclassified Information nuclear information, for example) will likely be impacted the most. Regardless of the resiliency of the cryptography in use, the information that adversaries are seeking is already readily accessible, and more so because of the public cloud services that more commercial entities are using.

The era of implicit cryptographic trust and reliance on an iterative standard process is ending. Time is the greatest asset in achieving post-quantum agility, and if organizations don't start now, they will have nothing to show for it when time runs out. In 2024, agencies and organizations will recognize that the time is now to start mapping out cryptographic dependencies by conducting a full system cryptographic inventory. We will see that the results should then support a risk-driven prioritization effort that identifies business-critical processes and information - and ensures that we are presently prepared for our "post" quantum future.



Philip George 

Philip George has led federal initiatives in mitigating the post-quantum cryptographic (PQC) threat for national security systems, as well as supporting software code assessments and the establishment of verifiable software bill of materials artifacts. He continues this effort with Merlin Cyber to ensure other government agencies understand the need for cryptographic visualization and vulnerability management. He actively works with government PQC POCs, the NIST NCCoE, and their partners to promote the establishment of enforceable cryptographic policies that incorporate agility into zero trust modernization efforts.

Published Thursday, December 07, 2023 7:34 AM by David Marshall