
Author:
Antonio Villalón, Chief Security Officer at S2GRUPO.
Strategic Analysis: Why Quantum Computing changes the rules of cybersecurity
While in conventional computing a binary value is either 0 or 1, in quantum computing a quantum bit (qubit) can be in a superposition of 0 and 1. This is very useful for data processing and can exponentially speed up computational tasks. One of these applications is in the field of information security, which protects the storage, transmission and processing of confidential information using encryption algorithms.
Conventional encryption relies on the complexity of specific mathematical calculations to protect data. Simply put, breaking a robust encryption algorithm with a robust key on a conventional computer would take billions of years. However, with quantum computers, this problem could be solved in days or even hours. This means that conventionally encrypted data could be decrypted and exposed to the public. In the case of banking or medical information, this poses a serious problem, but in the case of classified data, it would represent a matter of national security. For example, all the encrypted information we deal with on a daily basis, all authentication algorithms, all secure communications with hospitals, banks or governments, all sensitive data managed by private companies or public institutions, and even our digital identities, used for authentication, would be decrypted and exposed.
Q-Day is coming – we just don't know when
We all knew that the Y2K problem was going to hit on 1 January 2000. This meant that we were all able to prepare ourselves to deal with it properly. However, we do not know when quantum computing will emerge. That day, known as Y2Q or Q-Day, may come in a few decades… or in a few years. Today, many companies, and certainly many governments, are working to build a real quantum computer. We need to be prepared for that day, and the way to do that is to adopt post-quantum cryptography (PQC).
What is PQC and Why it matters to organisations
PQC is the set of encryption algorithms that are resistant to both conventional and quantum computers. Unlike conventional cryptography, which is based on the factorisation of large numbers, these algorithms are based on mathematical challenges that would be difficult to solve for both conventional and quantum computers.
Although we do not know when quantum computing will pose a real threat to information, it is important to implement PQC in organisations as soon as possible. When that time comes, all conventionally encrypted information will be unprotected. Furthermore, some information is so relevant that it is assumed it will still be valuable when Q-Day arrives, so the surveillance strategy is “collect now, decrypt later”: acquire encrypted confidential information now so that it can be read on Q-Day.
In short, the threat that PQC addresses lies in the future, but countermeasures must be implemented today. If we wait until Q-Day, it will be too late.
From awareness to action: How organisations should prepare for PQC
To mitigate this threat, a number of initiatives must be put in place:
The first is to understand the extent of the problem in your organisation, and to do this, it is essential to conduct a cryptographic inventory: that is, the identification of encrypted data repositories and algorithms, both active and inactive.
This inventory should include both software and cryptographic hardware and allows organisations to realise what information is particularly relevant and where and how it is encrypted, thus laying the foundation for future risk assessments or PQC migration strategies.
These risk assessments are the second step in understanding your organisation’s situation. After identifying cryptographic resources (applications, algorithms, keys, agility, etc.), sensitive data repositories and third parties relevant to cryptography, an analysis must be performed to identify the organisation’s degree of PQC vulnerability. This analysis should be considered from a global perspective (economic, reputational, etc.) and its objective is to enable organisations to prioritise countermeasures to mitigate PQC risks.
Once the current situation regarding cryptography in your organisation has been identified, in particular its degree of vulnerability, it is time to define a PQC migration plan, identifying and defining priorities and technical or commercial constraints, estimated budgets, implementation strategies and technical issues related to algorithms and protocols. This will define the path to optimal PQC implementation in your organisation, establishing both the limitations and the appropriate timelines to minimise PQC risks.
And… voilà! At this point, it is just a matter of execution. Begin your PQC migration right now!