CSA prepares enterprises for quantum computing cybersecurity threats
The Cloud Security Alliance’s (CSA) latest paper brings quantum computing and cybersecurity to the forefront of enterprise leaders’ minds as it tackles some of the biggest questions around the subject.
As the quantum age draws nearer, discussions on how to utilise the technology and, most importantly, protect organisations against the risks it poses are moving out of the hypothetical and into the practical. Part of this process is to educate key stakeholders about these opportunities and threats; something we discussed after the Hudson Institute released a guide offering business leaders guidance on quantum-secure cybersecurity.
To continue this awareness drive, the Quantum-Safe Security working group of the Cloud Security Alliance (CSA), co-chaired by IDQ’s Bruno Huttner, has released ‘Preparing Enterprises for the Quantum Computing Cybersecurity Threats’. The paper looks to inform enterprise leadership and cybersecurity experts of the actions they must take in order to protect their organisations from impending quantum threats. It does this by answering some of the biggest questions around the subject, before outlining six key steps – spanning both technology and people – that leadership must take to ensure their security is prepared for the quantum age.
The impact of quantum computing on cryptography
The paper begins by conveying both the benefits and risks of quantum computing, highlighting the challenges that must be overcome. One such challenge is that faced by current cryptographic methods. While the paper reports that quantum computing’s impact on symmetric encryption and hash functions can be mitigated by larger key sizes and outputs, the same is not true of asymmetric encryption.
The CSA states that this technique, used in public key infrastructure (PKI), will face catastrophic consequences as a quantum computer with enough qubits will be able to crack the algorithms currently in use. This means that the likes of RSA, DSA and elliptic curve are all vulnerable to attack.
The paper goes on to discuss why the time to prepare for the quantum age is now, citing key research that shows the history behind quantum resistant cybersecurity and explaining why leadership teams need to plan for a cybersecurity landscape that features quantum computers. While the timeframe for a mainstream device is not exactly known yet, the report demonstrates why organisations must begin the lengthy upgrade process now, in order to avoid both ‘live’ and ‘harvest and decrypt’ quantum attacks.
Lastly, the paper discusses the cybersecurity industry’s response to this emerging threat, citing NIST’s drive to standardise quantum-resistant public key algorithms. This process is continuing, and NIST expects draft standards to be available between 2022 and 2024.
Preparing for the post-quantum era
The CSA then provides practical advice on the actions that enterprises should take in order to ready their quantum cybersecurity strategy. It describes six key steps:
- Acknowledge the severe impact of a powerful quantum computer on cryptography: As a precursor to actively mitigating quantum computing risks, organisations must first acknowledge quantum computing as a threat; indeed one that could become active in as little as five years.
- Inventory impacted IT assets: A quantum attack could focus on data at rest as well as in motion, and target everyday hardware, software and IoT devices alongside the communications infrastructure itself. A quantum computer has the potential to impact each of these devices differently, so organisations must ensure rigorous inventory of their IT assets and understand the risks.
- Pursue cryptographic agility: Cryptographic agility refers to how readily organisations can replace existing crypto algorithms with newer ones. As time goes by and existing algorithms degrade or become vulnerable, it’s key that enterprises can adopt new primitives quickly. To help ensure agility, the paper recommends that organisations ask vendors to share their quantum-resistant product roadmap.
- Implement hybrid cryptography: To protect against both classical and quantum attack, the paper suggests implementing a hybrid cryptography solution. A hybrid approach combines different types of solution, for example a classical and a quantum security principle, such as Quantum Key Distribution (QKD). This approach is especially useful for enterprises that store sensitive data for long periods of time, as this information would be secured against attacks whereby encrypted data is stolen today and cracked using a quantum computer once one is commercially available.
- Explore the use of alternative technologies: The paper suggests enterprises look to build layers of defence through alternative technologies. Examples of such innovations include data tokenization and certain types of zero-knowledge proof systems which can then be combined with conventional quantum-resistant technologies.
- Plan on building organisation capacity in quantum computing and quantum technologies: Alongside technologies, the paper also advocates enterprises growing skills and knowledge around quantum computing. This can be done by training existing staff and employing people with a background in quantum physics, mathematics and classical and quantum programming languages.
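As an added illustration (not taken from the CSA paper or from this article), the sketch below applies the inventory step to the impact split described earlier: asymmetric families are marked for replacement, symmetric and hash algorithms for larger sizes, and assets whose data outlives the threat horizon are ranked first for ‘harvest and decrypt’ exposure. The record fields, the 256-bit floors, the three-year migration time and the ten-year horizon are assumptions, and the inventory is constructed sample data.

```python
from dataclasses import dataclass

# Families the article names as broken by a large quantum computer.
ASYMMETRIC = {"RSA", "DSA", "ECDSA", "ECDH"}
SYMMETRIC_MIN_BITS = 256  # assumption: policy floor for symmetric keys
HASH_MIN_BITS = 256       # assumption: policy floor for hash output size

@dataclass
class Asset:
    name: str
    algorithm: str        # "FAMILY-SIZE", e.g. "RSA-2048", "AES-128"
    retention_years: int  # how long the protected data must stay confidential

def classify(algorithm):
    """Return 'replace', 'enlarge', 'ok' or 'unknown' for one algorithm label."""
    family, _, size = algorithm.upper().partition("-")
    bits = int(size) if size.isdigit() else 0
    if family in ASYMMETRIC:
        return "replace"  # no key size rescues these
    if family == "AES":
        return "ok" if bits >= SYMMETRIC_MIN_BITS else "enlarge"
    if family in {"SHA2", "SHA3"}:
        return "ok" if bits >= HASH_MIN_BITS else "enlarge"
    return "unknown"      # needs manual review

def harvest_exposed(asset, migration_years, horizon_years):
    """Ciphertext stolen today matters if the data must stay secret beyond the
    horizon once migration time is counted (Mosca's inequality)."""
    return (classify(asset.algorithm) == "replace"
            and asset.retention_years + migration_years > horizon_years)

def triage(inventory, migration_years=3, horizon_years=10):
    """Sort assets: harvest-exposed first, then by required action."""
    order = {"replace": 0, "unknown": 1, "enlarge": 2, "ok": 3}
    rows = [(a.name, classify(a.algorithm),
             harvest_exposed(a, migration_years, horizon_years))
            for a in inventory]
    return sorted(rows, key=lambda r: (not r[2], order[r[1]], r[0]))

# Constructed sample inventory, not real systems.
INVENTORY = [
    Asset("vpn-gateway", "RSA-2048", 1),
    Asset("records-archive", "RSA-3072", 25),
    Asset("backup-vault", "AES-128", 15),
    Asset("db-tde", "AES-256", 15),
    Asset("iot-telemetry", "ECDH-P256", 2),
]

if __name__ == "__main__":
    for name, action, urgent in triage(INVENTORY):
        print(f"{name:16} {action:8} harvest-exposed={urgent}")
```

Shortening `horizon_years` towards the five-year figure mentioned in the first step moves short-retention assets such as the VPN gateway into the exposed group.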
Starting the quantum journey today
The paper concludes by reaffirming the need for enterprise leadership to begin taking these steps and addressing these challenges today, as delaying them until tomorrow could mean that it is too late.
“Monitoring the development of quantum computing stack, the standardization of post-quantum cryptography by NIST and the implementation of alternative cryptographic methods is imperative for all stakeholders. Although a quantum computer capable of cracking RSA will likely not arrive for another decade or more, the consequences of inaction are so dire that cybersecurity professionals and decisionmakers should plan and act now.”