Today’s CIOs need to get their companies ready for quantum-secure cryptography
IBM Post Quantum Cryptography
After years of pure study, quantum computers are now becoming practical instruments. They are utilized by organizations and enterprises to investigate the limits of problems in high energy physics, materials development, optimization, sustainability, and healthcare and life sciences. But when quantum computers get bigger, they will also be able to tackle some challenging mathematical issues that are the foundation of modern public key cryptography. Globally utilized asymmetric encryption techniques that now aid in ensuring the confidentiality and integrity of data as well as the authenticity of system access could be broken by a future cryptographically relevant quantum computer (CRQC).
A CRQC carries a wide range of hazards, including the potential for data breaches, disruptions to digital infrastructure, and potentially extensive worldwide manipulation. These quantum computers of the future will be one of the most dangerous threats to the digital economy and present a serious cyberthreat to companies.
Today, the risk is already present. The “harvest now, decrypt later” threat refers to the practice of cybercriminals gathering encrypted data today with the intention of decrypting it later when a CRQC is available. They can obtain illegal access to extremely sensitive data by retrospectively decrypting the data if they have access to a CRQC.
The rescue of post-quantum cryptography
Thankfully, post-quantum cryptography (PQC) techniques have been standardized and are able to secure today’s systems and data. The first three standards were just published by the National Institute of Standards and Technology (NIST):
- A key encapsulation technique called ML-KEM is chosen for broad encryption, like that used to access secure websites.
- Lattice-based algorithms like ML-DSA are used in general-purpose digital signature systems.
- A stateless hash-based digital signature system is called SLH-DSA.
IBM collaborated with outside parties to establish two standards (ML-KEM and ML-DSA), while a scientist who joined IBM co-developed the third (SLH-DSA).
Governments and businesses worldwide will use those algorithms as part of security protocols like “Transport Layer Security” (TLS) and numerous others.
The good news is that we can use these algorithms to guard against the risk of quantum errors. The bad news is that in order to implement these new PQC rules, businesses will need to relocate their properties.
Programs to migrate cryptography algorithms in the past required years to finish. How long did your organization’s SHA1 to SHA2 migration program last? Have you upgraded the PKI trust chain key size from 1024-bit to 2048-bit, 3072-bit, or 4096-bit keys as part of your public key infrastructure (PKI) upgrading program? How long did it take for your intricate corporate environment to implement all of that? A few years?
Quantum computing and the application of post quantum cryptography standards have a wide range of effects on every aspect of your company. Numerous additional systems, security tools and services, apps, and network infrastructure are impacted by the risk of quantum computing. To protect your assets and data, your company must make the switch to PQC standards right away.
Adopt quantum-safe cryptography right now
IBM recommends implementing a quantum-safe transformation procedure to safeguard your company from “harvest now, decrypt later” threats. Use services and begin implementing solutions to enable you to implement the newly released post quantum cryptography encryption requirements.
IBM has created a thorough quantum-safe software approach that is presently being used by dozens of clients in dozens of countries, including national governments, and important businesses.
It suggest that clients implement a program that includes the following crucial stages:
Phase 1: Establish your organization’s priorities and provide your cyber teams with quantum risk awareness to get them ready.
Phase 2: Get your company ready for the PQC transfer by transforming it.
Phase 3: Implement the PQC migration for your company.
Phase 1: Get your teams ready
Focus on important areas during the first phase of the program, such as developing an organizational-wide awareness campaign to inform security subject matter experts (SMEs) and stakeholders about the quantum risk. Assign “ambassadors” or “champions” who are knowledgeable about quantum risk and its evolution, serve as the program’s main point of contact, and assist in establishing the enterprise strategy.
After that, evaluate the quantum risk to your company’s cryptographically relevant business assets, which include any asset that makes use of or depends on cryptography in general. For instance, among other things, your risk and impact evaluation should evaluate the asset’s economic significance, the complexity of its environment, and the difficulty of migration. Determine the company assets’ weaknesses, along with any necessary remedial measures, and then provide a report outlining the results to important stakeholders so they can comprehend the organizational quantum risk position. This can also be used as a starting point for creating the cryptography inventory for your company.
Phase 2: Get your company ready
In step 2, provide your stakeholders with guidance on how to handle the priority areas that have been identified, as well as any potential quantum threats and cryptographic flaws. Next, describe corrective measures, like pointing out systems that might not be able to handle post quantum cryptography algorithms. Lastly, outline the migration program’s goals.
At this point, IBM assists customers in creating a quantum-safe migration roadmap that outlines the quantum-safe actions necessary for your company to accomplish its goals.
As IBM counsels its clients: Prioritize systems and data for PQC migration and include important projects in your roadmaps, including creating a cryptographic governance structure. Utilize post quantum cryptography in the design and production of Cryptography Bills of Material (CBOMs) by updating your secure software development procedures and guidelines. Collaborate with your vendors to comprehend cryptography artifacts and third-party dependencies. To avoid creating new cryptographic debt or legacy, update your procurement procedures to concentrate on services and solutions that support post quantum cryptography.
“Cryptographic observability,” a cryptographic inventory that enables stakeholders to track the adoption of post quantum cryptography over the course of your quantum-safe journey, is one of the essential necessary capabilities. Data collection, analysis, and risk and compliance posture management should all be automated to enable such an inventory.
Step 3: Execute your migration
Your company implements efforts based on strategic objectives, delivery capacity, risk/cost, priority systems, etc. Throughout phase 3 of the quantum-safe migration program. Create a quantum-safe plan that is upheld by the information security guidelines and rules of your company.
Use standardized, tried-and-true reference architectures, migration patterns, journeys, and blueprints to carry out the technological migration.
Implement cryptographic decoupling by abstracting local cryptography processing to centralized, controlled, and readily adjustable platform services, and incorporate the facilitation of cryptographic agility into the development and migration solutions.
Incorporate a feedback loop with lessons learnt into your software. Permit the development and quick testing of fresh ideas and solutions to help the migration effort in the years to come.
Obstacles to anticipate when transitioning to PQC
Migrating many pieces is difficult. For instance, it will be more difficult to move essential internet infrastructure elements including wide area networks (WANs), local area networks (LANs), VPN concentrators, and site-to-site links. As a result, these components need more care than those that aren’t used often in the company. It is difficult to transfer core cryptography services like PKI, key management systems, secure payment systems, cryptography apps, or backends like mainframes, link encryptors, and HSMs. Dependencies on various hardware and programs, as well as problems with technology interoperability, must be taken into account.
To help guarantee compatibility and performance acceptability and spot any issues, you should also think about performance testing the post quantum cryptography standards against your internal systems and data operations. For instance, PQC occasionally calls for larger key, ciphertext, or signature sizes than are currently employed; this must be taken into consideration during integration and performance testing. Migrating to PQC standards may be challenging or impossible for certain organization-critical systems that still use outdated cryptography. It may be necessary to restructure and refactor the application.
Additional difficulties include a lack of paperwork or expertise, which has led to knowledge gaps in your company. The migration process will be made even more difficult by hardcoded data in systems, configuration files, scripts, etc.
Verify the tracking and management of your digital certificates and encryption keys. The migration will be made more difficult by poor management.
International post quantum cryptography working groups will test some use cases but not others. Your businesses will have a variety of technology configurations and combinations, therefore you must properly evaluate your systems from the standpoint of an end-to-end process.
Avoid waiting for regulations to change
It must expect that regulation outside of the US will happen soon after NIST has published the first set of post quantum cryptography standards. In the financial industry setting, such examples are:
- Quantum risks are specifically mentioned in a regulatory technical standard for ICT risk management under the Digital Operations Resilience Act (DORA) in the EU.
- It is imperative that “senior management and relevant third-party vendors understand the potential threats of quantum technology,” according to the Monetary Authority of Singapore (MAS). The necessity of “identifying and maintaining an inventory of cryptographic solutions” is also mentioned.
- “A current inventory of all cryptographic cipher suites and protocols in use, including purpose and where used,” is now required by a control point in the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1.
As a result, it suggests that you concentrate on creating your cryptographic governance framework, which includes creating a quantum-safe plan for your company. It ought to be in line with your company’s strategic goals, vision, and deadlines. The transformation initiative should include guidance and support from a center of excellence. Key pillars including your organization’s regulatory monitoring, cryptographic assurance and risk management, delivery capacity building, and PQC education should be the focus of the governance structure. It should offer technical design review boards, security architectural patterns, and assistance in implementing best practices within your application development process.