Tips to mitigate public-key cryptography risk in a quantum computing world
Quantum computing is poised to transform the industry over the next decade. With its promise of breakthrough speed and power, it’s easy to understand why there is so much hype around this new technology.
But we must also consider the new cybersecurity risks that quantum computing potentially introduces, especially when it comes to encryption. Public-key cryptography is the traditional encryption method used to protect data, transactions, processes, and more. At a high level, it requires a pair of keys, a public key and a private key, which enables communicating parties to encrypt and decrypt data and protect it from unauthorized access. Public-key cryptography relies on algorithms designed so that recovering the protected data without the private key would take a classical computer so long that they are effectively unbreakable in practice. This approach has been very effective in the current world of classical computing.
But quantum computers are significantly more powerful than classical ones. As the technology advances over the next decade, quantum computers are expected to be able to break the algorithms that today's public-key cryptography depends on within seconds.
The risk: Legitimate or uncertain?
The threat that quantum computing poses to public-key cryptography is not just fearmongering; it is something every organization must take seriously. In fact, the risk is serious enough that the U.S. Government is taking a proactive approach to mitigate it.
In October 2021, the Department of Homeland Security (DHS), in partnership with the Department of Commerce’s National Institute of Standards and Technology, released guidance to help organizations prepare for the transition to post-quantum cryptography. According to DHS, its roadmap will “help organizations protect their data and systems and to reduce risks related to the advancement of quantum computing technology.”
Risk mitigation best practices
When it comes to developing a cybersecurity plan to mitigate the security risks associated with quantum computing, the guidance from DHS is certainly a great place to start. Here are some other tips to consider.
Identify where and for what purpose public-key cryptography is being used within your organization, and then mark those systems as “quantum vulnerable.”
Here are a few questions to consider throughout this process:
- What is the system protecting – e.g., key stores, passwords, root keys, signing keys, personally identifiable information (PII)?
- What other systems does the one in question communicate with?
- To what extent does the system share information with other entities outside of the organization?
- Does the system support a critical national infrastructure sector?
- How long does the data need to be protected?
- Is the system a high-value asset based on organizational requirements?
  - E.g., is the system essential for business continuity processes? Is it customer-facing? Could it impact organizational operations?

In addition to IT systems, make sure to also consider facilities, housekeeping, fire prevention, physical security measures, environmental control systems and other business systems and processes.
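The tagging step above, as a small Python triage script added here as an example (it is not part of the original article or the DHS guidance): each inventory record carries the answers to the checklist questions, systems whose primary algorithm is RSA, DSA, Diffie-Hellman or an elliptic-curve scheme are marked "quantum vulnerable", and those protecting long-lived data, critical infrastructure or external data flows are ranked first. The system names, the algorithm list and the ten-year planning horizon are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Public-key families resting on factoring or discrete logs, which Shor's algorithm breaks.
QUANTUM_VULNERABLE_FAMILIES = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA", "ED25519", "X25519"}
# Planning horizon in years: the article says "a decade or so"; 10 is an assumption, not a forecast.
QUANTUM_HORIZON_YEARS = 10


@dataclass
class SystemRecord:
    name: str
    algorithm: str          # primary algorithm protecting the system's data
    protects: str           # what the system protects (PII, signing keys, ...)
    protection_years: int   # how long the data must remain confidential
    external_sharing: bool  # shares data with entities outside the organization
    critical_infra: bool    # supports a critical national infrastructure sector


def is_quantum_vulnerable(algorithm: str) -> bool:
    """True when the algorithm's family is one that Shor's algorithm breaks."""
    family = algorithm.upper().replace("_", "-").split("-")[0]
    return family in QUANTUM_VULNERABLE_FAMILIES


def triage(rec: SystemRecord, horizon: int = QUANTUM_HORIZON_YEARS) -> dict:
    """Tag one system and derive a migration priority from the checklist answers."""
    vulnerable = is_quantum_vulnerable(rec.algorithm)
    # Data that must stay secret beyond the horizon can be recorded today and
    # decrypted later, so it is exposed before a quantum computer even exists.
    long_lived = rec.protection_years >= horizon
    if not vulnerable:
        priority = "none"
    elif long_lived or rec.critical_infra or rec.external_sharing:
        priority = "high"
    else:
        priority = "medium"
    return {"system": rec.name, "quantum_vulnerable": vulnerable,
            "long_lived_data": long_lived, "priority": priority}


def triage_inventory(records: list) -> list:
    # Stable sort: highest priority first, inventory order preserved within a tier.
    rank = {"high": 0, "medium": 1, "none": 2}
    return sorted((triage(r) for r in records), key=lambda r: rank[r["priority"]])


# Constructed sample inventory; system names and values are illustrative only.
SAMPLE_INVENTORY = [
    SystemRecord("hr-records-db", "RSA-2048", "PII", 25, False, False),
    SystemRecord("vpn-gateway", "ECDH-P256", "session keys", 1, True, False),
    SystemRecord("internal-wiki", "ECDSA-P256", "TLS identity", 1, False, False),
    SystemRecord("backup-archive", "AES-256-GCM", "backups", 30, False, False),
    SystemRecord("scada-historian", "RSA-4096", "telemetry", 5, False, True),
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` puts the PII database first even though its RSA key is not weak today, because 25 years of required confidentiality exceeds the assumed horizon; the AES-protected archive is not tagged at all.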
Develop a cybersecurity playbook to protect identified systems and limit risk.
Cybersecurity playbooks are specific response plans that address a particular class of threat, such as zero-day vulnerabilities or quantum computing-related threats, and document the response actions to take in the event of compromise. All playbooks should include detailed instructions regarding:
- Who to contact (e.g., technical teams, senior management, Legal, HR, etc.) in the event of compromise
- How to understand/triage the incident
- How to reduce the impact of the incident
- Steps to retain evidence or data, if required
- How to remediate and recover from the incident, and
- How to perform a post-incident review
Designing and developing a cybersecurity playbook is only the first step in the process. Equally important to documenting a plan is educating and training staff on their specific roles and responsibilities, continuously testing the plan, and putting reporting frameworks in place to ensure ongoing governance.
No time to act like the present
While it’s true that quantum computing isn’t expected to reach its full potential for a decade or so, it’s important that organizations prepare a post-quantum cybersecurity strategy now, especially auditing their environment to identify “quantum vulnerable” systems and processes, since such audits take time to complete. If quantum computing brings unprecedented speed and power to computing, it is likely to bring new cybersecurity risks and challenges along with it.
To stay one step ahead, organizations should start preparing today. Only then will they be able to leverage the transformative power of quantum computing without weakening their security posture.