Navigating the quantum leap in cybersecurity

In this Help Net Security interview, we sit down with Dr. Atsushi Yamada, the newly appointed CEO of ISARA, a security solutions company specializing in creating quantum-safe cryptography. With over two decades of experience in cryptography and cybersecurity, Dr. Yamada discusses his vision for ISARA and shares his insights on the critical role of post-quantum cryptography (PQC) in fortifying our digital landscape.

Dr. Yamada, you’ve been with ISARA since 2015 and have been appointed CEO. How do you see your previous experiences within the company influencing your approach as the new CEO?

Having the historical context of the company helps a lot; where it came from, how it evolved. I bring extensive technical experience from overseeing the entire R&D department and have had lots of experience on the sales and business development side, including serving as the delivery executive.

I have also been in the cryptographic industry for a long time now — since 1997. That’s 26 years steeped in developing or selling cryptography! My previous experience with cryptographic migrations started at Blackberry.

I understand the industry and have seen how trends have developed over the years and have gained insights that will be valuable as we move the industry forward. As CEO, I can merge all my roles together with a holistic view of the company and our goals around cryptographic risk management.

Quantum Computing Cybersecurity Preparedness Act has been signed into law, emphasizing the significance of a switch to post-quantum computing. How does ISARA plan to address this urgency and support enterprises and government agencies during this transition?

We learned a long time ago that cryptographic migrations are critical. In fact, from the beginnings of ISARA, we have been experimenting with how to migrate cryptography in various systems and asking what are the pain points.

The Quantum Computing Cybersecurity Preparedness Act requires federal agencies to maintain an inventory of the cryptographic assets they have in use, assess their quantum vulnerabilities, perform proof-of-concept testing of post-quantum cryptographic algorithms, and then prioritize the migration of those assets. The Act also requests that the inventorying process be automated to the greatest extent possible, and that each agency repeats this process annually.

These are the exact problems ISARA has been focused on for several years now (it’s almost as if we wrote the Act!) In 2019, we launched our Advance Cryptographic Inventory and Risk Assessment tool to help enterprises discover the cryptography in use throughout an IT ecosystem, to understand and categorize the level of risk — be it from classical attacks or from quantum-attacks — and ultimately provide a way forward for organizations to futureproof these systems.

Our world-class software development kit and PKI solutions, supported by our highly experienced team of engineers and quantum experts, also allow organizations to do proof-of-concept testing of post-quantum cryptographic algorithms, to see how quantum-safe algorithms fit into their systems.

Given your background in cryptography and cybersecurity and your deep understanding of ISARA’s technologies, how do you see ISARA evolving its offerings to meet PQC and cryptographic risk management needs?

Cryptographic risks will continue to exist today, tomorrow, and after cryptographically relevant quantum computers (CRQCs) exist. Our goal at ISARA is to prepare enterprises and governments to transition their infrastructures to a quantum-safe state — and beyond — since quantum computers aren’t the only threats to systems.

At ISARA, we will keep evolving and improving our cryptographic inventory capabilities and reporting systems. We will keep building tools and components — and expanding services — that are needed to ensure migrations will be fast, efficient, and cost effective so that customers can easily mitigate risks today and in the future.

We will be able to more easily adapt because we already have the cryptographic risk management foundation in place.

Many of the IT systems in use today are decades old and are designed around outdated security design philosophies. Quantum-safe migration is part of a larger opportunity to modernize our IT ecosystems, remediate yesteryear’s security vulnerabilities, and adopt a sustainable model for managing our risks going forward.

Just think: 10-15 years from now, PQC is going to be just cryptography. It will be built into organizations’ risk management programs, much like zero trust. So, organizations need to think about PQC transitions as part of a larger movement.

At ISARA, we understand that. We are futureproofing systems for more than just a PQC perspective — it is longer-term than that. It is about being crypto agile for the long term.

Cryptographic migrations are enormous. The entire industry is learning a lot right now about what it means to undertake a cryptographic transition of this scale. We often talk about the parallels to the migration from the SHA-1 to the SHA-2 hash functions, specifically that the migration took decades (and is still underway in some places) and the Triple-DES to AES migration, which took 10 years. There are good experiences and lessons to learn from these, but the truth is that the PQC transition is much more intricate and complex.

With the recent changes in the leadership team, what is ISARA’s strategic direction for the next few years?

At ISARA, we have one goal, one focus: cryptographic risk management.

For us, it’s all about focus. Instead of doing 10 different things, and doing those 10 things mediocrely, we want to execute with a strategic focus around products and services that complement each other. This will include collaboration with the right partners.

Given the looming threat of quantum computers to current encryption standards, how prepared do you believe the tech industry is for this shift, and how does ISARA plan to lead this transition?

ISARA has been a leader in the cryptographic space since the beginning, and we plan to keep doing so by evolving our product and service offerings, working in collaboration with partners, keeping our focus, and executing on our strategic vision. For example, last year, we dedicated four hybrid certificate patents to the public, to help ease the path to quantum-safe security. Making critical digital certificate methodology available is part of the foundation we’re talking about, to expand crypto-agile security standards and ease the quantum computing migration path for organizations. We will continue to look for ways to increase crypto agility in secure systems now and in the future.

One of the biggest risks is authentication. Quantum computers have the potential to bring down a PKI system with one attack, which could mean a total breakdown of trust. That is why NIST is standardizing a suite of post-quantum signature schemes in parallel with key encapsulation/public key encryption algorithms.

If a CRQC were to appear tomorrow, the industry and its current security infrastructure would not yet be prepared. Fortunately, there is time for organizations and federal agencies to prepare systems now so they can switch over when needed. Additionally, the actions we are seeing from government — such as the Quantum Computing Cybersecurity Preparedness Act and the actions from NIST in PQC standardization — have really helped incentivize everyone, public or private, to take this critical migration problem seriously.