The Quantum Clock Is Ticking, But Is the C-Suite Ready?

Quantum computing has been hovering just out of reach of the enterprise technology world for years.
“Not to age myself, but I went to college and got a computer science degree that focused on information security back in 1998 and quantum computing was right around the corner then, and it’s still right around the corner now,” said Nick Kathmann, CISO at LogicGate.
For many technology leaders, it still feels like tomorrow’s problem.
“It is so far down on my list of priorities that I’ve not devoted any time to thinking about it,” said Donald Welch, CIO of New York University.
But for others, preparing for a post-quantum security landscape is imperative.
“You can prepare now or you can prepare later, but you still have to do it,” said Dan Wilkins, CISO at the Arizona Dept of Economic Security. “The fact of the matter is it’s going to happen whether we want it to or not.”
These two extremes capture the current state of post-quantum cybersecurity planning in the C-suite. No one knows with certainty when quantum computers capable of breaking complex encryption algorithms like RSA will become a real threat – so for some industries and organizations, it isn’t a priority. But for others, preparing for the post-quantum world is already underway.
Business Risk Cloaked as a Technical Problem
“Post-quantum cryptography is a business risk cloaked in a technical problem because it impacts how trust and encryption have been built into our global economy,” said Anand Oswal, executive vice president of network security at Palo Alto Networks.
If the basis for a half-century of cryptography collapses under a quantum assault, “then the ‘invisible shield’ protecting everything from financial transactions to communications, national secrets to critical infrastructure also breaks,” he said.
CIOs and CISOs need to start worrying about this now, he said, for two primary reasons: the threat posed by “harvest now, decrypt later,” and the complexity of the quantum migration process.
Wilkins sees “harvest now, decrypt later” as a clear and present danger for Arizona’s citizens. The state has personally identifiable information on millions of people, in some cases records spanning decades.
“Harvest now, decrypt later. Those are real concerns,” he said. “The risk increases significantly because you have a massive amount of sensitive information for a long period of time, and we’re stuck with today’s technology on protecting it. That’s a challenge.”
Waiting for definitive proof of a quantum breakthrough risks compressing a multiyear effort into a crisis response.
“Large-scale cryptographic migrations are notoriously difficult and can take five to 10 years to complete across the thousands of devices, infrastructures and applications found in a large enterprise. Waiting until the hardware arrives will leave your core systems years behind and your long-shelf-life data permanently exposed,” Oswal said.
The Preparedness Gap
The industries that are beginning to prepare are those that think they have the greatest risk. Early movers include those with long-lived, sensitive data or that operate in highly regulated environments.
“Nobody can say, you know, on March 1st, 2031, this is D-Day. And that makes it very difficult to get your head around when there are so many other priorities competing for your attention,” said Sandy Carielli, an analyst at Forrester. “My expectation is that the early adopter industries are government and finance.”
Venice Goodwine, CIO and product owner at Arlo Solutions and former CIO of the U.S. Air Force and Department of Agriculture, said defense agencies also treat post-quantum readiness as a top priority.
“We cared about it more because we rely more on cryptography than probably any other industry,” she said. Nation-state adversaries “want to do harm in the technology space, and part of that is quantum,” she said.
She agrees that financial services should also be prepared. “I would tell a finance [CIO], yes, you need to think about being quantum ready, quantum resistant, quantum compliant,” she said. “Our financial sector could be heavily hit.”
Yet with so much on their plates, from artificial intelligence initiatives to managing resilience in the face of geopolitical instability to cutting costs and keeping the board happy, enterprise tech leaders are often focused elsewhere.
“The AI puzzle… has really taken a lot of focus for a lot of folks,” said Nauman Abbasi, senior director analyst at Gartner. Unless there is a dramatic breakthrough, quantum “probably won’t get a lot of priority and focus until then,” he said.
For those who choose to wait and see, the consequences could be dire.
“By the time you wait and see, it will be too late for your existing data,” Carielli said. “If you wait and see and you wait, everyone else will see your data.”
Drawing a Post-Quantum Roadmap
For those who are at the start of a quantum-readiness journey, experts advise taking an asset inventory and then creating a plan. “You really have to start with discovery because you can’t do anything unless you know what you have,” Carielli said.
Arizona began the process by taking stock of its environment, Wilkins said. “You can’t make decisions unless you know what you’re working with.” His teams also worked backwards with an exercise that assumed data had been compromised, and reverse engineered a strategy. They white-boarded attack paths, reclassified data and revamped storage and immutability controls.
The reach of cryptography across the enterprise complicates this process, Oswal said. Cryptography is deeply embedded in applications, libraries and third-party software. “Establishing a baseline of truth is the first step because you cannot secure what you cannot see – and candidly, most CIOs are going to find this challenging,” he said.
Not all data will require the same level of attention, and teams should prioritize encrypting the most sensitive, longest-lasting records. “Don’t take the scapegoat answer of ‘well, just encrypt everything,’” said Wilkins. “We don’t need to be encrypting grandma’s cookie recipes and last year’s vacation photos.”
Threat modeling is essential, said Kathmann. “It’s contingent on the data that you’re trying to protect and how valuable you consider the data,” he said. “Make sure your threat model is correct.”
Carielli agrees. “Unless you take the time to really threat model this and understand what systems you have and how to prioritize, it would be very easy to dismiss,” she said.
Another major part of any post-quantum cyber strategy is preparing for crypto agility: being able to adopt new algorithms and adapt on the fly. “We baked it into our process because we don’t operate in a bubble,” said Wilkins. “Things change and we have to be able to adjust accordingly.”
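As an added example (not from the article or any of the people quoted in it), the following Python triage applies the discovery-then-prioritize advice above to a constructed cryptographic inventory: only quantum-vulnerable public-key algorithms count, an asset is exposed when the years its data must stay confidential plus the migration time exceed an assumed quantum horizon, and long-lived regulated records are ranked ahead of throwaway data. The asset names, the sensitivity scale and the 5-year migration / 10-year horizon defaults are assumptions, not figures from the article.

```python
"""Triage a cryptographic inventory for 'harvest now, decrypt later' exposure.

Assumed scoring rule (not from the article): data is exposed when the years it
must remain confidential plus the years needed to migrate it exceed the assumed
number of years until a cryptographically relevant quantum computer exists.
"""
from dataclasses import dataclass

# Public-key algorithms broken by Shor's algorithm. Symmetric ciphers and
# NIST's post-quantum schemes (e.g. ML-KEM) are deliberately not in this set.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str        # public-key algorithm that protects the data
    sensitivity: int      # assumed scale: 0 public, 1 internal, 2 regulated/PII, 3 secret
    retention_years: int  # how long the data must remain confidential


def exposure_years(asset, migration_years, quantum_horizon_years):
    """Years by which confidentiality outlives the quantum horizon (<= 0 means not exposed)."""
    if asset.algorithm.upper() not in QUANTUM_VULNERABLE:
        return 0
    return asset.retention_years + migration_years - quantum_horizon_years


def priority(asset, migration_years=5, quantum_horizon_years=10):
    """Map an asset to a migration tier: 'migrate first', 'schedule' or 'monitor'."""
    gap = exposure_years(asset, migration_years, quantum_horizon_years)
    if gap <= 0:
        return "monitor"        # not vulnerable, or the data expires before the horizon
    if asset.sensitivity >= 2:
        return "migrate first"  # long-lived regulated data that can be harvested today
    return "schedule"           # vulnerable but low value: fold into the normal refresh cycle


def triage(inventory, migration_years=5, quantum_horizon_years=10):
    """Return (name, tier, exposure_years) rows, worst exposure first."""
    rows = [(a.name, priority(a, migration_years, quantum_horizon_years),
             exposure_years(a, migration_years, quantum_horizon_years)) for a in inventory]
    order = {"migrate first": 0, "schedule": 1, "monitor": 2}
    return sorted(rows, key=lambda r: (order[r[1]], -r[2]))


# Constructed sample inventory, roughly the mix the article describes.
SAMPLE_INVENTORY = [
    Asset("benefits-records-db", "RSA", sensitivity=2, retention_years=40),
    Asset("vpn-gateway", "ECDH", sensitivity=1, retention_years=1),
    Asset("vacation-photos-share", "RSA", sensitivity=0, retention_years=10),
    Asset("pilot-hybrid-tls", "ML-KEM", sensitivity=2, retention_years=40),
]

if __name__ == "__main__":
    for name, tier, gap in triage(SAMPLE_INVENTORY):
        print(f"{tier:14} {name:24} exposure={gap:+d} years")
```

Changing `migration_years` and `quantum_horizon_years` shows how the same inventory re-ranks under more optimistic or pessimistic assumptions, which is the crypto-agility conversation the article is asking leaders to have.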
While enterprises are embarking on this journey, they also need to ensure that their technology vendors are walking the same path. Certificate authorities and vendors need to be in lock-step and have quantum road maps that they can communicate to customers, Wilkins said.
“We can’t progress without the reliance on this other party,” Wilkins said. “What does your quantum road map look like? Where are you at in this journey?”
For Carielli, it’s important that organizations begin, even if they don’t perceive current risk. Government agencies like the National Institute of Standards and Technology have published guidelines that set timelines, putting very real time pressure on post-quantum migrations.
“A lot of government entities have to some extent taken it out of our hands to have to make that call, because they have put the guidelines in place,” she said. “Whether one believes it’s happening in five years or 10 years or 15 years or later, what is it that government leadership is seeing that is pushing them to enforce those dates?”
