Secure Your Data for the Quantum Age
It is expected that within a decade, large-scale quantum computers will be available that can attack currently used public-key cryptosystems. It can also take up to twenty years for new systems to be implemented and to replace what is currently in use.
The National Institute of Standards and Technology (NIST) is currently in Round 2 of standardizing post-quantum cryptographic candidates that can withstand quantum computer attacks and are expected to replace currently used public-key cryptosystems. Round 3 is expected to begin in April 2020, so keep an eye on this progress.
Neither quantum computers nor standardized quantum-safe cryptographic solutions are currently available, so why should you be worried now?
As stated above, it takes decades to transition to new solutions. For example, look at embedded CPUs in the automotive industry. On average, it takes over 10 years from beginning the design of a silicon chip to building and testing the car before it is ever sold. Once sold, the average life of a car today is between 8 and 10 years. This means we need to design CPUs today that will be secure against attacks in 2040 (approximately 20 years from now), or there will need to be massive recalls (firmware updates do not solve all issues).
This is also the case for medically implanted devices and satellite systems, to name a few “hard to change” devices. While replacing a cryptographic algorithm is not equal to building an entire car, it is important to know exactly what electronic resources are needed and to prove that they will all work together before the prototype is complete.
It is also a concern that many companies do not have a dedicated cryptographic team to understand and diagnose issues related to these new algorithms, which will make the transition take longer. ‘Footgun’ is a term commonly used in cryptographic communities for cases where deleting (or adding) a line of code, to simplify its commands and make it easier to understand, ultimately results in the entire code being compromised or attacked. This is already a concern and is likely to increase, as these quantum-safe solutions are, in large part, more complicated (mathematically and engineering-wise) than their predecessors.
If solutions are not available, what can I do?
Implementing or changing security solutions to be quantum-safe is not the first step in the transition. An understanding of your current security risks and vulnerabilities is the place to begin. This can include your current network and your connected product line. Knowing what is at stake and what your current risks are can help you determine what actions to take and when to take them.
Taking a look at how vulnerable you are currently, and how vulnerable you will be when quantum computers are available, is crucial. The first step is always to assess your situation; only then can you proceed in the right direction and get there as quickly and inexpensively as possible.