Randy Purse has had a distinguished career in the Canadian Navy and then within the Communications Security Establishment and Canadian Centre for Cybersecurity where he was an instructor and strategic advisor for cybersecurity training and education. Following his 35+ years in public service, he moved to the non-profit sector where he could share his insights with others. He is currently the Senior Cybersecurity Advisor for the Rogers Cybersecure Catalyst at Toronto Metropolitan University focused on cybersecurity training and education for various audiences. He is also a part-time professor in cybersecurity and a consultant for Quantum-Safe Canada.
What is the quantum threat?
There have been numerous articles discussing the potential benefits of quantum computing. To be sure, for certain classes of problems quantum computers promise speed-ups far beyond what classical machines can achieve, and they will remove barriers that have prevented us from fully exploiting technology. Like any technology, however, there can be a dark side. For quantum computing, one of the primary cybersecurity concerns is that the same machines can be used to break commonly used cryptographic algorithms. Shor's algorithm, run on a sufficiently large quantum computer, solves the integer factoring and discrete logarithm problems efficiently, which breaks the public key algorithms (RSA, Diffie-Hellman and elliptic-curve cryptography) that underpin Public Key Infrastructure (PKI), TLS, VPNs, code signing and most other asymmetric key systems. Symmetric ciphers and hash functions are affected less severely: Grover's algorithm roughly halves their effective strength, which is why AES-256 is considered adequate while AES-128 should be retired. This is a significant vulnerability placing encrypted data, processes and systems at high risk.
As discussed in Global Risk Institute's Quantum Threat Timeline Report (2022), the experts surveyed estimate that a cryptographically relevant quantum computer could emerge anywhere from 5 to 30 years from now. With significant investment in research and development in both the private and public sectors, breakthroughs could make it available even sooner. Another consideration is the threat that exists today: bad actors can steal or copy encrypted data now with the intention of decrypting it once a quantum computer becomes available. This has been colloquially termed 'harvest now, decrypt later.' The practical consequence is that any data protected today by quantum-vulnerable public key cryptography, and which must remain confidential for longer than the time it takes to build such a computer, is already exposed.
Quantum-resistant or quantum-safe (also called post-quantum) encryption algorithms and standards are being developed that are intended to eliminate or reduce the impact of quantum computing attacks. While these are not yet finalized or widely deployed (NIST selected its first algorithms for standardization in 2022), given the potential timeline, organizations should be planning for the financial investment and organizational effort that will be needed to properly implement quantum-safe technologies and processes once available. More urgently, however, organizations should be considering the implications of harvest now / decrypt later threats.
In short, any organization that depends on encryption and cryptographic systems to protect its data, processes, or systems should be concerned with the quantum threat and start considering what actions it needs to take to mitigate risks now and in the future.
What actions can you take now?
As with any cybersecurity strategy, there is no 'one-size-fits-all' approach. Every organization needs to consider its business, technical and threat context as well as its limitations and constraints. However, there are three key things that any organization can do right now to help determine what actions it should take.
First, whether you rely upon third-party IT, cloud or cybersecurity service providers or manage your own technical infrastructure, you should audit existing security controls that are protecting your valuable assets against the harvest now / decrypt later threats. For example, some best practices include:
- Ensuring an up-to-date asset inventory that identifies critical assets and which data, software or systems are protected by encryption, including the algorithms, key sizes and protocols in use (a cryptographic inventory), since this is what tells you which assets depend on quantum-vulnerable public key cryptography;
- Keeping operating systems, software and security systems up to date (i.e., patched);
- Implementing a data loss prevention strategy or, at the least, ensuring that all sensitive data, software, and systems are monitored, appropriate access controls are in place, and privileges and passwords are responsibly managed, because data that is never exfiltrated cannot be harvested;
- Conducting security training for staff to include recognition of potential threats, how to report them and what role they play in organizational cybersecurity and incident response; and
- Collaborating with partners and third-party suppliers to ensure that your upstream and downstream supply chain is also protected against such threats.
Second, you should know what is at risk and the timeline to quantum threats being realized. The primary tool for this is the quantum-risk assessment (QRA). There are various approaches and resources that you can adapt to your organizational context. One widely used framing, from Michele Mosca, compares the time your data must remain secure (X) plus the time needed to migrate the systems that protect it (Y) against the estimated time until a cryptographically relevant quantum computer exists (Z): if X + Y > Z, the asset is already at risk and migration cannot wait. The information from the QRA is critical to understanding what you might need to protect and the timeline in which you need to act. You should consider various scenarios, including contingency mitigations in the event of breakthroughs that result in cryptographically relevant quantum computing sooner than anticipated. Fortunately, if you already have a robust cybersecurity program, including the best practices above, you are well positioned to manage the emerging risk.
Third, as there remains significant uncertainty as to when the quantum threat will be realized, you should remain situationally aware and be prepared to act. This means monitoring both the progress of quantum-safe technologies and the quantum threat. It also means regularly checking in with partners and suppliers to ensure that they are keeping pace. This awareness will help ensure that you have the information needed to keep your plan current and that you can adapt your security posture to meet the evolving threat and, in particular, address the quantum threat.
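As a worked illustration of the first two steps (the cryptographic inventory and the quantum-risk assessment), the following script is an added example written for this page, not code from the original article or from any of the organizations mentioned. It classifies each inventoried asset by how a cryptographically relevant quantum computer affects its algorithm (Shor's algorithm breaks RSA, Diffie-Hellman and elliptic-curve schemes outright; Grover's algorithm only halves symmetric strength) and then applies Mosca's inequality (X + Y > Z) across several assumed timelines for Z. The asset names, shelf lives, migration estimates and the three scenario values are constructed for illustration and are not real systems or forecasts.

```python
"""Quantum-risk triage of a cryptographic inventory (added example).

Combines an inventory that records which algorithm protects each asset
with a quantum-risk assessment based on Mosca's inequality:
    shelf life (X) + migration time (Y) > years to a CRQC (Z)  ->  at risk.
All asset data and scenario years below are constructed for illustration.
"""
from dataclasses import dataclass

# How a cryptographically relevant quantum computer (CRQC) affects each family.
# Shor's algorithm breaks these regardless of key size.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "ED25519", "X25519"}
# Grover's algorithm halves the effective strength of these; larger keys restore it.
GROVER_WEAKENED = {"AES", "CHACHA20", "SHA2", "SHA3", "HMAC"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str            # family name, e.g. "RSA", "ECDH", "AES"
    key_bits: int             # key or digest size in bits
    shelf_life_years: float   # X: how long the data (or signature) must stay trustworthy
    migration_years: float    # Y: estimated years to move this asset to quantum-safe crypto


def quantum_impact(algorithm: str, key_bits: int) -> str:
    """Classify an algorithm as 'broken', 'weakened', 'adequate' or 'unknown'."""
    family = algorithm.upper()
    if family in SHOR_BROKEN:
        return "broken"
    if family in GROVER_WEAKENED:
        # Grover reduces an n-bit key to roughly n/2 bits of work, so 256-bit
        # keys keep ~128 bits of security while 128-bit keys drop to ~64.
        return "adequate" if key_bits >= 256 else "weakened"
    return "unknown"


def mosca_at_risk(asset: Asset, years_to_crqc: float) -> bool:
    """Mosca's inequality: the asset is exposed if X + Y exceeds Z."""
    return asset.shelf_life_years + asset.migration_years > years_to_crqc


def triage(asset: Asset, years_to_crqc: float) -> str:
    """Map quantum impact and timeline to a recommended action for one scenario."""
    impact = quantum_impact(asset.algorithm, asset.key_bits)
    if impact == "broken":
        # Harvest-now/decrypt-later: traffic or data captured today that must
        # stay secret past Z is already exposed, so urgency follows Mosca.
        return "migrate-now" if mosca_at_risk(asset, years_to_crqc) else "plan-migration"
    if impact == "weakened":
        return "increase-key-size"
    if impact == "adequate":
        return "no-action"
    return "review-unknown"


def assess(assets, scenarios):
    """Run triage for every asset under every Z scenario.

    Returns {asset_name: {scenario_name: action}} so contingency cases
    (e.g. an early breakthrough) sit beside the expected timeline.
    """
    return {a.name: {s: triage(a, z) for s, z in scenarios.items()} for a in assets}


# Constructed inventory (illustrative values, not real systems).
INVENTORY = [
    Asset("health-records-archive", "RSA", 2048, shelf_life_years=25, migration_years=3),
    Asset("site-to-site-vpn", "ECDH", 256, shelf_life_years=7, migration_years=2),
    Asset("firmware-signing", "ECDSA", 256, shelf_life_years=1, migration_years=4),
    Asset("backup-encryption", "AES", 256, shelf_life_years=10, migration_years=1),
    Asset("legacy-file-crypto", "AES", 128, shelf_life_years=5, migration_years=1),
]

# Assumed years until a CRQC, spanning the 5-30 year range quoted above.
SCENARIOS = {"breakthrough": 5, "median": 15, "late": 30}

if __name__ == "__main__":
    for name, actions in assess(INVENTORY, SCENARIOS).items():
        print(f"{name:24s} " + "  ".join(f"{s}={a}" for s, a in actions.items()))
```

Running it shows why the scenario view matters: the health-records archive must be migrated under both the breakthrough and median timelines, the VPN only becomes urgent under a breakthrough, and the AES-256 backups need no change at all. Replace the constructed inventory with the output of your own cryptographic inventory and the scenario years with the timeline estimates your QRA adopts.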
“If you fail to plan, you plan to fail.”
These words, commonly attributed to Benjamin Franklin, are centuries old but are as applicable today as they were then. While society is eagerly awaiting the benefits that will follow the diffusion of quantum computing, we also need to be exercising foresight and planning to address the negative consequences. One of these consequences is that common encryption systems and software become vulnerable. We can expect that quantum-safe technologies and processes will be widely available before the threat is realized, but availability is not deployment: migrating the cryptography across a large estate takes years. A few critical cybersecurity actions now and a bit of planning and investment will go a long way to ensuring that you and your organization can remain cybersecure and weather the emergence of the quantum threat.