The United States Congress unanimously passed legislation named Quantum Computing Cybersecurity Preparedness on the 16th of December 2022, which was then signed into law by President Biden on 21st December 2022. The law is of critical importance to United States governmental organisations, which cannot afford to wait any longer to secure themselves against cyberattacks launched from advanced quantum computing devices. Although the purview of the law is limited to United States government agencies, enterprises in the United States in particular, and around the globe, have already started to take an interest and invest in quantum security to stay ahead in the game.
The importance & the implication of the U.S. Law
The United States law mandates that all U.S. government organisations should, within the next 6 months, establish & maintain a current inventory of information technology systems in use that are vulnerable to decryption by quantum computers, and within 1 year thereafter develop a plan to migrate IT systems to post-quantum cryptography & ensure interoperability.
A majority of the G-8 countries have either formulated or are in the process of formulating their own quantum computing security legislation. Most of the research in this area is currently sponsored by large governmental grants to universities & research houses. Quantum computing is one of the most rapidly evolving technologies. Hardly a week goes by without new discoveries & their commercial applications being announced. Against this background, there is an immense sense of urgency to tackle the threat of quantum computers being used to decrypt & decipher sensitive data involving large corporations & nation states.
The Industry Response
There has been a concerted and ongoing effort by organisations like NIST & ISO to test & standardize post-quantum cryptography models and to come up with cryptographic algorithms & standards which don’t let quantum computers break the code easily. The cybersecurity market has already started to see Quantum Key Distribution (QKD) devices which help prevent decryption of secure data by quantum computers. Currently 2 schools of thought, post-quantum cryptographic algorithms using digital signatures & Quantum Key Distribution using photonic technology, are rapidly evolving from a research & development standpoint.
Quantum Threat Landscape
Harvest Now, Decrypt Later (HNDL) attacks are increasing exponentially with the commercial evolution of quantum computing. Today, adversaries are aware that stealing sensitive encrypted data using classical computers can help them decrypt it using powerful quantum computers in the near future. They are playing the long game.
Quantum computing has the potential to fundamentally alter the cybersecurity landscape, both for the better and for the worse. These powerful systems, backed by the laws of physics, could greatly accelerate the pace of cyber innovation and can also render some of the current encryption methods useless. As Arvind Krishna, the CEO & Chairman of IBM, puts it, “anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now.”
Frost & Sullivan’s Perspective
It can be a slow & painful process to develop fail-proof quantum-safe encryption methods. It is critical to get deeper insights into the evolving global landscape and maturity of quantum cybersecurity. The threat from quantum computers to existing security architecture is real & organisations should start evaluating their current state of cybersecurity maturity in a holistic manner.
There are some fundamental activities that enterprises can start now to quantum-proof their data, such as using larger keys on symmetric cryptographic algorithms and larger output sizes on hash algorithms. Implementing cryptographic agility within protocols, along with suitable cryptographic hardware implementation, will be important. The entire concept of the Zero Trust mechanism can be elevated to a newer level of maturity to prepare for the quantum world. We see many governments & regulatory bodies actively defining and updating their cybersecurity policies in view of the threat landscape. Quantum cybersecurity will see active regulatory action in the next 1-3 years and enterprises need to be prepared to deal with the change.
It is crucial for all organisations to take stock of their current inventory, assess their current state and develop a practical & workable plan to sustain themselves in a future shaped by quantum computing.