Organizations will soon need to transition to quantum-safe encryption to address new cybersecurity threats. Here’s how businesses can prepare.

Security experts and scientists predict that quantum computers will one day be able to break commonly used encryption methods, rendering email, secure banking, cryptocurrencies, and communications systems vulnerable to significant cybersecurity threats. Organizations, technology providers, and internet standards will therefore soon be required to transition to quantum-safe encryption. Against this backdrop, NATO has begun testing quantum-safe solutions to investigate the feasibility and practicality of such technology for real-world implementations, while the National Institute of Standards and Technology (NIST) launched a competition to identify and standardize quantum-safe encryption algorithms.

Significant threats posed by quantum computing

The potential threats posed by a quantum future are considerable, assuming quantum computers reach their estimated potential. “The primary threat is to public-key encryption, which is based on certain one-way mathematical functions – easy to compute one way, but very difficult to solve in the other direction,” cybersecurity expert and visiting professor at the University of Surrey’s Department of Computer Science Alan Woodward tells CSO. “This is because of an algorithm first published by Peter Shor. Shor’s algorithm has since been generalized and shown to apply to any of the mathematical problems known as the hidden subset problems.”

Andersen Cheng, CEO of UK-based tech firm Post-Quantum – whose hybrid VPN was successfully used by the NATO Cyber Security Centre to test secure post-quantum communication flows – concurs, adding that quantum computers are a “mega threat” that organizations and cybersecurity teams need to switch their attention to.
“It has been theoretically proven that as quantum computers develop, they will be able to break today’s encryption standards (RSA/Elliptic Curve), which safeguard virtually all data flowing over networks,” he tells CSO.

This poses an existential threat to digital commerce, secure communications, and remote access, Cheng adds. “When the day comes that quantum computers mature to the point where they are more powerful than classical computers (often referred to as Y2Q), everyone’s data will be at risk of theft and exploitation, potentially with unimaginably dire consequences – think of the shutting off of entire power grids and emptying bitcoin wallets. Even before Y2Q arrives, it is known that some bad actors are already harvesting data today so they can decrypt it later when quantum computing has advanced further.”

Quantum-safe encryption key to addressing quantum threats

Quantum-safe encryption is key to addressing the quantum-based cybersecurity threats of the future, and Woodward predicts that a NIST candidate will eventually emerge as the new standard used to protect virtually all communications flowing over the internet, including browsers using TLS. “Google has already tried experiments with this using a scheme called New Hope in Chrome,” he says.

Post-Quantum’s own encryption algorithm, NTS-KEM (now known as Classic McEliece), is the only remaining finalist in the code-based NIST competition. “Many have waited for NIST’s standard to emerge before taking action on quantum encryption, but the reality now is that this could be closer than people think, and the latest indication is that it could be in the next month,” says Cheng. Very soon, companies will need to start upgrading their cryptographic infrastructure to integrate these new algorithms, which could take over a decade, he says.
“Microsoft’s Brian LaMacchia, one of the most respected cryptographers in the world, has summarized succinctly that quantum migration will be a much bigger challenge than past Windows updates.”

Getting ahead in the quantum-safe encryption race

Pending NIST’s decision on which algorithms will become the new standard, there are things organizations can and should be doing to get ahead. For Woodward, understanding what data has the longest life and, if necessary, seeking advice on how this might be at risk at some future date is a sound starting point.

Cheng echoes similar sentiments, adding that if companies are struggling with where to start, they should focus on identity. “You could secure all of your encryption, but if someone can access your identity system, then it doesn’t matter what else you do. Your systems will think they are the right person, so they can gain ‘legitimate’ access to your systems and infrastructure.”

Cheng advises setting up Y2Q migration as a bespoke project and giving it the firepower it needs as, like any large IT program, migrating to a post-quantum world will need a dedicated team and resources to ensure success and a smooth transition. This team will need to take stock of where cryptography is deployed today across the organization and map out a migration path that prioritizes high-value assets, whilst also identifying any expected impact on operational systems, he says. “You’ll also need to ensure that you have the skills on board to execute the quantum migration.”

From there, businesses should adopt a “crypto-agile” approach when thinking about any infrastructure overhaul. “Practicing crypto agility means that organizations use solutions that keep the tried and tested classical cryptography we use today alongside one or more post-quantum algorithms, offering greater assurance against both traditional attacks and future threats,” Cheng says.