How to Start Your Quantum Migration Journey

If quantum migration were a train, it would be a cryptoagility train with the destination quantum readiness. All aboard!

Quantum computers are on the not-too-distant horizon, and they will be capable of breaking the underlying public key cryptography and public key infrastructure (PKI) at the core of every secure information exchange and transaction conducted today. This will jeopardize enterprises’ and individuals’ most sensitive information. Imagine the authentication and validation that occur behind the scenes for every purchase on Amazon, every classified email sent from the US Department of Defense (DoD) and every password validation to a bank account.

The quantum threat to public encryption is enormous. General applications that rely on current cryptography for security include intelligence, communication, administration, command and control, automation, governance, diplomacy, law enforcement, science, engineering, manufacturing, finance, commerce, advertising, and entertainment.

“An intelligence adversary with the right kind of machine could potentially break RSA, decrypt classified data, and forge digital signatures. All networks and applications on those networks, public and private, using vulnerable cryptography would be put at risk.”¹

A system that is vulnerable now will be at exponentially greater risk when quantum technologies arrive. Consider the impact on a nuclear plant, an autonomous vehicle or an embedded pacemaker. As an IBM researcher warns, “Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now.”²

Cryptography and Encryption: Flashing Red Lights Ahead

Quantum computers pose an unprecedented problem for the encryption and authentication processes that enterprises trust today. Cryptography is the foundation of digital trust, and a threat to cryptography is a serious threat to that trust. In today’s increasingly connected ecosystem, broken cryptography can result in unauthorized access to sensitive information, lack of control over connected devices and, potentially, great danger.

Imagine a pyramid with cryptography at every layer—the glue holding everything together (figure 1). Today’s exploits generally happen in the top layers: through the negligent actions of users and administrators and, of course, threat actors. With quantum computing, the most trusted element—PKI cryptography, which is the foundation of identity/trust infrastructure—becomes easier to attack. For many years, this foundation has been safe, with few changes required. PKI could be trusted, and there was no need to monitor its integrity. Quantum computing makes this trusted element vulnerable for the first time—an unprecedented threat. This could wreak havoc on trust infrastructures in every industry and sector, including government, military, energy, aviation, financial services and automotive.

Waiting for the development of large-scale quantum computers and for quantum tech to mature could mean that organizational change will occur too late, especially when it comes to government agencies and national security. “Such a revolutionary method of computing offers a whole new set of military and scientific possibilities—as well as challenges.”³

Are We There Yet?

The US National Institute of Standards and Technology (NIST),⁴ the American National Standards Institute (ANSI), and other industry experts are estimating that quantum technology will be capable of breaking current cryptography by 2030. Industry heavyweights including IBM research speculate that quantum technology will hit even earlier, in a little more than five years.⁵

A SYSTEM THAT IS VULNERABLE NOW WILL BE AT EXPONENTIALLY GREATER RISK WHEN QUANTUM TECHNOLOGIES ARRIVE.

To prepare for the future, enterprises must take proactive measures to protect their data and systems. The goal is to realize all the benefits of quantum technology without compromising data and system security. NIST’s National Cybersecurity Center of Excellence (NCCoE) has already implemented several practices “to ease the migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks.”⁶

NIST is currently undergoing a “selection round” for its postquantum cryptography program, wherein they will select a suite of postquantum algorithms to standardize.⁷ After spending more than three years⁸ examining new approaches to encryption and data protection that could defeat an assault from a quantum computer, NIST has winnowed the 69 submissions it initially received down to a final group of 15, which will enter the selection round to eventually form the core of the first postquantum cryptography standard.

What can enterprises do now to strengthen and future-proof their cryptographic infrastructures? The answer lies in cryptoagility. Preparing for quantum computing requires more than simple migration. In fact, the migration itself will take years of planning, especially for enterprises with large, complex PKIs and mission-critical information such as the DoD and large corporate enterprises such as Amazon. Bridging the gap between current and quantum-safe security requires a new approach. Many enterprises are looking to adopt a cryptoagile posture without a wholesale disruption of existing systems, standards and end users.

There is a cryptoagile methodology for creating an enhanced X.509 digital certificate that simultaneously contains two sets of cryptographic subject public keys and issuer signatures.⁹ Enhanced X.509 certificates are compliant with industry standards and enable enterprises to seamlessly transition their infrastructures and systems to a quantum-safe state in phases, while maintaining full backward compatibility with legacy systems. Enterprises can perform a gradual migration by upgrading their most critical, at-risk assets in stages.

Consider cars, airplanes, satellites and energy grids. These durable, critical devices are highly vulnerable to attack because they have long in-field lives. They will require software updates and updated certificates to understand next-generation quantum-safe encryption. Imagine a state-sponsored attacker hacking into a satellite system and tricking it into accepting its own malicious code instead of the authentic update. Long-life devices need to be agile and capable of handling whatever cryptographic changes come their way. Security measures need to be future-proofed, beginning right now.

The unknown is where enterprises are most vulnerable. Enterprises need to know what is at risk and where threats are lurking. When it comes to quantum preparedness, a good first step for organizations is to inventory existing systems and locate and identify what type of cryptography is used, where it is deployed and whether it is vulnerable to future threats.

Quantum Migration Urgency

To determine the urgency of quantum migration, it is important to ask these questions:

• How many years does the device need to be secured?
• How long does the information need to remain confidential?

If the answer to either question is seven or more years (e.g., jet engines, pacemakers, cars), it is necessary to start preparing for quantum migration immediately. If an enterprise manages a device that requires mission-critical security, including PKI and digital certificates, hardware security modules (HSMs), or physically embedded roots of trust, it is also necessary to start preparing for quantum migration as soon as possible.

“It is critical to begin planning for the replacement of hardware, software, and services that use public-key algorithms now so that the information is protected from future attacks.”^{10, 11} For example, the following segments have high-stakes security requirements:

• Critical infrastructure, including energy and satellites
• Military
• Automotive industry
• Airline industry
• Financial services

Because of the real risk posed by quantum computing—and despite its uncertain arrival time—many chief information officers (CIOs) and chief information security officers (CISOs) have tasked their information systems (IS), IT or cryptography teams with investigating the threat and recommending a mitigation strategy.

LONG-LIFE DEVICES NEED TO BE AGILE AND CAPABLE OF HANDLING WHATEVER CRYPTOGRAPHIC CHANGES COME THEIR WAY.

How to Begin the Quantum Migration Journey

Enterprises should take six steps to prepare their IT ecosystems for the quantum migration journey:

1. Research—Conduct research to determine how large-scale quantum computing will impact public key cryptography and how it will impact the enterprise.
2. Catalog—Perform a search to determine where cryptography is located and how it is used in the enterprise.
3. Prioritize—Identify and prioritize high-value assets for migration.
4. Strategize—Collaborate with the internal team to build a strategy and create a migration plan.
5. Partner—Look for tools and partners. Share the enterprise’s needs with key vendors to ensure that their objectives align.
6. Plan—Allow enough time to plan a strategy and prepare an attack. Starting early will help mitigate risk.

As standards bodies, government agencies and research centers weigh in on quantum computing’s threat to encryption, the best bet is to start planning and preparing with cryptoagile solutions for the journey ahead.

Endnotes

¹ Lindsay, J. R.; “Surviving the Quantum Cryptocalypse,” Strategic Studies Quarterly, Summer 2020, p. 49–73, https://www.airuniversity.af.edu/Portals/10/SSQ/documents/Volume-14_Issue-2/Lindsay.pdf
² Foremski, T.; “IBM Warns of Instant Breaking of Encryption by Quantum Computers: ‘Move Your Data Today,’” ZDNet, 18 May 2018, https://www.zdnet.com/article/ibm-warns-of-instant-breaking-of-encryption-by-quantum-computers-move-your-data-today/
³ Routh, A.; J. Mariani; A. Keyal; S. Buchholz; “Preparing for the Coming Quantum World (Pragmatically),” Nextgov, 12 June 2020, https://www.nextgov.com/ideas/2020/06/preparing-coming-quantum-world-pragmatically/166089/
⁴ Chen, L.; S. Jordan; Y-K Liu; D. Moody; R. Peralta; R. Perlner; D. Smith-Tone; Report on Post-Quantum Cryptography, National Institute of Standards and Technology (NIST), USA, April 2016, https://nvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.8105.pdf
⁵ Op cit Foremski
⁶ National Cybersecurity Center of Excellence (NCCoE), “Crypto Agility: Considerations for Migrating to Post-Quantum Cryptographic Algorithms,” National Institute of Standards and Technology, USA, https://www.nccoe.nist.gov/projects/building-blocks/post-quantum-cryptography
⁷ National Institute of Standards and Technology (NIST), “NIST’s Post-Quantum Cryptography Program Enters ‘Selection Round,‘” USA, 22 July 2020, https://www.nist.gov/news-events/news/2020/07/nists-post-quantum-cryptography-program-enters-selection-round
⁸ National Institute of Standards and Technology, “NIST Asks Public to Help Future-Proof Electronic Information,” USA, 20 December 2016, https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information
⁹ ISARA, “Managing Cryptographic and Quantum Risk”
¹⁰ Op cit NIST
¹¹ Lucier, P.; “Six Steps to Start Readying for Quantum,” ISACA, 10 August 2020, https://www.isaca.org/resources/news-and-trends/industry-news/2020/six-steps-to-start-readying-for-quantum

Paul Lucier

Is vice president of sales, business development and marketing at ISARA Corporation. He has spent more than 20 years in the field of information and communications technology, opening up new global markets in Africa, Europe, the Middle East, North America and Russia; streamlining operations; managing teams; and directing sales and business development growth. His expertise is networking and navigating successful sales in the US government, specifically the US Department of Defense.