IT Security

Don’t kick the Q-Day can down the road

by Mark Rowe

Traditional cryptography will soon be obsolete, says David Warburton, Director, F5 Labs Threat Research.

While computer scientists believe Q-Day, the day from which quantum computers will be able to break classical encryption systems, is still four to five years away, businesses can no longer afford to procrastinate on quantum-readiness strategies. Malicious actors aren’t sitting on their hands. They are already harvesting data, credentials, API keys and other sensitive corporate information, with a view to decrypting it once quantum computing matures.

Whereas classical computers would take millions of years to factor the large numbers employed by current cryptographic algorithms, the next generation of quantum computers could factor these numbers in a matter of hours.

Don’t be fooled into thinking there are more urgent security issues to address or that upgrading cryptography is a technical problem that can be handled by IT vendors or systems integrators. Preparing for Q-Day should be a strategic priority for any business or public sector organisation. Adopting quantum-resistant algorithms to secure sensitive data today is critically important to maintain customer trust in the future. In practice, that means making a holistic transition to post-quantum cryptography (PQC) now.

Wait and see isn’t a viable strategy

In some sectors, particularly those which are more heavily regulated such as financial services, many businesses appear to be waiting for regulators to tell them what to do. But Q-Day preparation is far more than a compliance issue; it’s a reputation issue and even a business continuity issue – a major data hack could paralyse an organisation, as customers and other stakeholders rush for the exit.

If businesses don’t prepare in time, Q-Day could even result in a trust apocalypse. Although that might sound like hyperbole, quantum computers could be used to decrypt sensitive communications, forge certificates and bypass digital signatures, causing widespread havoc. For example, a fraudster could create a fake certificate that fools your web browser into thinking it is visiting a legitimate e-commerce website and then entice you to input payment card details. Forging of digital certificates would also make it easy for malicious actors to distribute malware that bypasses antivirus defences or impersonate any digital identity.

Unfortunately, transitioning to PQC isn’t a simple, one-time switch. As Gartner points out, preparing for PQC will require more work than Y2K did. Making the transition will require careful planning, testing and ultimately crypto agility – the ability to quickly adopt new cryptographic algorithms as required. As the lift involved will be exacerbated by serious cryptography skill shortages, there is a real danger that many organisations will be underprepared for Q-Day.

Cryptography is everywhere

One of the biggest challenges is “crypto sprawl” – most organisations are using cryptography from many different vendors in many different places, spanning both on-premises servers and cloud services, and production and pre-production/test systems. In large enterprises, built through mergers and acquisitions, crypto sprawl can be particularly severe.

Furthermore, crypto sprawl is an issue across both organisational IT systems and the devices they connect to. While most web browsers now support PQC, many Internet of Things devices, smart card readers and other access systems do not. Some of these devices may not support over-the-air updates.

In most cases, developers have implemented cryptography on an ad-hoc basis – there is no central log or record of what systems are being used where. Moreover, digital certificates are often hardcoded directly into a software application or device, making them difficult to alter. These issues are compounded by the fact that DevSecOps teams generally don’t understand cryptography, while older, more knowledgeable engineers have either retired or are fully occupied supporting legacy systems.

Where to start and what to prioritise

How do you begin to prepare for Q-Day? The first step is to set up a dedicated team to create a cryptographic bill of materials, which logs the libraries, certificates and keys that all your different systems are using. Unfortunately, much of this work will need to be done manually, as automated tools capable of fully auditing an organisation’s cryptography simply don’t exist. A large organisation should allow up to a year to build a cryptographic bill of materials.

When it comes to implementing PQC, it is important to start by protecting mission-critical applications and data with a lengthy cover time – data that will still be sensitive, and therefore valuable to hackers, post-2029. Some data, such as health records, could have an open-ended cover time, whereas other data, such as credit card numbers, could have a cover time of less than a few years.
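The two steps above, inventorying certificates and keys into a cryptographic bill of materials and then ranking them by cover time, can be scripted for the certificate portion of the inventory. The following Go program is an added example, not code from the article or from F5; it uses only the standard library (crypto/x509 parses the certificates). The system names, cover times and the 2029 Q-Day planning horizon are assumptions, and the certificates are self-signed throwaways minted in-process so the example runs offline. Every classical public-key scheme it recognises (RSA, ECDSA, Ed25519) is flagged as quantum-vulnerable, and an entry whose data stays sensitive past the horizon is ranked "high", which is the harvest-now-decrypt-later case the article describes.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// QDayYear is an assumed planning horizon (the article puts Q-Day four to five years out).
const QDayYear = 2029

// SystemCert is one inventory input: a system, the PEM certificate it presents,
// and how many years the data it protects stays sensitive (its cover time).
type SystemCert struct {
	Name       string
	PEM        []byte
	CoverYears int
}

// CBOMEntry is one row of the cryptographic bill of materials.
type CBOMEntry struct {
	System, Subject, KeyAlgo, SigAlgo string
	KeyBits                           int
	NotAfter                          time.Time
	QuantumRisk                       bool   // public-key scheme broken by Shor's algorithm
	Priority                          string // "high", "medium" or "low"
}

// Classify parses one PEM certificate, records what it uses and scores it.
func Classify(sc SystemCert, now time.Time) (CBOMEntry, error) {
	block, _ := pem.Decode(sc.PEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return CBOMEntry{}, fmt.Errorf("%s: no CERTIFICATE block", sc.Name)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CBOMEntry{}, fmt.Errorf("%s: %w", sc.Name, err)
	}
	e := CBOMEntry{System: sc.Name, Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter,
		KeyAlgo: cert.PublicKeyAlgorithm.String(), SigAlgo: cert.SignatureAlgorithm.String()}
	switch k := cert.PublicKey.(type) { // every classical scheme here falls to Shor's algorithm
	case *rsa.PublicKey:
		e.KeyBits, e.QuantumRisk = k.N.BitLen(), true
	case *ecdsa.PublicKey:
		e.KeyBits, e.QuantumRisk = k.Curve.Params().BitSize, true
	case ed25519.PublicKey:
		e.KeyBits, e.QuantumRisk = 256, true
	}
	switch { // data still sensitive after Q-Day behind a vulnerable key is the harvest-now case
	case e.QuantumRisk && now.Year()+sc.CoverYears > QDayYear:
		e.Priority = "high"
	case e.QuantumRisk:
		e.Priority = "medium"
	default:
		e.Priority = "low"
	}
	return e, nil
}

// BuildCBOM classifies every inventoried system, in input order.
func BuildCBOM(systems []SystemCert, now time.Time) ([]CBOMEntry, error) {
	rows := make([]CBOMEntry, 0, len(systems))
	for _, sc := range systems {
		e, err := Classify(sc, now)
		if err != nil {
			return nil, err
		}
		rows = append(rows, e)
	}
	return rows, nil
}

// selfSignedPEM mints a throwaway self-signed certificate so the example runs offline.
func selfSignedPEM(cn string, priv crypto.Signer) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory builds three constructed systems; names and cover times are assumptions.
func SampleInventory() []SystemCert {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, edKey, _ := ed25519.GenerateKey(rand.Reader)
	return []SystemCert{
		{"payments-gateway", selfSignedPEM("pay.example.test", rsaKey), 2}, // card numbers: short cover time
		{"patient-portal", selfSignedPEM("ehr.example.test", ecKey), 30},   // health records: decades
		{"badge-reader-fw", selfSignedPEM("door.example.test", edKey), 10}, // certificate hardcoded in a device
	}
}
```

Calling `BuildCBOM(SampleInventory(), time.Now())` and printing each row gives the inventory: the RSA-2048 payments certificate comes out "medium" because its two-year cover time ends before the horizon, while the patient portal and the badge reader, whose data outlives 2029, come out "high". In a real run the PEM inputs would come from the systems being audited rather than from `SampleInventory`, and the cover time would be a business decision recorded per system, not a property the certificate carries.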

You should also prioritise legacy platforms, such as those that don’t support TLS 1.3, the most secure version of the Transport Layer Security protocol and the one needed to enable PQC ciphers. It is also important for developers to integrate strong certificate lifecycle management and crypto agility into their continuous integration/delivery pipelines.

In highly resource-constrained organisations, such as those in the public sector, PQC could be implemented in tandem with other IT upgrades. For example, if you are upgrading your web application and API protection (WAAP) or your identity and access management systems, upgrade the related encryption to PQC at the same time. To maintain the trust of customers and citizens, quantum-safe identity and access solutions will be an absolute must.

In summary

Preparing for Q-Day is both a strategic priority and a time-intensive and resource-intensive exercise. Don’t put it off: the sooner you start, the better your chances of protecting your organisation’s reputation.