Quantum Security - US Companies Must Prepare by 2030
Basically, companies need to upgrade their security before quantum computers can break current encryption.
US companies are urged to prepare for quantum threats by 2030. With quantum computers on the rise, encrypted data is at risk. A hybrid security approach can mitigate these risks effectively.
What Happened
In a recent discussion, infrastructure and application leaders were asked about their reliance on RSA or elliptic curve cryptography. The results revealed that cryptography is embedded in many unexpected places, including API gateways and service meshes. This realization underscores the urgency for companies to address quantum threats now, rather than waiting for the technology to arrive.
Hackers are already stealing encrypted data with the intent to decrypt it later using quantum computers. This means that any sensitive information, such as personal data or proprietary information, could be at risk if companies do not act promptly. The shift in focus needs to be from a distant concern to an immediate priority, as the 2030 deadline approaches rapidly.
Why It Matters
The timeline for transitioning to quantum-resistant encryption is compressed by several factors. First, the risk of data being harvested and decrypted later is real, meaning companies must consider the longevity of their data's confidentiality. Second, government regulations are evolving, with the National Security Agency setting expectations for quantum-resistant algorithms by 2030. Lastly, the complexity of migrating cryptographic systems means that waiting until the last minute is not an option.
By adopting a hybrid approach now, organizations can integrate post-quantum algorithms alongside existing ones, allowing for a smoother transition. This proactive stance will help avoid the chaos that often accompanies last-minute changes in technology.
What to Watch
A hybrid strategy uses a classical and a post-quantum algorithm together, so that a connection stays protected as long as at least one of the two remains unbroken. For example, combining classical algorithms with new post-quantum methods in TLS connections can provide a safeguard against future vulnerabilities. The IETF is already working on standardizing these hybrid approaches, which will be crucial for enterprises as they prepare for the quantum era.
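The following added example (not code from the article, the IETF drafts or any TLS library) shows the two mechanics a hybrid TLS key exchange rests on: negotiating a named group with hybrid groups preferred and classical fallback, and concatenating the post-quantum and classical shared secrets before they enter an HKDF-based key schedule. The group names, preference lists and concatenation order are assumptions for illustration, and the component secrets are constructed byte strings standing in for real ECDH and ML-KEM outputs.

```python
"""Hybrid key-exchange negotiation and secret combination for a TLS-style handshake.

Added example, not code from the article, the IETF drafts or any TLS library.
The component shared secrets are constructed byte strings standing in for an
ECDH output and an ML-KEM decapsulation output; the group names, preference
lists and concatenation order are assumptions for illustration.
"""
import hashlib
import hmac

# Named groups a hypothetical TLS stack offers (assumed names). A hybrid
# group lists two component key exchanges, a classical group lists one.
# The IETF hybrid design concatenates the component secrets; the order is
# defined per named group, and this example fixes PQ-first for both hybrids.
GROUPS = {
    "X25519MLKEM768": ("ML-KEM-768", "X25519"),
    "SECP256R1MLKEM768": ("ML-KEM-768", "P-256"),
    "X25519": ("X25519",),
    "P-256": ("P-256",),
}


def is_hybrid(group):
    return len(GROUPS[group]) == 2


def negotiate_group(client_prefs, server_supported):
    """Return the first client-preferred group the server also supports.

    Listing hybrid groups first on the client makes the hybrid win whenever
    both sides have it and falls back to classical otherwise; None means no
    overlap, so the handshake fails instead of silently downgrading.
    """
    for group in client_prefs:
        if group in server_supported:
            return group
    return None


def combine_secrets(group, component_secrets):
    """Concatenate the component secrets in the group's declared order.

    For a hybrid group the result is ss_pq || ss_classical. An attacker who
    later breaks the classical part (for example with a quantum computer)
    still lacks ss_pq, so the derived keys stay unpredictable.
    """
    parts = []
    for component in GROUPS[group]:
        secret = component_secrets[component]
        if not secret:
            raise ValueError(f"empty shared secret for {component}")
        parts.append(secret)
    return b"".join(parts)


def hkdf_extract(salt, ikm):
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_handshake_key(group, component_secrets, transcript_hash):
    """Feed the combined secret into an HKDF-based schedule, as TLS 1.3 does.

    Binding the transcript hash (which covers the negotiated group) into the
    derivation means a tampered group selection yields different keys on each
    side, and the handshake fails.
    """
    shared = combine_secrets(group, component_secrets)
    prk = hkdf_extract(b"\x00" * 32, shared)
    return hkdf_expand(prk, b"hybrid handshake demo" + transcript_hash, 32)


if __name__ == "__main__":
    client_prefs = ["X25519MLKEM768", "X25519"]
    for server in ({"X25519MLKEM768", "X25519"}, {"X25519", "P-256"}):
        chosen = negotiate_group(client_prefs, server)
        print(chosen, "hybrid" if is_hybrid(chosen) else "classical")
    # Constructed stand-ins for the two component shared secrets.
    secrets = {"ML-KEM-768": b"\x11" * 32, "X25519": bytes(range(32))}
    transcript = hashlib.sha256(b"constructed handshake transcript").digest()
    print(derive_handshake_key("X25519MLKEM768", secrets, transcript).hex())
```

The design point worth noting is that nothing in the combiner is "either/or": both secrets are always present in the input to the KDF, which is why the hybrid does not weaken the classical guarantee while the post-quantum scheme is still young.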
Organizations should begin by assessing their current cryptographic dependencies and identifying areas where they can implement hybrid solutions. This includes internal service communications and VPNs, which are more manageable than external customer-facing systems.
Recommended Actions
To effectively prepare for quantum threats, companies should take several steps:
- Build a Cryptography Inventory: Identify where cryptography is used across systems and map it to data classes.
- Select Early Migration Areas: Focus on internal systems that can be controlled end-to-end for initial hybrid implementations.
- Establish a Hybrid-Ready Lab: Create a testing environment to measure performance impacts and ensure rollback capabilities.
- Upgrade for Crypto Agility: Standardize on modern TLS stacks and ensure that cryptographic choices are configurable.
- Run a Limited Hybrid Pilot: Test hybrid solutions in a controlled setting to gather data and refine processes.
- Incorporate Post-Quantum Requirements in Procurement: Ensure that future contracts account for the need for quantum-ready solutions.
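As an added example of the first two steps above (the cryptography inventory mapped to data classes, and the choice of early migration areas), and not a tool from the article or any vendor, the script below triages constructed inventory rows: it sorts each use of cryptography by whether a quantum computer would break it, whether the data it protects must stay confidential past the 2030 date the article cites (the harvest-now-decrypt-later case), and whether the path is internal or depends on an outside party. The column names, the assumed current year and the priority scheme are the author's own assumptions for illustration, not a standard.

```python
"""Cryptography inventory triage for post-quantum migration planning.

Added example, not code from the article or any vendor tool. The inventory
rows are constructed; the column names, the assumed current year and the
priority scheme are assumptions, and 2030 is the deadline the article cites.
"""
import csv
import io

DEADLINE_YEAR = 2030          # from the article
ASSUMED_CURRENT_YEAR = 2025   # assumption; pass current_year explicitly in real use

# Constructed sample inventory: one row per place cryptography was found.
SAMPLE_INVENTORY = """\
system,component,algorithm,key_bits,use,data_class,confidentiality_years,scope
payments-api,api-gateway TLS,ECDHE-P256,256,key-exchange,PII,15,external
mesh,service-to-service mTLS,X25519,256,key-exchange,internal,2,internal
vpn,site-to-site IKEv2,DH,2048,key-exchange,trade-secret,20,internal
backup,archive encryption,AES,128,symmetric,trade-secret,20,internal
logs,at-rest,AES,256,symmetric,internal,1,internal
release-signing,code signing,RSA,3072,signature,public,0,external
dev-portal,code signing,ML-DSA-65,0,signature,public,0,external
"""


def family(algorithm):
    """Map an algorithm name to the property that matters for PQ planning."""
    a = algorithm.upper()
    if a.startswith(("ML-KEM", "ML-DSA", "SLH-DSA")) or "MLKEM" in a:
        return "pq"            # standardised PQ scheme, or a hybrid containing one
    if a.startswith(("AES", "CHACHA")):
        return "symmetric"     # not broken by Shor's algorithm; key size is the lever
    if a.startswith(("RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519", "ED25519")):
        return "classical-pk"  # public-key schemes a large quantum computer would break
    return "unknown"


def triage(row, current_year=ASSUMED_CURRENT_YEAR, deadline=DEADLINE_YEAR):
    """Return (priority, rationale); 0 is the most urgent."""
    fam = family(row["algorithm"])
    # Data that must stay secret beyond the deadline is exposed to
    # harvest-now-decrypt-later even though nothing is broken today.
    long_lived = current_year + int(row["confidentiality_years"]) > deadline
    if fam == "pq":
        return 3, "already quantum-resistant; keep it enabled and monitored"
    if fam == "symmetric":
        if int(row["key_bits"]) < 256:
            return 2, "raise symmetric key size to 256 bits"
        return 3, "adequate key size"
    if fam == "classical-pk":
        if row["use"] == "key-exchange" and long_lived:
            return 0, "harvest-now-decrypt-later exposure: data must stay secret past the deadline"
        if row["use"] == "key-exchange":
            if row["scope"] == "internal":
                return 1, "early hybrid candidate: internal path controlled end-to-end"
            return 2, "needs counterparty support; put a hybrid requirement into procurement"
        return 1, "no harvest risk, but signatures must be post-quantum before a quantum computer exists"
    return 1, "unrecognised algorithm: inventory gap, investigate"


def prioritized_inventory(text, current_year=ASSUMED_CURRENT_YEAR):
    """Parse a CSV inventory and return rows sorted by migration priority."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        prio, why = triage(row, current_year)
        out.append({"priority": prio, "system": row["system"],
                    "component": row["component"], "algorithm": row["algorithm"],
                    "rationale": why})
    return sorted(out, key=lambda r: (r["priority"], r["system"]))


if __name__ == "__main__":
    for r in prioritized_inventory(SAMPLE_INVENTORY):
        print(f"P{r['priority']}  {r['system']:<16} {r['algorithm']:<12} {r['rationale']}")
```

Two things the output makes visible that a flat list of algorithms does not: the same ECDHE key exchange lands at different priorities depending on how long the data behind it must stay confidential, and a classical signature scheme is never a harvest-now-decrypt-later problem but still has a hard migration date.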
By starting these initiatives now, companies can not only enhance their security posture against quantum threats but also streamline their cryptographic practices for the future.
CSO Online