January 16, 2024 By Jai Arun 3 min read

Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.

A future cryptographically relevant quantum computer may be able to break public-key algorithms such as Rivest-Shamir-Adleman (RSA), Elliptic Curve Diffie-Hellman (ECDH) and the Elliptic Curve Digital Signature Algorithm (ECDSA), leaving sensitive information vulnerable to attacks. Even today, data not protected with quantum-safe cryptography is at risk of being stolen and stored until it can be decrypted. These are commonly called “harvest now, decrypt later” attacks.

Standards bodies worldwide have begun guiding the transition to quantum-safe cryptography — encryption algorithms based on math problems considered difficult for even a mature quantum computer to solve. In 2022, after a six-year-long submission and review process, the National Institute of Standards and Technology (NIST) selected four quantum-resistant algorithms for standardization, three of which were contributed by IBM researchers and partners. Recent guidance from NIST, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations create a quantum-readiness roadmap for transitioning to these standards, which NIST expects to publish in 2024.

While every organization, guided by its CISO, should create its own quantum-readiness roadmap, three steps are critical for every organization to undertake to become quantum-safe:

  1. Discover your cryptography
  2. Observe your cryptography
  3. Transform your cryptography

1. Discover your cryptography

The first step in the journey toward quantum-safe security is to gain a deep understanding of the vulnerabilities within the existing cryptographic infrastructure.

Discovery activities should identify at-risk cryptography and determine where the dependencies exist, translating these findings into robust cryptographic inventories. For example, IBM Quantum Safe Explorer scans source code to identify and inventory cryptography usage, formatting this information as a Cryptography Bill of Materials (CBOM) that can be shared with the software supply chain.

Cryptographic discovery should extend beyond applications to include network protocols, systems and assets, especially those that create and validate digital signatures. For third-party products, CISOs should work with their technology procurement specialists to gather information about embedded cryptography from vendors. After a thorough discovery process, CISOs might be surprised to learn how wide their quantum risk exposure is, given broad dependencies on public-key cryptography embedded within applications, networks and systems.
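As an added example (not code from the article, and not IBM Quantum Safe Explorer), the following scan runs over a few constructed source snippets, classifies each algorithm it finds as quantum-vulnerable or not, and emits a simplified CBOM-like inventory. The detection rules, file contents and output layout are assumptions for illustration, not a real CBOM schema.

```python
import json
import re

# Constructed stand-ins for files in a repository (not real project code).
SAMPLE_SOURCES = {
    "auth/tokens.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa, padding\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
    ),
    "net/tls.go": "cfg := &tls.Config{CurvePreferences: []tls.CurveID{tls.X25519}}\n",
    "sign/verify.c": "ECDSA_verify(0, digest, 32, sig, siglen, ec_key);\n",
    "storage/vault.py": "cipher = Cipher(algorithms.AES(key), modes.GCM(iv))\n",
}

# Assumed detection rules: (regex, algorithm, primitive, considered quantum-safe?).
# RSA, ECDSA and ECDH are the public-key algorithms at risk; AES and ML-KEM are not.
RULES = [
    (re.compile(r"\brsa\b", re.I), "RSA", "public-key", False),
    (re.compile(r"\becdsa\w*", re.I), "ECDSA", "signature", False),
    (re.compile(r"\b(ecdh\w*|x25519)\b", re.I), "ECDH", "key-agreement", False),
    (re.compile(r"\bAES\b"), "AES", "symmetric", True),
    (re.compile(r"\b(ml-?kem|kyber)\b", re.I), "ML-KEM", "key-encapsulation", True),
]


def scan_source(path: str, text: str) -> list[dict]:
    """Return one inventory entry per distinct algorithm found in a file."""
    entries, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), 1):
        for pattern, algo, primitive, safe in RULES:
            if algo not in seen and pattern.search(line):
                seen.add(algo)
                entries.append({"algorithm": algo, "primitive": primitive,
                                "quantum_safe": safe, "location": f"{path}:{line_no}"})
    return entries


def build_cbom(sources: dict) -> dict:
    """Assemble a simplified CBOM-like inventory with a quantum-risk summary."""
    components = []
    for path, text in sources.items():
        components.extend(scan_source(path, text))
    at_risk = [c["location"] for c in components if not c["quantum_safe"]]
    return {"components": components,
            "summary": {"total": len(components), "quantum_vulnerable": len(at_risk),
                        "at_risk_locations": at_risk}}


if __name__ == "__main__":
    print(json.dumps(build_cbom(SAMPLE_SOURCES), indent=2))
```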

2. Observe your cryptography

Once security leaders have discovered the weaknesses in their cryptographic infrastructure, the next step is to observe the potential impact and identify the necessary steps to mitigate these risks.

With a current view of cryptographic usage across the enterprise, CISOs can begin the work of cybersecurity risk assessments. This step involves working with cybersecurity and privacy managers to prioritize the sensitive and critical data sets most at risk from “harvest now, decrypt later” attacks and with the highest business value and impact. To translate these insights into a quantum-safe strategy, security leaders should weigh the business relevance of specific assets against the complexity of mitigating them, so that they can plan their quantum-safe transition in a way that optimizes performance, compatibility and ease of integration.

3. Transform your cryptography

The final step in the journey to quantum-safe security is the transformation of cryptographic infrastructure to incorporate quantum-resistant cryptography.

Before deploying quantum-safe solutions to their stack, security leaders should equip their teams with the tools and education to test the new cryptographic protocols and evaluate the potential impact on systems and performance. Quantum-safe solutions that can be updated without having to overhaul their cybersecurity infrastructure will help CISOs establish crypto-agility and ensure they can proactively and seamlessly address potential quantum vulnerabilities. Security leaders should engage vendors to determine their timeline for migrating to quantum-safe cryptography for processes, services and systems secured with quantum-vulnerable cryptography embedded in third-party products.

By following the three steps of discover, observe and transform, CISOs can assess the vulnerabilities in their cybersecurity landscape and begin implementing quantum-resistant cryptography to safeguard their organization’s data for the coming quantum computing era. The time to embark on the journey to quantum-safe security is now.
