Quantum Threats Are Closer Than You Think


The era of commercially available quantum computers capable of compromising today’s cryptography may not be fully upon us yet, but it is approaching faster than many believe. It is crucial for organizations to consider quantum threats now, not after they become a present danger. The coming of the quantum era has troubling implications for cybersecurity, especially if organizations do not adequately prepare for it in the intervening years.

Global market research company Forrester recently published a report highlighting the importance of early investment in quantum security. The firm estimates the horizon of quantum threats to be five to ten years away, making now the best time to consider what it will mean for cybersecurity and how to prepare for it. The report outlines the risks of quantum threats, the advantages of protecting against them today, and guidance for doing so.

Quantum Security: Not Hype, But Urgent Reality

With a timeline of up to a decade, it can be tempting to assume that current talk of quantum threats is simply excitement or fearmongering about something that is not yet a pressing issue. This, however, is a myth; concerns about quantum security are far from premature. Attackers may not yet be able to reliably leverage quantum computing to crack current advanced cryptography, but they are laying the groundwork for the advent of the quantum era.

Even without access to quantum decryption technology, threat actors are able to use a “harvest now, decrypt later” approach to strongly encrypted data. If they can steal encrypted files and keep them in reserve until quantum decryption technology is available to them, they can achieve massive payouts down the line. This means that quantum threats already pose a clear and present danger to the sensitive information that organizations store today.

Key Findings from Forrester’s Research

According to Forrester, commercial quantum computers capable of breaking asymmetric cryptography are expected to emerge over the next five to ten years. As quantum computing evolves and becomes available for common use, threat actors and security professionals alike will be attempting to navigate it and leverage it to their advantage. Quantum security depends on a variety of factors that will continue to develop during and after that time, including technological capabilities, regulations and standards, and market shifts.

As quantum threats can pose a variety of risks, it is necessary to treat quantum security with a multifaceted approach and maintain an ecosystem of different measures to address it. Quantum security includes a range of tools and practices for securing systems and resources against quantum threats, such as quantum-resistant key exchange and digital signatures, key generation and management, cryptographic algorithm discovery and inventory, certificate management and crypto agility, and quantum key distribution (QKD).

Areas of Security Most Impacted by Quantum Threats

Quantum threats could be a danger in various cybersecurity areas. Many fundamental cybersecurity measures and practices depend on strong encryption to protect sensitive resources against theft and exploitation by threat actors. With access to quantum computing technology for decryption, attackers could severely compromise both asymmetric and symmetric encryption methods currently in use by many organizations.

Modern identity and access management (IAM) systems, including certificate and key management as well as authentication mechanisms, rely on encrypting data to protect against unauthorized access to critical systems. Data encryption is a crucial part of protecting against data theft, leakage, and extortion, providing a layer of defense to prevent attackers from accessing sensitive information even if they are able to compromise files. Secure communications protocols like Transport Layer Security (TLS) are also essential for protecting vital business communications against hacking and surveillance. All of these areas could be significantly impacted by quantum threats endangering the cryptographic protocols currently in use.

Why Crypto Agility Is Critical

Crypto agility refers to the necessary technological and procedural capabilities for the smooth replacement and adaptation of cryptographic algorithms. A crypto agility strategy is built to ensure that cryptographic protocols can be upgraded and switched out to maintain resiliency over time without interrupting the system’s flow or security. Fortifying crypto agility to build a security architecture that’s future-proof and quantum-ready is one of the most important considerations in preparing for quantum threats.

Best practices for crypto agility include inventorying current cryptographic assets, developing a migration plan for post-quantum cryptography, and ensuring robust certificate lifecycle management. Using cryptographic methods that can adapt to new advances and threats requires visibility and understanding of all cryptographic assets in use. Fostering crypto agility means not only investing in dynamic cryptographic technologies but also actively and proactively preparing for coming shifts in the security landscape, such as advances in quantum computing.

The Urgency for Security & Risk Professionals

Despite the five-to-ten-year timeline, which sounds almost leisurely in light of the rapidly shifting technological and threat landscape, it is crucial for security professionals to make quantum security a priority today. Waiting is not an option if organizations wish to protect long-life data against catastrophic exploitation a few years down the line. The era of commercially available quantum threat technology will come on quickly, and the time to prepare for it is now.

The trajectory of regulations and standards shows that quantum preparedness is not just essential for protecting against future attacks but also advantageous for demonstrating a commitment to security for current and prospective peers, partners, and consumers. “With organizations like NIST finalizing PQC deadlines, vendors will need to show their preparedness to implement these standards and help customers transition smoothly,” according to Tim Callan, Chief Compliance Officer at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). “These announcements will serve several strategic purposes, highlighting vendors' market leadership and differentiation, reinforcing their proactive stance on cybersecurity. By doing so, they are aiming to build customer confidence and ensure compliance with upcoming regulations.”

Next Steps: Building a Quantum Security Strategy

In order to build an effective quantum security strategy, organizations are encouraged to take steps today to adequately prepare for the coming quantum era. Some of the essential pillars of quantum security include:

  • Inventorying and documenting all cryptographic assets to maintain visibility and insight into impacted areas.
  • Conducting a cryptographic risk assessment.
  • Developing a quantum-readiness roadmap.
  • Engaging with vendors offering quantum-resilient solutions.
  • Staying informed on emerging threats and technologies.
  • Aligning security measures with quantum security standards and goals from cybersecurity institutions, such as NIST’s Post-Quantum Cryptography Standardization or the UK National Cyber Security Centre’s proposed timeline for post-quantum migration.
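An illustration of the first two pillars, added here and not taken from the article or the Forrester report: a triage pass over a constructed inventory that flags algorithms breakable by Shor's algorithm and rates them with Mosca's inequality (data shelf life plus migration time versus the five-to-ten-year horizon). Asset names, lifetimes and rating labels are assumptions.

```python
from dataclasses import dataclass

# Families resting on factoring or discrete logs, which Shor's algorithm breaks.
SHOR_BROKEN = ("RSA", "ECDSA", "ECDH", "DSA", "DH", "ED25519", "X25519")
# NIST post-quantum standards: FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA).
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")
ORDER = ["critical", "high", "scheduled", "reduced-margin", "unknown", "adequate", "pqc"]

@dataclass
class Asset:
    name: str
    algorithm: str          # as recorded in the inventory, e.g. "RSA-2048"
    shelf_life_years: int   # how long the protected data must stay confidential
    migration_years: int    # estimated time needed to replace the algorithm

def family(algorithm):
    alg = algorithm.upper()
    if any(p in alg for p in PQC):       # checked first so hybrids count as PQC
        return "pqc"
    if alg.startswith(SHOR_BROKEN):
        return "quantum-vulnerable"
    if alg.startswith("AES-128"):        # Grover roughly halves effective key strength
        return "reduced-margin"
    if alg.startswith("AES-256"):
        return "adequate"
    return "unknown"

def assess(asset, horizon=(5, 10)):
    """Mosca's inequality: exposed if shelf life + migration time > time to quantum."""
    fam = family(asset.algorithm)
    if fam != "quantum-vulnerable":
        return fam
    exposure = asset.shelf_life_years + asset.migration_years
    if exposure > horizon[1]:
        return "critical"    # exposed even if quantum arrives at the late end
    if exposure > horizon[0]:
        return "high"        # exposed if quantum arrives at the early end
    return "scheduled"

def triage(assets):
    rated = [(a.name, assess(a)) for a in assets]
    return sorted(rated, key=lambda r: ORDER.index(r[1]))

# Constructed sample inventory (hypothetical assets, not from the article).
INVENTORY = [
    Asset("public-web-tls", "RSA-2048", 1, 1),
    Asset("disk-encryption", "AES-256", 10, 1),
    Asset("hr-archive-backup", "RSA-4096", 7, 1),
    Asset("pilot-kex", "X25519+ML-KEM-768", 10, 0),
    Asset("vpn-gateway", "ECDH-P256", 10, 2),
    Asset("legacy-db-tde", "AES-128-GCM", 5, 2),
]

if __name__ == "__main__":
    for name, rating in triage(INVENTORY):
        print(f"{rating:15} {name}")
```

Long-lived data behind quantum-vulnerable key exchange rises to the top because it is the material a “harvest now, decrypt later” collector benefits from most.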

Preparing Today for Tomorrow’s Quantum Threats

Many do not yet consider quantum threats an immediately pressing issue, and a timeline of five to ten years has made some complacent about a coming risk that is already influencing attack tactics today. The era of commercially available quantum technology will arrive faster than you may expect, and it is absolutely vital to begin preparing for it and hardening security against quantum threats now. Leading security professionals and institutions play a critical role in driving crypto agility and future-proof security architectures, and organizations are encouraged to follow expert advice in planning and implementing a quantum security strategy.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.