Cryptography is dying—long live cryptography

 

By April H. Burghardt

Enterprise data is only safe if encryption is working, yet cryptography in the enterprise is routinely taken for granted and rarely evaluated or checked. 

As the digital landscape continues to evolve and the age of quantum computing nears, the need for hardened cryptographic solutions in organizations has become more critical than ever. 

With the ongoing advancements of mathematics and computing, the long-standing dependence on public key encryption (PKE) could be nearing its end, leaving inherent vulnerabilities in legacy encryption methods. But despite the fractured state of the existing cryptographic system, many decision-makers have turned a blind eye, embracing complacency as strategy when it comes to enterprise cryptography.  

The Securities and Exchange Commission’s (SEC) recent regulations, requiring organizations to disclose any major cybersecurity incidents, could catalyze a much-needed shift in perspective and prompt enterprises to take more proactive action to manage cryptographic risk by adopting more forward-thinking practices and policies.

The approach of the quantum era

Even if one disregards the quantum threat, modern cryptography suffers from everyday weaknesses like human error, poorly installed libraries, and a lack of key rotation. The list goes on. But considering the quantum era is fast approaching, there’s no escaping the need to replace legacy encryption. Simply put, organizations must deal with the complexities that modern attacks will invariably bring. The SEC regulations are just part of the iron-fist-in-a-velvet-glove approach taken by the U.S. administration to prepare national infrastructure for the post-quantum world.

Of course, when a commercial quantum computer does arrive, it will transform business and society, ushering in new medical breakthroughs, engineering feats, and technical advancements unthinkable today. But that does not mean organizations can rest on their laurels and wait it out until that day arrives. Threat agents are already leveraging sophisticated tools at scale and embracing quantum technologies to compromise systems, networks, and data.

For its part, the government has started taking an active role in preparing and protecting federal networks for these uncertain, quantum times. Beyond the SEC, mandates like National Security Memorandums 8 and 10 and the passing of the Quantum Computing Cybersecurity Preparedness Act (H.R. 7535) already require the adoption of quantum-resistant algorithms by all federal agencies. Government suppliers and partners will soon be under pressure to match these requirements.

But with such promise comes a mammoth security challenge. A quantum computer will have the power to break today’s encryption standards, creating an unprecedented threat to the security of our nation, global economy, and digital infrastructure. What makes this a complex issue is how many organizations still do not know what type of encryption they are using.

As a starting point, cryptographic clarity will be critical in the coming years as enterprises make the challenging transition from quantum-vulnerable PKE to National Institute of Standards and Technology (NIST)-backed post-quantum cryptography (PQC). Having complete visibility of existing cryptographic systems and processes has now become non-negotiable in preparing the modern business for a future-proof security stance.

To put the magnitude of the problem into perspective, PKE enables more than 4.5 billion internet users to securely access 200 million websites and engage in $3 trillion of retail ecommerce annually. Clearly, there’s much at stake.

Understand the security standards

NIST has sponsored the PQC project to determine the standards and migration guidelines needed to augment and ultimately replace asymmetric key encryption methods. But organizations simply cannot take their eye off the proverbial post-quantum compromise fastball heading into their strike zone.

History shows that past cryptographic transitions are difficult and can take years to complete. For example, it took more than 20 years for the Advanced Encryption Standard (AES), selected as a federal government standard in 2002, to completely replace the Data Encryption Standard (DES) and 3DES, which had been the gold standard since 1977, much like RSA-2048 is today.

The PQC migration will be a major undertaking and require the largest global cryptographic transition in the history of computing. NIST warns another 5 years to 15 years will be needed after final standards are published (expected in 2024) for a full transition to be complete. This means organizations that don’t begin to act now could be putting their critical systems and long-duration data at risk of compromise.

 

Building the foundation for a quantum future

Gartner has highlighted how boards of directors are willing to accept greater risk in expanding product lines, transforming ways of working, and entering new markets. But as has been made clear by the SEC regulations, neglecting fiduciary duties when it comes to cyber defenses can now have much more significant and public consequences.

We live in a time when enterprise security has never been so complex. Government enforcement of data security standards and required reporting of cybersecurity risks and incidents, along with shareholder derivative action, have intensified after each headline-making breach. The added oversight required by the SEC will introduce significant complexities to reporting and necessitate that organizations work harder to keep their infrastructure secure. Cryptography can no longer be ignored or taken for granted. 

Corporate governance should include cryptographic risk management and quantum preparedness as a component of data security and risk mitigation. Officers and directors need to take proactive measures to mitigate the risk of both present-day cryptographic vulnerabilities and a quantum-crypto assault. Here’s why:

    Cryptography suffers daily from single points of failure, e.g., bugs, leaked keys, weak entropy sources.

    A quantum computer may be available before PQC standards are finalized and fully implemented. There is no guarantee that the selected cryptographic standards will not be broken by adversaries or vulnerable to implementation errors. More work must be done to provide adequate redundancies through cryptodiversification as a proactive measure of bolstering cybersecurity.

    All math-based encryption standards are subject to advances in mathematics and computing power that will eventually weaken or outright break the cipher.

    “Harvest today, decrypt tomorrow” attacks are happening now.

    Significant risk exists in cryptography outside of the cryptoalgorithms themselves, e.g., implementation errors, weak passwords, poor security hygiene practices, and skills shortages.

    Major cybersecurity breaches can have a lasting, often crippling, effect on businesses in the form of lost revenues, brand reputation, customer loyalty, and share value.

Fundamentally, the transition to quantum-safe encryption provides organizations with an opportunity to modernize their crypto infrastructure by rethinking their governance approach, especially in the wake of evolving government requirements. Now is the time to establish a Cryptographic Center of Excellence capable of driving cryptographic discovery, assessment, and validation across the enterprise—continuously and through policy. 

Start with an inward focus

Board officers and directors have a huge part to play in helping organizations plan for quantum readiness and ensure action is taken and milestones are met. The quantum promise will change how companies do business, but change is slow. The time is now to discover and prioritize cryptographic risk and to understand the security implications of quantum computers and plan accordingly.

Here are several recommendations to empower leadership with the insights necessary to discuss, debate, and ultimately execute on quantum readiness:

    Large, legacy systems are fraught with old and outdated cryptographic standards that are still in use years after they’ve been deemed unfit for purpose. An extensive internal audit must be prioritized to identify these weak points, along with weakly signed or expired certificates.

    Security teams must practice cryptoagility and inject significant redundancies across their infrastructure real estate through diversification and the adoption of quantum-safe cryptography.

    Organizations need to combine today’s proven and certified cryptography (e.g., FIPS) with tomorrow’s quantum-safe crypto by implementing candidate PQC algorithms and/or a FIPS 140-2 and 140-3 certified, quantum-safe management platform.

    Protect critical, long-duration data with quantum-enhanced keys to avoid harvesting attacks.

    Get to know and understand your partners’ cryptographic risk management and quantum-crypto strategy to ensure they are quantum-ready.

    Don’t wait. Organizations must focus on risk remediation, maintaining compliance, enforcing policies, and improving their overall security posture through proactive cryptographic risk assessment and policy control. 

Fortunately, there are good third-party validated, technology-independent, vendor-agnostic solutions available today that will work with existing cryptographic infrastructures and investments to make them immediately quantum safe.

Of course, the quantum threat is very real. But what remains concerning is the weakening of existing cryptography due to a lack of awareness, planning, board oversight, and accountability. But this will change as organizations feel the pressure from an evolving regulatory environment to start investing in protecting their most valuable assets from the risks brought by the continued advancement of mathematics and computing.

April H. Burghardt is chief marketing and communications officer at Quantum Xchange.

Fast Company
