Point of View

Get quantum-ready today, or risk a smash-and-grab on your data


CIOs and CISOs who think quantum computers are too far in the future to worry about are exposing their organizations to massive risk from smash-and-grab raids on their enterprise data. Quantum computers powerful enough to break encryption may still be years away, but it will be too late if you wait for their arrival to protect enterprise data against the threat they pose. Most standards bodies estimate a quantum computer will be capable of breaking today’s encryption standards by 2030.

Faced with 2023’s real and urgent issues, enterprises may find it difficult to focus on this mid-term threat. But the migration of IT systems to post-quantum cryptography (PQC)—algorithms secured against attacks by quantum computers—is certainly not something to put on the back burner. Transitioning thousands of devices and their associated systems, software, and applications to PQC will be a multi-year journey.

The US government took the lead role in 2022 by setting up hard deadlines to migrate IT system landscapes to PQC, with federal agencies obligated to formulate detailed transition plans and update them annually. CIOs and CISOs in the private sector should take the threat of quantum computing seriously and do the same. Deploying PQC will not be without risks and will require gradual adoption. Enterprises must start developing well-thought-out roadmaps now.

2022 was the year of legislative awakening—2023 must be the year of action

In May last year, the US government released the National Security Memorandum 10 (NSM-10), setting the goal for all federal IT to be transitioned to post-quantum cryptography by 2035. In June, the G7 announced they would cooperate on post-quantum cryptography standards. This communication confirmed that the quantum threat was an international cybersecurity issue, demonstrating its priority worldwide.

In August 2022, the Cybersecurity and Infrastructure Security Agency (CISA) urged leaders to prepare for migration. In November, the US Office of Management and Budget (OMB) followed up on NSM-10 with a memo that set hard deadlines for transitioning Federal IT to PQC. And last but not least, the Quantum Computing Cybersecurity Preparedness Act became law in December 2022, requiring the OMB to prioritize migrating to IT systems with PQC. The Act also requires the White House to create guidance on assessing critical systems once the four selected encryption algorithms become part of NIST’s post-quantum cryptographic standard, planned for 2024.

2022 was the year of “legislative awakening” on an international scale. Even if our data in Exhibit 1 demonstrates the field of quantum computing may not yet be mature, the fact that governments are engaged in collaborating with technology leaders and establishing standards confirms enterprises should pay close attention, and more should start piloting and preparing their mission-critical infrastructure for PQC.

Exhibit 1: Standards and international collaborations suggest more enterprises in the private sector will adopt quantum, moving their investments into the “pilot and prove” phase

Sample: HFS Research Pulse Study, H1 2022; 602 executives across Global 2000 enterprises
Source: HFS Research, 2023

Enterprises must wake up to the challenges that quantum computing poses to today’s cryptographic security protocols

“The calm before the storm” is the best way to describe the current enterprise climate regarding PQC readiness. Our latest cybersecurity study data in Exhibit 2 shows that only 19% of cybersecurity executives believe quantum computing will pose significant challenges to existing cryptography in the next three to five years. Eight of 10 don’t really care at the moment and will probably not rush to ask for a budget to start readiness activities. The fact that most enterprises don’t perceive quantum computing as a transformative force that will significantly impact cybersecurity should be of concern at the board level.

Quantum-based attacks are already occurring as “hack now, decrypt later” attacks. In this type of cyber-attack, hackers steal data protected by current encryption methods today, intending to decrypt it later when future quantum computers allow them to do so. The target is usually data with a long shelf life, such as banking details and medical records.

Readiness activities must start now.

Exhibit 2: Board members take note: 80% of cybersecurity executives don’t believe quantum computing will pose significant challenges to existing cryptography within five years

Sample: HFS Research Cybersecurity Pulse Study, H2 2021; 150 cybersecurity executives across Global 2000 enterprises
Source: HFS Research, 2023

Deploying post-quantum cryptography will come with challenges—start defining your roadmap to quantum safety now

Enterprises using thousands of software and service providers must plan for an orchestrated and agile migration to assess the true impact of a move to the post-quantum world.

Although we expect the formal post-quantum cryptographic standard within about two years, CISA is urging organizations to prepare for the migration by following the Post-Quantum Cryptography Roadmap recently released by the US Department of Homeland Security (DHS).

Preparation requires considerable work, such as identifying data assets and current cryptographic methods, prioritizing systems for migration, speaking to vendors for off-the-shelf systems, and testing algorithms for home-grown systems. Now is the perfect time to ask your vendors about their plans for adopting PQC.

You must become crypto-agile

To embark on such a complex and uncertain journey, CIOs and CISOs should be pragmatic and embrace “crypto-agility.” Crypto-agility describes how easy it is to transition from one algorithm to another without making major changes to an underlying infrastructure. Enterprises that achieve crypto-agility can, theoretically, easily implement and test new quantum-resistant algorithms.
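What crypto-agility looks like in code, as an added example that is not from HFS or any vendor named here: callers use one interface, every protected record carries an algorithm identifier, and a policy allow-list decides which algorithms are still accepted. The class and algorithm ids are hypothetical, and two HMAC variants stand in for the signature or key-establishment algorithms a real PQC migration would swap, because the Python standard library ships no post-quantum algorithm.

```python
import hashlib
import hmac

# Registry: algorithm id -> implementation. Adding an algorithm is one entry;
# application code never names an algorithm directly.
REGISTRY = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, "sha256").digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, "sha3_256").digest(),
}


class AgileProtector:
    """Hypothetical wrapper: 'active' protects new data, 'accepted' may still verify."""

    def __init__(self, key: bytes, active: str, accepted=()):
        unknown = ({active} | set(accepted)) - set(REGISTRY)
        if unknown:
            raise ValueError(f"unknown algorithm ids: {sorted(unknown)}")
        self.key = key
        self.active = active
        self.accepted = set(accepted) | {active}

    def protect(self, msg: bytes) -> dict:
        # The envelope records which algorithm produced the tag.
        return {"alg": self.active, "msg": msg,
                "tag": REGISTRY[self.active](self.key, msg)}

    def verify(self, env: dict) -> bool:
        alg = env.get("alg")
        # The "alg" field is untrusted input: only policy-approved ids are
        # honoured, so a retired algorithm cannot be re-selected (downgrade).
        if alg not in self.accepted:
            return False
        expected = REGISTRY[alg](self.key, env["msg"])
        return hmac.compare_digest(expected, env["tag"])

    def migrate(self, env: dict) -> dict:
        # Re-protect a legacy record under the active algorithm, but only
        # after it verifies under an algorithm that is still accepted.
        if not self.verify(env):
            raise ValueError("refusing to migrate an unverifiable envelope")
        return env if env["alg"] == self.active else self.protect(env["msg"])


if __name__ == "__main__":
    key = b"k" * 32  # constructed sample key, not a real secret
    old = AgileProtector(key, "hmac-sha256").protect(b"patient-record-17")
    transition = AgileProtector(key, "hmac-sha3-256", accepted=["hmac-sha256"])
    print(transition.migrate(old)["alg"])  # record now under the new algorithm
```

The migration then runs in three policy phases with no change to calling code: legacy algorithm only, new algorithm active with the legacy one still accepted while records are re-protected, and finally the legacy id dropped from the allow-list.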

Large IT service providers such as Accenture and IBM have developed compelling service offerings to help their clients ensure crypto agility, quantum safety, and solid governance and risk policies. For example, Accenture created a crypto-agility accelerator to help its clients assess internal systems and functions and those of external cloud providers and ecosystem partners, identify cryptographic weaknesses, and make remediation plans.

The Bottom Line: Enterprise leaders must not wait to act until adversaries are using quantum computers. Plan your quantum-safe migration now.

There is an expiration date on today’s cryptography, and deploying PQC seems like a no-brainer with quantum computers on the horizon. Although we expect the final NIST standard to be published in 2024, CISOs must prepare for the complexity of migrating their infrastructure to a fully post-quantum position; this process will take many years. CIOs and CISOs must work closely to build a coherent strategy with crypto-agility at the center of its execution.
