Practically speaking, quantum computers are still years away, but the US Cybersecurity and Infrastructure Agency is still recommending that organizations begin preparations for the migration to the post-quantum cryptographic standard.
Quantum computers use quantum bits (qubits) to deliver higher computing power and speed, and are expected to be capable of breaking existing cryptographic algorithms, such as RSA and elliptic curve cryptography. This would impact the security of all online communications as well as data confidentiality and integrity. Security experts have warned that practical quantum computers could be possible in less than ten years.
The National Institute of Standards and Technology announced the first four quantum-resistant algorithms that will become part of the post-quantum-cryptographic standard in July, but the final standard is not expected until 2024. Even so, CISA is encouraging critical infrastructure operators to begin their preparations in advance.
“While quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities—including both public and private organizations—must work together to prepare for a new post-quantum cryptographic standard to defend against future threats,” CISA says.
To help organizations with their plans, NIST and the Department of Homeland Security developed the Post-Quantum Cryptography Roadmap. The first step should be creating an inventory of vulnerable critical infrastructure systems, CISA said.
Organizations should identify where, and for what purpose, public key cryptography is being used, and mark those systems as quantum-vulnerable. This includes creating an inventory of the most sensitive and critical datasets that must be secured for an extended amount of time, and all systems using cryptographic technologies. Having a list of all the systems would ease the transition when it comes times to make the switch.
Organizations will also need to assess the priority level for each system. Using the inventory and prioritization information, organizations can then develop a systems transition plan for when the new standard is published.
Security professionals are also encouraged to identify acquisition, cybersecurity, and data security standards that will need to be updated to reflect post-quantum requirements. CISA encourages increasing engagement with organizations developing post-quantum standards.
The agency’s focus on the inventory echoes the recommendations made by Wells Fargo at RSA Conference earlier this year. In a session discussing the financial giant’s quantum journey, Richard Toohey, technology analyst at Wells Fargo, suggested that organizations begin their crypto inventory.
“Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?” Toohey said. “That’s a big ask, to know every type of cryptography used throughout your business with all your third parties — that’s not trivial. That’s a lot of work, and that’s going to need to be started now.”
Wells Fargo has a “very aggressive goal” to be ready to run post-quantum cryptography in five years, according to Dale Miller, the chief artchitect of information security architecture at Wells Fargo.
Migrating industrial control systems (ICSs) to post-quantum cryptography will be a major challenge for critical infrastructure operators, mainly because the equipment is often geographically dispersed, CISA said in the alert. Even so CISA urged critical infrastructure organizations to include in their strategies the actions needed to address risks from quantum computing capabilities.
CISA is not the only one sounding the alarm about getting started. In March, the Quantum-Safe Working Group of the Cloud Security Alliance (CSA) set a deadline of April 14, 2030, by which companies should have their post-quantum infrastructure in place.
“Do not wait until the quantum computers are in use by our adversaries to act. Early preparations will ensure a smooth migration to the post-quantum cryptography standard once it is available,” CISA said.
