“Post-quantum cryptography is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers,” Rob Joyce, Director of NSA Cybersecurity, writes in the guide.
“The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry. The key is to be on this journey today and not wait until the last minute.”
This perfectly aligns with Baloo’s thinking that now is the time to engage, and not to wait until it becomes an urgent situation.
The guide notes how the first set of post-quantum cryptographic (PQC) standards will be released in early 2024 “to protect against future, potentially adversarial, cryptanalytically-relevant quantum computer (CRQC) capabilities. A CRQC would have the potential to break public-key systems (sometimes referred to as asymmetric cryptography) that are used to protect information systems today.”
The guide points to four steps (not surprisingly, they also align nicely with Baloo’s advice).
- Establish a Quantum-Readiness Roadmap. Employ proactive cryptographic discovery to identify the organization’s current reliance on quantum-vulnerable cryptography.
- Engage with technology vendors to discuss post-quantum roadmaps. Future contracts will ensure “new products will be delivered with PQC built in.” In addition, the mitigation strategies of vendors may be of utility to entities as they plan their own pathways to mitigation. This engagement should also include supply-chain discussion as well as the vendor technology responsibilities.
- Conduct an inventory to identify and understand cryptographic systems and assets. This means one must put together a comprehensive cryptographic inventory of current systems.
- Create migration plans that prioritize the most sensitive and critical assets. The organizations’ risk assessments and pathways to mitigation are not static.
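As an added illustration (not code from the guide or from anyone quoted in this article) of how the inventory and prioritization steps above can be captured in code: each asset in a constructed sample inventory is classified as quantum-vulnerable (public-key algorithms a CRQC could break), weakened (short symmetric keys), or fine, and then ordered for migration by sensitivity and by how long its data must stay confidential. The asset names, scores and the ten-year CRQC horizon are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Public-key algorithms that a cryptanalytically relevant quantum computer
# could break outright (Shor's algorithm). Symmetric ciphers and hashes are
# only weakened (Grover roughly halves effective key strength), so 256-bit
# symmetric keys keep an ample margin.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
SYMMETRIC_MIN_BITS = 256  # assumption: flag shorter symmetric keys for upgrade


@dataclass
class CryptoAsset:
    name: str
    algorithm: str
    key_bits: int
    sensitivity: int          # 1 (low) .. 5 (critical), from the risk assessment
    data_lifetime_years: int  # how long confidentiality must hold


def classify(asset: CryptoAsset) -> str:
    alg = asset.algorithm.upper()
    if alg in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    if alg in ("AES", "CHACHA20") and asset.key_bits < SYMMETRIC_MIN_BITS:
        return "weakened"
    return "ok"


def migration_plan(assets, crqc_horizon_years: int = 10):
    """Return (score, name, status, exposed_now) for assets needing work, most urgent first."""
    rows = []
    for a in assets:
        status = classify(a)
        if status == "ok":
            continue
        # Harvest-now-decrypt-later: traffic protected by a vulnerable public key whose
        # data must stay secret beyond the CRQC horizon is effectively exposed today.
        exposed = status == "quantum-vulnerable" and a.data_lifetime_years >= crqc_horizon_years
        score = a.sensitivity * (2 if exposed else 1)
        rows.append((score, a.name, status, exposed))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    CryptoAsset("vpn-gateway-cert", "RSA", 2048, 5, 15),
    CryptoAsset("code-signing-key", "ECDSA", 256, 5, 2),
    CryptoAsset("hr-archive-encryption", "AES", 128, 4, 20),
    CryptoAsset("backup-encryption", "AES", 256, 4, 20),
    CryptoAsset("log-integrity-hmac", "HMAC-SHA256", 256, 2, 1),
]

if __name__ == "__main__":
    for row in migration_plan(SAMPLE_INVENTORY):
        print(row)
```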
When all voices are singing the same tune from the same choir loft, one should take note. CISOs should designate a point person for their quantum migration project, which will take place over a number of years. The first steps as recommended by the US government, Baloo, Carson, and Gerhardt are all the same – figure out what you have and take inventory.