Here’s why it’s important to build long-term cryptographic resilience

The UN has proclaimed 2025 to be the International Year of Quantum Science and Technology — cryptographic security is more important than ever.

• Quantum computing’s rapid progress, marked by breakthroughs in qubit technology and post-quantum cryptography (PQC) standards, promises transformative benefits.
• This does pose potential threats, however.
• Organizations must adopt cryptographic agility to address vulnerabilities while building defense-in-depth frameworks to ensure layered protection.

The UN has proclaimed 2025 to be the International Year of Quantum Science and Technology. With increased qubit counts, improvements in error correction and cloud access to quantum platforms, we saw many practical gains in quantum computing in 2024. As progress accelerates, industries are exploring applications where quantum computing can solve challenges beyond the capabilities of advanced classical computers and AI, such as modeling complex molecular interactions.

While quantum computing promises many benefits, its rapid advancement also poses a significant threat to the current cryptographic applications and infrastructures upon which the global economy relies.

As we stand on the brink of a quantum revolution, the urgent need to migrate our cryptographic infrastructure to a quantum-safe framework has never been more critical to ensure the security, privacy and availability of global digital communications.

Cryptography is an indispensable cybersecurity control providing confidentiality and integrity for information, systems and communications. In the 1990s, public key cryptography revolutionized our digital infrastructure by enabling secure and confidential communication over the internet, allowing for the safe exchange of information, digital signatures and the establishment of trust in online transactions without the need for a shared secret key. Today, we rely on cryptography more than ever before. However, a sufficiently powerful quantum computer could render much of our traditional cryptography obsolete.

On August 13, 2024, the US National Institute of Standards and Technology (NIST) announced three post-quantum cryptography (PQC) standards designed to replace current public key standards. This announcement marked a significant first step toward achieving cryptographic security in the quantum age, following eight years of dedicated international collaboration.

While PQC is crucial for safeguarding our digital future, the real challenge lies in effective risk management and implementing a more robust, proactive approach to protecting data, systems and infrastructure from all evolving threats. AI and quantum computing significantly enhance the capabilities of malicious actors, exacerbating the challenge of maintaining secure cryptographic solutions. To create a resilient cryptographic framework for both the present and future, it is crucial to consider all quantum-safe technologies and develop solutions that promote agility and the principles of defence in depth.

Cryptographic agility implies the ability to quickly respond to an algorithm being broken by switching to an alternative with minimal disruption. Because PQC algorithms are relatively new, crypto-agility is a key pillar of resilience in the quantum age. But agility won’t prevent losses and damage incurred before a break is detected and the switch is eventually made. The second pillar is a defence-in-depth approach, employing multiple security layers to prevent catastrophic outcomes should any one point of security fail. By implementing such a resilient cryptographic infrastructure, organizations can enhance their security posture, providing robust protection against a wide array of potential vulnerabilities. This strategy not only prepares organizations for the quantum future but also strengthens their defences against current and unforeseen challenges.

Many government entities and global businesses are advocating this multi-pronged approach. The US National Security Agency (NSA)’s Commercial Solution for Classified program specifies the use of symmetric key solutions using pre-shared keys as a substitute for or in conjunction with public key cryptographic solutions, especially when long-term data protection is required. The Monetary Authority of Singapore issued an advisory to financial institutions recommending that, in addition to PQC, they explore complementary quantum-safe strategies such as Quantum Key Distribution (QKD). JPMorgan Chase and other organizations across critical industries are also pursuing such a dual-remediation strategy.

As highlighted in the joint statement by 18 EU nations, Securing Tomorrow, Today: Transitioning to Post-Quantum Cryptography, “organizations and governments should start the transition now.” NIST has recognized that, historically, it has taken 10 to 20 years to fully implement cryptographic migrations. Compared to previous migrations, cryptographers worldwide have emphasized that transitioning to a quantum-safe infrastructure presents a far more complex challenge. Instead of merely swapping out algorithms, this transition requires revamping key management solutions, communication protocols, applications and systems that rely on or incorporate cryptography.

The stakes of a quantum-enabled cyber attack are potentially existential for businesses and exacerbated by the systemic nature of cryptographic vulnerabilities. It is imperative for senior business leaders to collectively champion the transition to a quantum-safe and resilient cryptographic infrastructure as a business requirement and empower their cybersecurity, IT, innovation and other teams to achieve it together. This strategic shift not only safeguards an organization’s data and systems but also reinforces trust and confidence among customers and stakeholders. It also protects the organization from the risk of non-compliance as regulatory standards evolve. By taking ownership of this transition and working with technology experts to understand the organization’s path to quantum safety, leaders can ensure that their businesses remain secure and resilient.

Because of the complexity of cryptographic migrations and the speed at which quantum computing is progressing, leaders must consider that they may not have an advanced warning of cryptographic failure. In April 2024, a paper was published purporting to have identified a vulnerability in lattice cryptography, a family of algorithms central to PQC. The claim was eventually disproved, but the possibility remains that unforeseen weaknesses in PQC could one day be exploited.

For that reason, business executives and security leaders must collaborate to probe the full extent of their resilience beyond merely adopting PQC algorithms and begin this process now. To guide this discovery phase, leaders should be asking:

• What are the implications for our organization if new PQC algorithms are broken without advanced warning?
• Do we have sufficient defence in depth so that short-term losses and disruptions would be survivable? Do we have alternative cryptographic capabilities to support our needs and protect our data?
• Do we have a recovery strategy that allows us to return to full operation in an acceptable amount of time?

Building a resilient cryptographic infrastructure and preparing for a world comprised of quantum computers and advanced AI is a long-term and ongoing endeavour requiring continual reassessment. Executives must initiate this transition now to ensure preparedness for future challenges. By embracing the long-term imperative of building a resilient and quantum-safe cryptographic infrastructure, organizations can secure their operations and maintain trust with stakeholders in an evolving digital landscape they can more aggressively capitalize on in the short-term.

Image credits: Unsplash

By: Michele Mosca (Chief Executive Officer, evolutionQ) and Donna Dodson (Senior Strategist, evolutionQ)
Originally published at: World Economic Forum

Source: zedreviews.com