Your data is at risk from quantum computers right now. Here’s why.
Quantum computers exist as we speak. While their full potential will still be years in the making, your business needs to start upping the ante on the encryption game without delay.
Contents
Quantum computer technology is taking big leaps
Why does the quantum threat matter?
How can your organization get quantum-safe now and why does it make sense?
First steps on your journey to becoming quantum-safe
Quantum computer technology is taking big leaps
Modern computers cannot crack currently established encryption algorithms. And neither can current quantum computers. But big tech companies, like IBM and Google, are investing millions into quantum computers, just like many nation-states. Considering the amount of money and resources put into their advancement, what is called a cryptographically relevant quantum computer (CRQC) is likely knocking at our doors soon.
This has created a paradigm shift called the “quantum threat”.
Why does the quantum threat matter?
A CRQC is a computer that is capable of cracking existing advanced encryption algorithms in a matter of minutes. This simply spells the end of all secrets in digital communications, which is an existential threat to public and private organizations alike, unless we take action now. Fortunately, there are steps that you can take to protect your business already now.
“Regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.”
- National Institute of Standards and Technology (NIST)
How can your organization get quantum-safe now and why does it make sense?
1. Your biggest risk: "Harvest now - decrypt later" attack
Naturally, criminal organizations have also noticed an opportunity to profit from corporate and governmental data. They are already harvesting data of long-term value to be decrypted once powerful enough quantum technology is ready to be utilized.
Examples of information with long-term value include:
-
Financial information (such as account numbers, credit card numbers, PANs)
-
Governmental information (such as diplomatic correspondence, national secrets)
-
Personal and medical information (such as social security ID, health information, medical records)
Potential consequences of data breaches concerning long-term value information are, for example, financial losses and loss of trust among shareholders.
This is how quantum computers affect our secrets even though a fully functioning CRQC doesn’t exist yet. This is also why preparing in good time saves both time and money and is only sensible.
2. Quantum-safe cryptography (QSC) for the rescue
The good news is that the first QSC solutions are already here.
Current encryption algorithms can be hacked by CRQC. Their calculation capacity exceeds any efforts to make current encryption algorithms secure. Therefore, the only option is to change the logic and create new types of algorithms that can outsmart quantum computers.
Those algorithms exist already and are ready to be deployed to your environment.
3. QSC protects classic computers and data
One of the misconceptions of quantum security is that it relates to protecting quantum computers. The reason why first-mover companies and organizations are developing standardized algorithms and offering quantum-safe solutions is that our existing assets and technology need protection right now.
4. The migration to quantum-safe secure communications is rather straightforward
While there are elements in moving to full-scale quantum security that are hard to implement, ensuring that your data-in-transit is quantum-safe is not one of them. Identifying the most critical connections and upgrading their encryption with quantum-safe algorithms is possible with little effort.
Organizations can enclose their long-term secrets inside quantum-safe tunnels to ensure that even if they are harvested, not even a future CRQC can decrypt the data.
5. Quantum-safe tunnels can contain any kind of data
There are plenty of different protocols that encrypt our existing digital communications (like SSH, RDP, TLS, HTTPS, and more). Upgrading all of them to be quantum-safe takes time, and some of them will have quantum-safe algorithms available earlier than others.
The good news is that quantum-safe tunnels built using one of the most common security protocols on the planet - the Secure Shell protocol (SSH) - can contain any data. Just wrap up your connections inside a quantum-safe SSH connection tunnel and any data is safe in transit again.
6. Choosing a hybrid approach builds a fail-safe solution
Nothing is perfect, and that includes a new breed of algorithms that will have to outsmart quantum computers. The best route to a post-quantum future is a hybrid approach. This allows your enterprise to utilize existing algorithms concurrently with quantum-safe algorithms to build a fail-safe solution.
The classic algorithms that are already in place will always protect confidential data instead of leaving it exposed and decrypted. And quantum-safe algorithms will protect your data for the future.
7. Large-scale migration takes time
Even though CRQCs don’t exist yet, time is not on your side.
As NIST points out: “It has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.”
The migration is a gradual process and the longer your organization waits, the bigger the risks will become.
For example, as stated in the Quantum Computing Cybersecurity Preparedness Act: “The rapid progress of quantum computing suggests the potential for adversaries of the United States to steal sensitive encrypted data today using classical computers, and wait until sufficiently powerful quantum systems are available to decrypt it. [...] a strategy for the migration of information technology systems of the Federal Government to post-quantum cryptography is needed.”
8. Recommended by the US Government and authorities, like NIST, ETSI, NATO, and NCSC
The National Institute of Standards and Technology (NIST), the National Cyber Security Centre (NCSC), and the European Telecommunications Standards Institute (ETSI) are all recommending that organizations take the quantum threat seriously.
The US Government requires that government agencies present a plan on how they can stay safe from quantum computers. The plan needs to be ready this year, 2023.
BSI in Germany and ANSSI in France are currently testing and standardizing new quantum-safe algorithms. The process is still ongoing but these algorithms can be deployed in our software immediately after they are released. NIST has already approved one quantum-safe algorithm (CRYSTALS-Kyber) and others are to follow.
9. Path to quantum-safe communications
While taking stock of your most valuable assets of long-term value, it is a good opportunity for you to get a complete picture of how secure your communications inside your organization and with external stakeholders are.
The next step is to take stock of your authentication credentials (keys) that establish the cryptography. It is important to make sure that all of your credentials are up-to-date and meet at least the minimum standards for safe encryption.
All the chosen connections can be then updated into quantum-safe tunnels. In this process, classic encryption and quantum-safe encryption work together (hybrid approach). Quantum-safe cryptography (QSC) contains various keys of different levels to ensure that only those in possession of the right key and access rights can enter the communication.
Path to quantum-safe communication is easy to start. And luckily, you have nothing to lose if you improve your cybersecurity posture against current and future threats.
10. Choose an expert partner: SSH Communications Security
We at SSH Communications Security are the inventors of the Secure Shell (SSH) protocol. It is a canonical invention for secure communications between servers and applications - and when people access them. SSH enabled secure internet as we know it, and millions of connections are protected with it as we speak.
Building on this foundation, we offer a unique software portfolio and expertise for securing communications ranging from UNIX-based environments to modern Kubernetes-orchestrated ecosystems. We’ve taken a head start in offering quantum-safe solutions to the market and were one of the first companies to do so.
Migrating into the post-quantum era is fairly easy and does not require huge investments from your company. Our team of highly experienced experts is here for you, every step of the way.
We are working constantly to make sure our clients are at the top of the encryption game. Our solutions can migrate to standardized quantum-safe algorithms as soon as they are available. They already support one: CRYSTALS-Kyber.
Learn more about how you can secure your communications against the threat of quantum computers by exploring our Quantum-safe Cryptographic Security Solutions >>>
Learn how to take the first step to becoming quantum-safe
Jani Virkkula
Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator->-tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...