The time is now for quantum-safe security

Despite large scale quantum computing being several years away from being a practical reality, government experts are deservedly concerned about the cybersecurity implications today. The sooner an organization can lay the foundation for quantum cybersecurity, the better equipped it will be when bad actors start adding quantum hacking to their arsenal.

This was underscored in May 2022, when the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (NSM 10) provided requirements and timelines for quantum-resistant cryptography. In announcing the memo, President Joe Biden noted that “America must start the lengthy process of updating our IT infrastructure today to protect against this quantum computing threat tomorrow.”

The memo continued by underscoring that “central to this migration effort will be an emphasis on cryptographic agility, both to reduce the time required to transition and to allow for seamless updates for future cryptographic standards.”

The concern for more immediate action in cryptographic agility is understandable. Even if a quantum computer is a decade away, bad actors can take note of potential vulnerabilities now, and exploit them later.

Today’s non-PQ (post-quantum) encryption absolutely will break (or be broken) in the future, affecting security features such as authentication, code-signing and digital signatures. If hackers can break the algorithm for the private key, they can, for example, impersonate the software update channel. What happens if an adversary gains the capability to “update” the firmware within an agency’s IT infrastructure?

The quantum challenge: Data’s necessary expiration date

Today’s encrypted data has an expiration date. All data that is encrypted today using classic PKI-based cryptography is quantum vulnerable, with little if any protection against potential vulnerabilities that may become apparent later. Meanwhile, however, all of that data also has a timespan for which it must remain secure.

The data we encrypt today is already decaying, because its risk of exposure increases over time. When data encrypted data using current…