It sounds like something out of science fiction. Overnight, all your encryption algorithms are broken, leaving your systems defenseless. All of the data that was secured with unbreakable, military-grade encryption (a marketing term, as such encryption is not available outside the military) was breached a few years ago and is now available in clear text.
The truth is that the day when many encryption algorithms are broken by quantum cryptography is inevitable. However, it remains uncertain whether this will happen by the end of this year, in five years, or in 30 years.
Roger Grimes puts things into perspective in his excellent book Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today’s Crypto. In it, he explains how to prepare for quantum crypto.
A lot has changed since Grimes wrote his book in 2019. Now, in Becoming Quantum Safe: Protect Your Business and Mitigate Risks with Post-Quantum Cryptography and Crypto-Agility (Wiley), authors Jai Singh Arun, Ray Harishankar, and Walid Rjaibi, all from IBM, present an up-to-date, practical guide to the cryptographic challenges of quantum computing.
As Grimes clearly explained, not all encryption algorithms are vulnerable to quantum computing - an idea the authors addressed.
In under 200 pages, Arun, Harishankar, and Rjaibi explain how to manage risks in the quantum era. They outline the challenges of managing cyber risks in the post-quantum cryptography (PQC) era. The book provides a clear framework for identifying, assessing, mitigating, and monitoring these new threats.
They stress that effective governance starts with executive recognition of the quantum threat. The authors advise organizations to establish a Quantum Risk Council to align strategy, funding, and cross-functional alignment.
The Quantum Risk Council should include stakeholders from cybersecurity, IT operations, legal, compliance, product development, and risk management. Together, they define post-quantum security goals, align them with enterprise risk management, and weave quantum considerations into the enterprise.
One of the most challenging aspects of quantum risk management is achieving full visibility into the use of cryptography across an enterprise. Most organizations use cryptography in far more places than they realize. From Transport Layer Security (TLS) and Secure Shell (SSH) on web servers to embedded encryption in firmware, Application Programming Interfaces (APIs), third-party platforms, Continuous Integration/Continuous Delivery and Deployment (CI/CD) pipelines, and more.
Proactive firms may choose to migrate to post-quantum cryptography. However, this is not a trivial endeavor. Migration to PQC is a journey that can take years. It requires careful planning and execution. For those who remember Y2K, this is a much more complex task.
The quantum threat is real and closer than you think. Quantum computing will render large parts of today’s cryptographic protection obsolete. It is not a distant concern, and the risk is accelerating. CISOs, CIOs, CTOs, and more must act now: assess your organization’s vulnerabilities, develop a quantum readiness roadmap, and begin implementing mitigation strategies today to avoid strategic, security, privacy, regulatory, and reputational fallout.
For those looking to do that, and for a practical guide on their path to PQC, Becoming Quantum Safe is their go-to reference.