How to protect your organization against post-quantum attacks

Quantum computing, once seen as the realm of science fiction, is moving quickly from labs to the real world. This new technology holds tremendous promise, with the potential to enable better fraud detection, more efficient logistics, and the engineering of lifesaving drugs.

But quantum computing also presents risks, as a functioning quantum computer will be able to break today’s encryption algorithms—the ones that currently protect everything from state secrets to individual healthcare and finance information. While no one knows exactly when this will happen,  the date is often referred to as Q-day.

Uncertainty can’t become an excuse for inaction. In attacks known as “harvest now, decrypt later,” malicious actors are stealing encrypted information, to be stored until quantum computing allows them to break the encryption protecting it. The technology to make data, applications, and networks quantum-safe exists today. But becoming quantum-safe relies on modern networks and applications. If your network technology is ten years old, you’ll need to upgrade it before moving on to make it quantum safe. That’s why, for many organizations, becoming quantum-safe will be a multi-year project. The quantum race isn’t merely about building quantum computers, it’s about upgrading your infrastructure before quantum computers make today’s defenses obsolete.

In the U.S., the National Institute of Standards and Technology (NIST) has said it will deprecate current encryption algorithms by 2030. In the E.U., all critical infrastructure must use post-quantum cryptography by 2030. That makes it imperative to start planning now, identifying and understanding your vulnerabilities and classifying systems based on data sensitivity.

Start with a point of view on Q-day

The first step is to develop a point of view on when Q-day is coming. NIST works on the premise that traditional cryptography will be broken in 2030. Some CIOs think Q-day is coming sooner, while others think they have more time. Once you decide on a date, you can work backward to set a timeline to secure your data, applications and networks.

Most large organizations won’t be able to address every single vulnerability before Q-day, making it imperative to find your most critical vulnerabilities and address those first. You should also investigate the possibility of including quantum security in any planned or ongoing upgrades, such as mainframe modernization, network modernization, or digital transformation. Moving from a legacy SAP installation to S/4Hana in the cloud, for example, is a great opportunity to also address quantum security. Anything new that the organization chooses to build or buy should also support a quantum-safe IT environment. This is where organizations can benefit by making sure the business, IT, and procurement work closely together, rather than operating in silos.

Identify and prioritize critical vulnerabilities

One approach is to try to secure your most vulnerable systems and services in the next 12-24 months. In this scenario, your major vulnerabilities would be secured by 2027, allowing time to address secondary services.

Start with the systems and services that are most critical to your business. In the case of a decryption event, where would the biggest impact be? If you’re an insurance company, your biggest vulnerability might be claims. That means you need to look at the network, data, and platforms that support claims.

Once you’ve determined where a decryption event could do the most damage, construct an end-to-end digital profile of that service. The network may be the front door, but what about your data centers, cloud providers, or other entry points? Even fiber-optic cables—our most secure means of transmission—can be tampered with. Would you notice if your cable frequencies were fluctuating?

An investigation into critical services will no doubt lead you to data. Finding weaknesses in your data protection has implications for the services that use that data.

Understand critical and persistent data

A data audit is a key part of preparing for quantum security. Where does your critical data reside, and is it encrypted with high-quality algorithms? For U.S. organizations, NIST provides guidance on the use of algorithms expected to remain secure for the next few years.

The concept of critical data gains an additional dimension when considering ‘harvest now, decrypt later’ attacks. Critical data still includes sensitive customer data, for example, or data that is covered by regulations. But it also includes data that could be valuable years after it is stolen. The health records of politicians or high-level executives are one obvious example. Swiss bank accounts also have associated data that is extremely long-lived, as does some intellectual property and trade secrets.

If you don’t know where your critical data lives or how it’s encrypted, you’re likely to have operational issues, such as broken certificates, long before Q-day. If, on the other hand, you’re able to identify and locate all your critical data, and you know which algorithms are being used to encrypt it, you’re in a relatively good place to begin becoming quantum-safe.

For organizations in this position, it may be most efficient to encrypt closer to the application and to the data, ensuring end-to-end security. It's also important to implement a structured, controlled, and automated process to rotate your cryptographic keys.

Quantum security at the network layer

If you don’t have a complete inventory of your data and the algorithms used to encrypt it, or you’re not certain that those algorithms are strong enough to withstand a post-quantum attack, encryption at the network level is another alternative. This may also be a good choice for organizations that aren’t able to thoroughly protect at the application level, or those that have very sensitive data moving through their networks.

Networks can be made quantum-safe by using symmetric key distribution to secure data center interconnects. This is not a great candidate for a DIY project: if not done properly, it can interrupt your business. And symmetric key distribution won’t protect you if other aspects of your network are easily compromised. In that case, while you’ve secured the front door, you may still have a backdoor held shut with a flimsy latchkey.