The emerging cybersecurity threat posed by quantum computing has prompted the US government to begin forcing public and private organizations to adopt stricter privacy policies.
The National Institute of Standards and Technology in late August released the final set of tools designed to withstand cyber attacks.
The Cybersecurity and Infrastructure Security Agency on Sept. 27 publicly released its instructions to federal agencies on the migration to what is known as “post-quantum cryptography”—replacing old encryption algorithms with more difficult-to-break versions.
The government’s preparation for the new age of cyber threats shows a significant difference between the government and the private sector. Even cloud infrastructure giants like
Information and cyber security officials in business and government alike “have a lot to do, even if you’re doing it right. And if you’re not doing it, you’ve got a lot of money to do when you’re trying to close these gaps,” Matthew Scholl, CEO of the Computer Security Division in NIST’s Information Technology Laboratory, told Bloomberg Law. “So the question is, where does this fall on your criteria?”
Moving Forward
Modern cryptography depends on how difficult it is to find the prime factors of a very large number. Solving these problems takes today’s computers too long to be worth the time and effort of many cybercriminals, explained Sudeep Kesh, head of innovation at S&P Global Ratings.
But while breaking the security of this encryption system would take months on a modern computer, quantum computers can do it in an hour, Kesh said.
Quantum computing in particular can pose a threat to public-key encryption systems such as Rivest-Shamir-Adleman (RSA) and elliptic-curve encryption algorithms, which sign data using two keys. They are widely used to encrypt data in transit and authenticate customers for online transactions.
“There have been advances that mean the reality of quantum computing is no longer in some physics lab at MIT or IBM or wherever — it’s approaching the commercial world,” said Martin Whitworth, lead internet strategist at S&P Global Ratings.
NIST, CISA, and other government agencies are encouraging non-governmental organizations to begin the transition to post-quantum computing encryption principles. They encourage organizations to do research to understand what encryption methods they use, where they are used, and for what purposes. That portion alone could be huge, cyber security experts warned.
“Cryptography is everywhere, on every device, on every app, on every critical device, and it’s a fundamental part of the Internet. It’s in every application,” said Phil Venables, director of security at Google Cloud.
As organizations begin to take action, strengthening their practices will require time, money, and close collaboration with partners around the world.
“There will be a lot of IT investment from all kinds of organizations,” said Nigel Smart, researcher and head of education at open source cryptography company Zama. He added, “Everybody has to change what they’re doing.”
Smart says it could “take five to 10 years” for some businesses to complete the transition to security.
‘The Great Connection’
Companies’ policies regarding cyber security – and how they meet best corporate practices and government regulations – have been put under the microscope amid increasing cybercrime and data breach cases.
This extensive analysis has shown that even Big Tech giants can still struggle to comply with today’s privacy policy: Last month.
It would not be realistic to expect businesses and other organizations to immediately jump in with a full security overhaul to protect against quantum computing – especially before binding requirements are established, said data privacy, artificial intelligence and cyber security lawyer Lily Li, founder of Metaverse Law.
“There is a big discrepancy between NIST’s standards and what private companies are trying to adopt,” Li said.
Expecting them to change their minds quickly on the current crisis would be a big leap, according to Li. Companies responsible for privacy and security – such as hospitals and commercial airlines – are still working to meet the government’s rapidly evolving cyber requirements.
“I think it’s important for NIST to issue this guidance, because it’s a big risk, and companies need to prepare for the game,” Li said. “But in terms of how we live in cybersecurity, we have to bring everyone down to the ground floor. So let’s figure out the next step.”
‘Crypto Agility’
The government’s push for the private sector to move to post-quantum computing encryption also includes promoting the implementation of a new scalable security system it calls “crypto agility”—the ability to exchange algorithms or private keys on demand.
“We’re about to fix the world for the first time, and it’s going to take a lot of work,” Venables said. “We can do the job in a way that allows for other upgrades to be done easily,” he added.
The concept of crypto agility requires frequent updates to algorithms and standards as the young branch of mathematics that includes post-quantum cryptography evolves.
“You have to change your algorithms in a minute, and you have to know what algorithms you have and be able to evaluate and improve them,” Smart said.
It also aligns with the Biden administration’s efforts to protect Americans’ personal data from foreign adversaries. Adopting consistent storage standards now can help protect data and long-term interest or security needs going forward.
The most important thing for the private sector is not to ignore the government’s calls to start preparing for the age of quantum computing, cyber experts said.
“In other words, doing your crypto research is finding out what you’re using and where it’s the best thing to do,” Smart said. “And these recent changes are forcing people to do what they had to do 30 years ago.”