A majority (71%) of global organizations see the emergence of quantum computers as a large threat to security, according to a new study from DigiCert, Inc., a provider of TLS/SSL, IoT and PKI solutions.
Most anticipate tangible quantum computer threats will begin arriving within three years. The survey was conducted by ReRez Research in August 2019, within 400 enterprise organizations in the U.S., Germany and Japan from across critical infrastructure industries.
Quantum computing is on the minds of many and is impacting their current and future thinking. Slightly more than half (55 percent) of respondents say quantum computing is a “somewhat” to “extremely” large security threat today, with 71 percent saying it will be a “somewhat” to “extremely” large threat in the future.
The median prediction for when post-quantum cryptography (PQC) would be required to combat the security threat posed by quantum computers was 2022, which means the time needed to prepare for quantum threats is nearer than some analysts have predicted. Post-quantum cryptography (PQC) refer to algorithms that can withstand the threat of quantum computing.
PQC can bring about a lot of benefits together with challenges. It can potentially address many problems too difficult for today’s digital computers to tackle. Examples are machine learning, medical sciences, and particle physics that can benefit from the development of quantum computing.
However, it can also break today’s most sophisticated encryption algorithms easily, leading to security and data issues. Once-safe products can become a liability, such as automobiles with sensors, IoT devices with connection to the Internet, and even the processes when manufacturing these devices/products. DigiCert hopes to encourage the industry to develop new cryptographic algorithms—ones that are able to withstand quantum computing threats, through a call to action.
Top Challenges
With the threat so clearly felt, 83 percent of respondents say it is important for IT to learn about quantum-safe security practices. Following are the top three worries reported for implementing PQC:
- High costs to battle and mitigate quantum threats
- Data stolen today is safe if encrypted, but quantum attacks will make this data vulnerable in the future
- Encryption on devices and applications embedded in products will be susceptible
95 percent of respondents reported they are discussing at least one tactic to prepare for quantum computing, but two in five see this is as a difficult challenge. The top challenges reported include:
- Cost
- Lack of staff knowledge
- Worries that TLS vendors won’t have upgraded certificates in time
“It is encouraging to see that so many companies understand the risk and challenges that quantum computing poses to enterprise encryption,” said Tim Hollebeek, Industry and Standards Technical Strategist at DigiCert. “With the excitement and potential of quantum technologies to impact our world, it's clear that security professionals are at least somewhat aware of the threats that quantum computers pose to encryption and security in the future. With so many engaged, but lacking good information about what to do and how to prepare, now is the time for companies to invest in strategies and solutions that will help them get ahead of the game and not get caught with their data exposed when the threats emerge."
Preparing for PQC
Enterprises are beginning to prepare for quantum computing, with a third reporting they have a PQC budget and another 56 percent working on establishing a PQC budget. In terms of specific activities, not surprisingly, “monitoring” was the top tactic currently employed by IT. Understanding their organization’s level of crypto-agility came next. This reflects the understanding that when the time comes to make a switch to PQC certificates, enterprises need to be ready to make the switch quickly and efficiently.
Rounding out the top five current IT tactics were understanding the organization’s current level of risk, building knowledge about PQC and developing TLS best practices.
New skills will be needed in the realm of consultants, products and staff resources, and it’s crucial for businesses to understand risk and the level of crypto-agility and how fast they can switch to PQC solutions quickly and efficiently when the time comes in order to prepare themselves.
Recommendations
The DigiCert 2019 Post Quantum Crypto Survey points to three best practices for companies ready to start planning their strategies for securing their organizations for the quantum future:
- Know your risk and establish a quantum crypto maturity model.
- Understand the importance of crypto-agility in your organization and establish it as a core practice.
- Work with leading vendors to establish digital certificate best practices and ensure they are tracking PQC industry progress to help you stay ahead of the curve, including with their products and solutions. Change rarely happens quickly, so it’s better not to wait, but to address your crypto-agility now.