The quantum computing era is almost upon us, promising incredible computing power that could rapidly move technology forward. However, the question remains: is IT ready for what quantum computing really means?
Digicert's 2019 Post Quantum Crypto survey offers some insight into what the post quantum era means for business and the channel. In the survey, Digicert points out that within the next decade quantum computers will be able to break today's most sophisticated encryption algorithms, which will lead to profound security issues.
It is the advent of quantum computing that creates both an opportunity and a burden for solution providers. Yet ignorance seems to reign supreme about the potential threat.
Digicert claims that only 63 per cent of enterprise IT respondents could define what PQC (post quantum cryptography) actually is - a troubling statistic for enterprise IT pros. Yet it indicates that, in the realm of the SMB, ignorance of PQC is high. Solution providers, MSPs and others need to get the word out about the potential threat of quantum computers making today's encryption technologies ineffective.
It is not a stretch to compare the threats of the post quantum era to the Y2K issues of last century, where businesses of all sizes had to check their applications to make sure that any dates after 1999 would be properly recognized or risk a potential data meltdown. While preparing for PQC is a completely different process than what Y2K was, a sense of urgency should be embraced and businesses need to protect their data nevertheless.
Digicert recommends five migration strategies to prepare for the PQC era, each of which could become a service for solution providers to offer to their clients.
- Monitoring: Businesses will need to identify and monitor their current crypto capabilities. In other words, certificates deployed, encrypted data at rest and in motion, as well as the technologies that use certificates must be identified, cataloged, and tracked. Only with a complete inventory of encryption technologies and encrypted data will a business be able to glean the insights needed to move ahead. Solution providers can provide the muscle and technology to make that possible.
- Determine crypto-agility: Businesses will have to determine the ease of quickly replacing existing certificates with PQC certificates. In other words, as PQC certificates become available, solution providers may need to deploy those certificates quickly to prevent the theft of data. Knowing the how/why/where of legacy certificate deployment and encryption is critical for preparing those legacy technologies for replacement.
- Risk Assessment: The level of risk is a critical metric for businesses that have encrypted data. Yet, understanding how that risk impacts business operations and data protection is often miscalculated. Solution providers can audit systems to create a measurement of current risk, potential risk, and acceptable risk. For example, an encrypted database of real estate transactions may be low risk, since it is also publicly available via government agencies. However, an encrypted database of financial transactions may prove to be a high risk element, meaning additional protection will be needed immediately.
- Building Knowledge: IT and associated personnel will need to learn about quantum safe security practices. The same could be said about solution providers who provide security services. Determining what quantum safe security practices are will become the crux of defining policy and educating users, as well as technologists. Here, solution providers can become experts and share that knowledge with their customers, helping them to define policies.
- Create Best Practices: Each organization may have a unique crypto environment, meaning that best practices may not be universal. Building best practices based upon specifics will be a necessity to meet the post quantum threat head on. For solution providers, those best practices may include the steps to replace TLS/SSL certificates already in use, or migrating legacy data to newer encryption technologies.
While fear, uncertainty, and doubt may still surround the future of encryption, solution providers can be well positioned to assuage that FUD by explaining to their clients the potential risk and the steps that can be taken now to prevent a post quantum meltdown of data protection. Yet there is still some urgency to the situation.
The National Institute of Standards (NIST) predicts that within the next 20 or so years, sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. NIST further illustrates the importance of establishing post-quantum cryptography (PQC) now with the statement: "Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing."
For managed service providers, the rise of PQC may spell out significant change for an industry trying to keep up with the latest threats. "Protecting our client's data is of the most critical importance. If PQC can improve that protection then it is a technology we must embrace," said Raj Mehta, president and CEO of RAJ Technologies, a Plainview, New York-based IT services provider. "The real challenge will be one of educating people of the threat and then deploying PQC," added Mehta.