In an era where data security is paramount, current encryption algorithms are, for now, sufficient to safeguard sensitive information. However, the advent of quantum computing, especially in the hands of malicious actors, poses a significant threat.
For example, a nation-state actor could intercept vast amounts of encrypted communications. While the data remains secure at the time, this adversary could wait to decrypt the information once they achieve necessary quantum computing capabilities.
This is particularly alarming for national security-related information that needs to be secured over long periods. Adversaries can collect encrypted data now and decrypt it later with quantum technology, highlighting the urgent need for organizations to accelerate their shift to post-quantum cryptographic solutions.
Implementing these measures is crucial to defend against future quantum threats and ensure the security of sensitive information against this emerging risk. With quantum computing capabilities advancing daily, organizations must act now to ensure data safeguards, which involves taking a comprehensive approach.
Migrating to PQC
For background, quantum computing is a form of computing that harnesses the properties of quantum mechanics to solve problems beyond the ability of even the most powerful classical computers. It encompasses both quantum hardware and quantum algorithms, and it can address complex problems that classical supercomputers cannot.
To address quantum’s emerging threat, NIST recently published its finalized post-quantum cryptography (PQC) standards. This flagship guidance from NIST will help organizations protect against the decryption capabilities enabled by quantum computers. These standards signify a concerted effort to have organizations implement PQC as an element of a modern security posture.
The recently published PQC standards are pivotal in the ongoing fight against emerging quantum computing threats. These standards are essential to build a robust cybersecurity framework. As adversaries evolve, so must our encryption methods and NIST’s guidance provides organizations with a proactive defense.
That being said, PQC is undoubtedly a must-have. The tradeoff lies in balancing immediate implementation costs with the long-term security benefits. In short, NIST’s PQC standards provide foundational guidance, but federal agencies and their partners must start implementing these measures to remain ahead of emerging quantum threats.
Importance of a comprehensive approach
While NIST’s standards are necessary to encourage PQC implementation for government agencies and other organizations, adopting PQC in large government enterprises poses several challenges: the complexity of integrating new cryptographic solutions into legacy systems, staying agile in the face of emerging cyber threats, and matching the most appropriate algorithm to the business risk. In addition, these upfront investments can incur significant costs in resources and time, but they are necessary to safeguard sensitive data against quantum-based decryption in the future.
Successfully migrating to PQC systems requires strategic technology integration, organizational culture, and change management. Many organizations struggle to balance the demands of daily operational support with the resource-intensive requirements of implementing new technology initiatives. This implementation must occur while remaining compliant with regulatory standards, which requires substantial resources, training, and executive focus.
Therefore, a comprehensive approach is necessary for organizations ready to migrate toward post-quantum cryptographic agility. It includes an assessment of the current environment, selection and testing of each algorithm’s performance impact within the cryptographic policy plane, migration and validation of functionality, and a post-migration operations phase. Another strategy to consider is a quantum computing center of excellence that manages algorithm selection and quantum readiness centrally.
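As an added example (not code from the original article), the assessment step can begin with a triage of the cryptographic inventory for harvest-now-decrypt-later exposure; the inventory records, the 10-year quantum horizon and the field names are constructed assumptions:

```python
"""Triage a cryptographic inventory for harvest-now-decrypt-later (HNDL) exposure.

Added example; the inventory, the horizon and the field names are constructed.
"""
from dataclasses import dataclass

# Public-key algorithms whose security rests on factoring or discrete logarithms,
# the problems a sufficiently large quantum computer is expected to solve.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "X25519", "ECDSA", "DSA", "ED25519"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str       # public-key algorithm in use
    purpose: str         # "confidentiality" (key exchange/encryption) or "authentication"
    secrecy_years: int   # how long the protected data must remain confidential


def hndl_exposed(asset: Asset, horizon_years: int) -> bool:
    """True when traffic captured today could still matter once a quantum computer exists.

    Only confidentiality uses are exposed: a signature forged years from now does not
    unlock data recorded today. Data whose secrecy requirement outlives the assumed
    horizon, protected by a quantum-vulnerable algorithm, is the HNDL case.
    """
    return (
        asset.purpose == "confidentiality"
        and asset.algorithm.upper() in QUANTUM_VULNERABLE
        and asset.secrecy_years > horizon_years
    )


def triage(assets, horizon_years: int) -> list:
    """Return the names of exposed assets, longest secrecy requirement first."""
    exposed = [a for a in assets if hndl_exposed(a, horizon_years)]
    return [a.name for a in sorted(exposed, key=lambda a: -a.secrecy_years)]


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("archive-transfer", "RSA", "confidentiality", 30),
    Asset("vpn-gateway", "ECDH", "confidentiality", 15),
    Asset("public-web", "X25519", "confidentiality", 1),
    Asset("code-signing", "ECDSA", "authentication", 15),
    Asset("pilot-link", "ML-KEM", "confidentiality", 30),  # already post-quantum
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY, horizon_years=10):
        print("migrate first:", name)
```

The output ranks the long-lived confidential links ahead of short-lived or signature-only uses, which is where a "harvest now, decrypt later" adversary gains the most.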
Looking ahead
Migrating to post-quantum encryption requires a multi-year, multi-pronged approach toward complying with PQC mandates and safeguarding digital assets against future quantum threats. Although this isn’t an easy transition, it’s a necessary one. Both industry and government are being held accountable under recent mandates, such as M-23-02, Migrating to Post-Quantum Cryptography, and the Quantum Computing Cybersecurity Preparedness Act.
At the end of the day, proactive PQC, put simply, is risk management. Like more familiar cybersecurity initiatives such as zero trust, PQC focuses on enhancing security in the face of evolving threats and securing sensitive information. The federal government and its partners should mitigate risk where possible to maintain a successful cybersecurity posture. Those who do not take this threat seriously face major consequences ahead.
The “harvest now, decrypt later” threat means adversaries can collect encrypted data today and decrypt it once they have quantum capabilities. This vulnerability could compromise classified information, exposing critical defense, intelligence, and operational data, and severely impact national security and long-term strategic interests.
Delays in adopting PQC can lead organizations to fall short of compliance requirements mandated by recent guidelines, such as NIST’s PQC standards and directives like M-23-02. Non-compliance could result in legal repercussions, loss of funding, or exclusion from contracts for federal contractors. In mission-critical environments, security must take precedence over performance, especially as quantum computing capabilities advance.
About the Author
As CTO of Tyto Athene, Peter O’Donoghue has over two decades of experience in the technology industry, a history of executive leadership positions at several Fortune 500 companies, and an impressive track record of success in cloud computing, cybersecurity, and IT modernization.
Recognized by WashingtonExec as one of the Top Cloud Executives to Watch in 2023, Peter’s eye for identifying new business opportunities and his ability to drive the development of new products and services to support client needs ensure that Tyto Athene remains at the forefront of innovation in digital modernization.
In previous roles, Peter served as a Director at CSC where he oversaw the creation of a new practice for applications engineering work for all CSC federal sector programs, and the establishment of a private cloud for the Department of Homeland Security. He then moved on to an executive role as Chief Technology Officer and Vice President of Solutions for General Dynamics Information Technology CSRA, where he established a successful market strategy for cloud adoption, DevOps, agile application development, cyber, data and analytics, and outsourced business process capabilities.
Peter also held VP-level positions at both Unisys and Idemia before becoming Senior VP, Civil Group Chief Technology Officer at Leidos where he continued to drive growth and innovation.
To learn more, please visit Peter on LinkedIn at https://www.linkedin.com/in/peter-o-962154/ and Tyto Athene online at https://gotyto.com/.