Preparing industry for the quantum age

Before quantum computers become readily available, a Toronto Metropolitan University (TMU) researcher is preparing to protect our data with a roadmap for improving cybersecurity. 

Today’s standard encryption algorithms, used to protect sensitive and confidential data online and in enterprise data centres, could be catastrophically broken by quantum computers that can solve encryptions that are too complex for classical computers. To prevent that from happening, information technology management professor Atefeh Mashatan is helping industry build a holistic quantum readiness roadmap that will prepare organizations for the migration to quantum-resistant cryptography. The roadmap outlines different paths organizations can take to transition their cybersecurity before, during and after quantum-resistant cryptography becomes standardized. It also recommends steps organizations can take to protect their data today.

As a cybersecurity expert, director of TMU’s Cybersecurity Research Lab and Canada Research Chair in Quality of Security Framework for Internet of Things, professor Mashatan has led previous cryptographic migrations. However, she says the migration to quantum-resistant cryptography will be a more arduous task.

“It’s not going to happen overnight. Some of the implementations are going to be so involved, so time-consuming, so complex,” said professor Mashatan. “This time around, with quantum-resistant migration, it’s going to be more involved because standards aren’t set yet, and timelines will be tight for some data owners.”

The National Institute of Standards and Technology (NIST), a U.S. government agency, is expected to standardize quantum-resistant public-key cryptographic algorithms in 2024. While quantum-resistant cryptography already exists, major organizations like government agencies and banks are unlikely to implement new cryptography without standardization, as they must still meet today’s cybersecurity compliance requirements.

Professor Mashatan says organizations need to start planning their migration to quantum-resistant cryptography now, since their sensitive data are already vulnerable to quantum threats. For example, hackers can harvest and store encrypted data through data breaches today, then wait for quantum computers to decrypt it. If the data remains valuable to the owner, such as Social Insurance Numbers or banking information, it will still be attractive to the hackers once scalable quantum computers become available. 

Drawing on lessons learned from previous cryptographic migrations and from gathering information from cybersecurity professionals working in industry, professor Mashatan recommends that organizations begin two tasks as soon as possible. First, organizations need to understand their cryptographic footprint – where they use cryptography and what their vulnerabilities are. The second task is to start the triage and risk assessment processes to see what data is most vulnerable to future decryption. This is particularly important for sectors that store high-value data such as in health, government and finance, as data tied to individuals for the duration of their lives could be very lucrative to hackers.

“For high-value data owners, the solution in the meantime is to implement hybrid cryptography that combines existing standardized quantum-vulnerable cryptography together with quantum-resistant cryptography,” said professor Mashatan. “This gives organizations a little bit more protection and helps them not be taken by surprise by quantum advances. It buys them some time, too.”

Professor Mashatan’s recommendations on how to execute the migration to quantum-resistant cryptography continue to evolve as researchers learn more about quantum-resistant cryptography and work to develop industry standards. She suggests organizations ensure they have crypto agility and are not locked to specific hardware and software vendors in case those vendors are not prepared to move quickly as quantum computing becomes a reality.

It’s not going to happen overnight. Some of the implementations are going to be so involved, so time-consuming, so complex.

Read “The Complex Path to Quantum Resistance (external link, opens in new window) ” in the journal Communications of the ACM.