#Infosec2025: Demand More of Your Vendors to Ease Quantum Transition, Say Experts

June 3, 2025

Speaking on day one of Infosecurity Europe today, a panel debated the challenges facing governments and organizations as the clock runs down to the production of cryptographically relevant quantum computers (CRQCs).

These machines will be capable of breaking asymmetric encryption, and thereby exposing the financial transactions, sensitive data and secure communications on which much of the world depends.

The panel argued that, although this is a fixable problem, it is still not being taken seriously enough in many organizations, especially supply chain partners. Work needs to start now on transitioning to post-quantum cryptography (PQC), particularly for secrets that may need to be stored for a long time, they said.

“If you have long-duration secrets, you should really think about this now, or you should have been thinking about it for years, and you should have a plan for that,” said Lastwall CEO Karl Holmqvist. “It’s somewhat concerning to run into people who say ‘we’ll deal with that later.’”


Santander global head of cybersecurity research, Dan Cuthbert, argued that CISOs should ask more of their vendors, to help with the transition.

“If you go to all the vendors outside, ask them what PQC readiness they have,” he urged the audience. “As customers, we need to start to ask these vendors ‘what’s your roadmap?’ ‘When is it going to happen?’ ‘Are you PQC ready?’ Put the cost onto them, because we are product driven.”

Lastwall’s Holmqvist went a step further, arguing that customers should demand cryptography bills of materials (CBOMs) from their vendors, in the same way they already do with software (SBOMs).

“[Tell them:] Show us the list of cryptography that’s used in your product stack,” he urged. “And ask ‘when will you have this ready, if you don’t already?’”

Anne Leslie, IBM cloud risk and controls leader, noted that some erstwhile competitors in supply chains and sectors are coming together to “augment what they individually know through collective action.”

She added: “If you are a practitioner who’s struggling to get traction, latch onto these groups which are really making great strides.”

Leslie also argued that regulation could help CISOs to make the case for investment at a board level, claiming that both NIS2 and DORA expect complying organizations to continually maintain and harden their cryptography as threats evolve.

“People aren’t paying attention to that but it’s in there. If nothing else, board members should be paying attention to it,” she added. “In some cases, regulation can actually be an ally.”

What Happens Next?

If CISOs do manage to secure funding for post-quantum computing projects, the best place to start is to understand where and what the corporate crown jewels are, said Lastwall’s Holmqvist.

“People need to take a really hard look and ask ‘what information, if lost, would sink our company?’ A lot of companies surprisingly don’t really have a clear list,” he argued.

The second stage should be an audit of how cryptography is used inside the organization, including analysis of traffic flows and requesting CBOMs from vendors, argued Santander’s Cuthbert.
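To make the audit step concrete, here is an added illustration (not code from the panel, Lastwall, Santander or any vendor) of how a security team might triage a vendor's cryptographic inventory once the CBOM arrives. It assumes a simplified asset record rather than a full CycloneDX CBOM document, and uses a hypothetical CRQC planning year (2035) as the cut-off for the harvest-now-decrypt-later test on long-duration secrets; both are assumptions for the example, not figures from the article.

```python
"""Triage a vendor's cryptographic inventory (CBOM-style) for post-quantum migration.

Added example for illustration; the record format is a simplified stand-in for a
full CycloneDX CBOM document and the CRQC year is a planning placeholder.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Public-key families whose security rests on factoring or discrete logs,
# which Shor's algorithm on a CRQC would break.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
# NIST-standardised PQC families (FIPS 203/204/205).
PQC_READY = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers and hashes keep working; Grover only roughly halves the
# effective security level, so 256-bit parameters are the target.
SYMMETRIC = {"AES", "ChaCha20", "SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512"}

ASSUMED_CRQC_YEAR = 2035  # planning assumption for the HNDL test, not a prediction


@dataclass
class CryptoAsset:
    component: str        # product or subsystem that uses the primitive
    primitive: str        # algorithm family; hybrids written "X25519+ML-KEM"
    security_bits: int    # key size for ciphers, output size for hashes
    purpose: str          # "key-exchange", "signature", "encryption" or "hash"
    protects_until: int   # year until which the protected data must stay secret/authentic


def classify(asset: CryptoAsset) -> str:
    """Return the quantum status of one asset."""
    families = {p.strip() for p in asset.primitive.split("+")}
    if families & PQC_READY:
        return "pqc-ready"           # native PQC, or a hybrid that includes it
    if families & SHOR_BROKEN:
        return "quantum-vulnerable"
    if families & SYMMETRIC:
        return "adequate" if asset.security_bits >= 256 else "grover-weakened"
    return "unknown"                 # unrecognised: a follow-up question for the vendor


def priority(asset: CryptoAsset, status: str) -> str:
    """Rank remediation. Confidentiality that must outlast the assumed CRQC year is
    exposed to harvest-now-decrypt-later, so it goes first; signatures only fail
    once a CRQC actually exists, so they can follow the planned roadmap."""
    if status == "quantum-vulnerable":
        long_lived = asset.protects_until >= ASSUMED_CRQC_YEAR
        if asset.purpose in ("key-exchange", "encryption") and long_lived:
            return "urgent"
        return "planned"
    if status == "grover-weakened":
        return "planned"
    if status == "unknown":
        return "investigate"
    return "none"


def triage(assets: List[CryptoAsset]) -> List[Dict[str, str]]:
    """Produce one triage row per asset, most urgent first."""
    order = {"urgent": 0, "investigate": 1, "planned": 2, "none": 3}
    rows = []
    for a in assets:
        status = classify(a)
        rows.append({"component": a.component, "primitive": a.primitive,
                     "status": status, "priority": priority(a, status)})
    return sorted(rows, key=lambda r: order[r["priority"]])


def summarize(assets: List[CryptoAsset]) -> Dict[str, int]:
    """Count assets per priority: the numbers a CISO would put in front of the board."""
    return dict(Counter(r["priority"] for r in triage(assets)))


# Constructed sample inventory, as a vendor might return it in answer to a CBOM request.
SAMPLE_CBOM = [
    CryptoAsset("vpn-gateway", "RSA", 2048, "key-exchange", 2045),
    CryptoAsset("archive-encryption", "AES", 128, "encryption", 2050),
    CryptoAsset("firmware-signing", "Ed25519", 256, "signature", 2030),
    CryptoAsset("tls-frontend", "X25519+ML-KEM", 768, "key-exchange", 2045),
    CryptoAsset("audit-log-hash", "SHA-256", 256, "hash", 2045),
    CryptoAsset("legacy-token", "ProprietaryCipher", 64, "encryption", 2040),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_CBOM):
        print(f"{row['priority']:<11} {row['component']:<20} {row['primitive']:<15} {row['status']}")
    print(summarize(SAMPLE_CBOM))
```

The split between "urgent" and "planned" is the point of the exercise: an RSA key exchange protecting data that must stay confidential past the assumed CRQC year is already at risk today, because captured traffic can be stored and decrypted later, whereas a signature scheme only breaks once the machine exists. Anything the script returns as "unknown" is exactly the question to send back to the vendor along with the roadmap request.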
