NATO and White House recognize post-quantum threats and prepare for Y2Q


Over the past decade, encryption has emerged as one of the key solutions that organizations use to secure enterprise communications, services and applications. However, the development of quantum computing is putting these defenses at risk, with the next generation of computers having the capability to break the public-key cryptography (PKC) algorithms that this encryption relies on.

While quantum computing technology is still in its infancy, the potential threat of PKC decryption remains. Yesterday, the NATO Cyber Security Center (NCSC) announced that it had tested a post-quantum VPN provided by U.K.-based quantum computing provider Post-Quantum to secure its communication flows.

Post-Quantum’s VPN uses quantum cryptography that it claims is complex enough to prevent a malicious quantum computer from decrypting transmissions. 

The development of these post-quantum cryptographic solutions gives enterprises and technical decision makers a way to protect their encrypted data from quantum computers.

Concerns grow over quantum computing

NATO isn’t alone in taking post-quantum cyber attacks seriously. The U.S. National Institute of Standards and Technology (NIST) recently announced that it was developing a standard to migrate to post-quantum cryptography to begin replacing hardware, software, and services that rely on public-key algorithms. 

At the same time, the White House is also concerned over the threat raised by post-quantum computing, recently releasing a National Security Memorandum which gave the National Security Agency (NSA) 30 days to update the Commercial National Security Algorithm Suite (CNSA Suite) and to add quantum-resistant cryptography. 

The memorandum also noted that within 180 days, agencies that handle national security systems must identify all “instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms” and chart a timeline “to transition these systems to use compliant encryption, to include quantum resistant encryption.” 

Why is quantum computing a concern now? 

While quantum computers aren’t capable of decrypting modern public key algorithms like RSA, Post-Quantum’s CEO Andersen Cheng believes that as quantum technology develops we will reach a Y2Q scenario, where all these security measures are obsolete in the face of the computational power of weaponized quantum computers. 

“People frequently talk about commercial quantum computers when referencing this Y2Q moment, and that’s a long way off — potentially 10-15 years away. But from a cybersecurity perspective, we’re not talking about slick commercial machines; a huge, poorly functioning prototype in the basement is all that’s needed to break today’s encryption,” Cheng said. 

“It does not need to go through any benchmark review or certification, and this prospect is much closer and it could happen within the next three to five years,” Cheng said. 

If Cheng is correct that non-commercial quantum computing solutions could be developed to weaponize quantum computing in just a few years, then organizations have a limited timeline to enhance their encryption protections, or they risk handing malicious entities and nation-states a skeleton key to their private data.

However, it’s not just data that is exposed post-Y2Q that’s at risk; potentially any encrypted data that’s been harvested in the past could then be decrypted as part of a retrospective attack.

“Quantum decryption can be applied retrospectively, in that the groundwork for a ‘harvest now, decrypt later’ attack could be laid today. This means that, if a rogue nation-state or bad actor intercepted data today, they could decrypt this harvested data once quantum computers’ capabilities exceed those of classical computers,” he said. 

A look at the post-quantum cryptography market 

As more enterprises recognize the need for quantum cryptography in a post-quantum world, the post-quantum cryptography market is anticipated to reach $9.5 billion by 2029, with more than 80% of revenues from the market coming from web browsers, the IoT, machine tools, and the cybersecurity industry. 

While quantum computing could pose a substantial threat to enterprises down the line, a wide range of solution providers are emerging that are developing state-of-the-art post-quantum cryptographic solutions to mitigate this.

One such provider is UK-based post-quantum provider PQShield, which offers a range of quantum-secure solutions, from IoT firmware to PKI, mobile and server technologies, as well as end-user applications.

Some of PQShield’s most recent developments include researchers and engineers contributing to the NIST Post-Quantum Cryptography Standardization Process, and the company recently raising $20 million as part of a Series A funding round.

Another promising provider is Crypta Labs, which raised £5.5 million ($7.4 million USD) in seed funding in 2020, and recently developed the world’s first space compliant Quantum Random Number Generator, which will be used to securely encrypt satellite data. 

Post-Quantum itself is also in a strong position, with its encryption algorithm NTS-KEM becoming the only code-based finalist in the NIST process to identify a cryptographic standard to replace RSA and Elliptic Curve for PKC in the post-quantum world. 

In any case, the wave of providers developing state-of-the-art cryptographic algorithms means there are plenty of solutions for enterprises to deploy to mitigate the risk of quantum computing, now and in the future, to ensure that their private data stays protected.

Originally appeared on: TheSpuzz