by Stephen Lawton

The CISO’s guide to establishing quantum resilience

Feature | 09 Oct 2024 | 10 mins
Encryption, Security, Threat and Vulnerability Management

Security leaders must help their orgs prepare immediately for a post-quantum environment. Here are the steps and strategies CISOs, security teams, and C-suite colleagues must take and shape — starting with facilitating a board-down cultural shift.

[Image: data center administrator using a laptop in a cloud computing facility. Credit: Gorodenkoff / Shutterstock]

Pundits evangelize the benefits and challenges enterprises will face in a post-quantum era, but much still needs to happen before these profound transformations of the computing world begin to affect the way companies do business.

And yet there is one area where preparations must start now: cybersecurity.

Similar to the Y2K crisis, the potential threats from quantum systems — in this case, the ability to overwhelm factorization-based encryption, among other threats — will force corporate boards to address risks outside many members’ comfort zone. Unlike Y2K, however, there is no target date for when those threats become reality.

In fact, with “harvest now, decrypt later” attacks in play, those threats are a lot closer than many board members, C-suite executives, and even CISOs might think — and that is causing some national governments to consider mandates for quantum-resistant encryption.

To help prepare for that uncertain future, industry experts recommend that boards, CEOs, general counsels, CFOs, compliance and risk executives, and senior security executives begin putting strategies, policies, and procedures in place and launch a crypto-agility model, so that the enterprise’s defenses are ready whenever so-called cryptographically relevant quantum computers (CRQCs) come online, be it five, seven, ten or more years down the road.

Here is a practical guide to the steps CISOs, their teams, and members of their C-suites can take now to prepare the enterprise for the quantum computing paradigm shift.

Initiating the culture shift on quantum resilience

Security executives can’t protect the enterprise from the pending quantum threat if they don’t have direct access to the C-suite and the board of directors. The CISO/CSO and CIO need such access to educate and brief the board and senior executives on advancements in quantum technology, as well as the implications for business continuity and regulatory compliance. Relegating quantum advancements to the CSO or CIO as a “technology issue” rather than a business imperative is a recipe for disaster.

“The role of the CISO is to make interesting things important and important things interesting,” says J. Wolfgang Goerlich, faculty at IANS Research. “Whatever the board’s interested in, I need to tie that to what is actually important from a security perspective.”

Michael Brown, field CISO at Presidio, says CSOs and CISOs must start laying the groundwork. “Set the seeds in motion early about quantum encryption and just break it down very simply for them; do not get very technical,” he says. Once board members become comfortable with the concept of quantum computing as a business issue, it will “get them thinking about [their responses for] the next board meeting or the one after that.”

The challenges boards face in understanding and addressing the issues relating to quantum computers are not unlike those faced in the run-up to the Y2K threat in the late 1990s, says Jason Soroko, senior fellow at Sectigo. Boards took ownership not only of the risk but also of the practical prescription for how to solve the problem.

“They basically told the daily practitioners, ‘Okay, guys, you have a job to do. We need to mitigate this risk,’” he says. The Y2K threat was successfully mitigated because it was driven from the top down.

CISOs need to draw this parallel when educating the board on the quantum threat. They and other security professionals should begin talking to board and C-suite members early about potential threats that could impact revenue and operations to ease them into the discussion and enable them to get accustomed to the lingo. This is key because quantum resilience requires a cultural shift for boards. Only then can a comprehensive quantum readiness plan be developed.

Many cyber insurers will brief boards and corporate executives to understand which quantum-focused security controls will be required to obtain cyber insurance or get preferred rates and terms. CISOs should consider enlisting their insurers to help accelerate the necessary cultural shift.

Board and C-suite action items

With the board on board, the enterprise will be better positioned to develop an effective top-down plan for quantum resilience.

Board members and CEOs should direct the C-suite and other executive stakeholders to join Information Sharing and Analysis Centers (ISACs), Fusion Centers, and other quasi-governmental groups to share insights on post-quantum security. They should also task auditors with oversight of corporate actions to become quantum-resilient across the enterprise, and add quantum-related security to the board’s long-term risk management plan.

As for the C-suite, general counsel and compliance/risk officers should be directed to negotiate new contracts with third-party vendors and cloud providers to ensure their technology is quantum-resistant, and to require those vendors to impose the same requirement on their own supply chains.

Procurement processes should also be revised to ensure all new devices are quantum resilient, and corporate auditors should begin auditing contracts, RFP/RFQs, and other documents to ensure that all include post-quantum resilience language.

Upstream business partners should also be asked what quantum-related security they require to continue doing business together. This is critical for your largest business partners.

Quantum preparedness also provides a good opportunity for CISOs and their C-suite colleagues to address lingering third-party risk management issues. If your enterprise has key suppliers that are small and cannot afford to build out expensive quantum defenses, consider helping them build out their defenses as part of the fee for services.

And of course, executives should ensure that compliance staff have current information on quantum-related regulations in every jurisdiction where the enterprise does business.

Setting the quantum resilience strategy

While addressing the quantum threat is an enterprise-wide endeavor, CISOs will play a large role in determining strategy. They will need to initiate an enterprise-wide quantum risk assessment to identify the top potential vulnerabilities in data, infrastructure, cloud environments, and cryptography.

CISOs should also consider working with their boards and executives to create a cryptographic center of excellence, where everyone from the CEO to the practitioners comes to the same table to review the status of their cryptography and discuss any relevant issues. All efforts here and elsewhere should focus on identifying the immediate business impact of quantum threats so that a plan can be put in place to address them, including updating policies and procedures to ensure all of them address the transition to post-quantum cryptography (PQC) and the threats it is meant to counter.

As CISO, you will also need to prepare your security teams to do their part in ensuring quantum resilience. This includes identifying your most vulnerable systems and data for priority remediation and protecting data in transit to avoid the harvest-now-decrypt-later problem, especially data that will remain valuable in the future (e.g., intellectual property, trade secrets, or personally identifiable information).

Your security architects will need to be informed that quantum resilience should be part of every RFP and RFQ going forward.

It is also worthwhile to begin creating tabletop exercises to expose board members and others to the threats that post-quantum cryptography is meant to address. To be fully effective, these exercises should require board and C-suite participation.

Prepare your infrastructure

Preparing today’s infrastructure for changes that are perhaps 10 years down the road starts with the procurement process. This can be a daunting exercise. Purchasing network devices that use NIST-approved or other quantum-ready algorithms over the next several years will eliminate a forklift upgrade later. Ensuring through contractual agreements that your cloud providers are becoming quantum-ready is also essential.

Inventory your partners and service providers as you do your own networks, Presidio’s Brown says. If they are not planning an early upgrade or say they do not need to, you still have time to find replacement partners.

Kevin Bocek, chief innovation officer at Venafi, says organizations need to automate their security systems if companies such as Google go ahead with plans to require TLS and other certificate updates every 90 days. Most organizations are not set up to update their certificates manually that frequently, he notes.

Additional infrastructure action items include the following:

  • Use quantum preparedness to pay off tech debt by improving infrastructure, network devices, software, and encryption.
  • Identify assets protected under GDPR regulations. These assets should already be protected with AES-256, lowering their priority in your protection program.
  • Evaluate your existing encryption strategy. Data in transit, at rest, and in memory will be at risk if you use encryption based on factorization.
  • Review your key management strategy.
  • Recognize that quantum preparedness is an IT and OT issue and should be treated as such.
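The risk assessment and the infrastructure action items above both come down to the same two questions for every system in the inventory: does its cryptography depend on factorization or discrete logarithms, and will the data it protects still matter when a CRQC arrives? The following is an added example, not code from the article or any of the quoted organizations. It triages a constructed inventory using the widely cited heuristic attributed to Michele Mosca: if the years the data must stay secret plus the years needed to migrate exceed the years until a CRQC, traffic harvested today is already exposed. The algorithm groupings, the sample assets, and the 10-year horizon are all assumptions chosen for illustration; plug in your own inventory and your own estimate of the horizon.

```python
"""Cryptographic inventory triage for post-quantum planning (added example).

Classifies inventory records by whether their cryptography depends on
factorization / discrete logs (broken by Shor's algorithm on a CRQC) and ranks
them by harvest-now-decrypt-later (HNDL) exposure using the Mosca heuristic:
shelf_life + migrate_time > crqc_horizon  means the asset is already exposed.
All records and horizon figures are constructed for illustration.
"""
from dataclasses import dataclass

# Stand-in algorithm families; not an official list.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDSA", "ECDH", "EdDSA"}  # Shor breaks these
SYMMETRIC = {"AES", "ChaCha20"}        # Grover roughly halves effective key strength
HASH = {"SHA-256", "SHA-384", "SHA3-256"}


@dataclass
class Asset:
    name: str
    algorithm: str           # family name as above
    key_bits: int
    shelf_life_years: float  # how long the protected data must stay confidential
    migrate_years: float     # estimated time to re-key / replace this system


def classify(asset):
    """Return (status, reason) for one inventory record."""
    if asset.algorithm in QUANTUM_VULNERABLE:
        return "replace", (f"{asset.algorithm}-{asset.key_bits} relies on "
                           "factorization/discrete log; larger keys do not help")
    if asset.algorithm in SYMMETRIC:
        if asset.key_bits < 256:
            return "upgrade", (f"{asset.algorithm}-{asset.key_bits}: Grover halves "
                               "effective strength; move to 256-bit keys")
        return "ok", f"{asset.algorithm}-{asset.key_bits} keeps ~128-bit post-quantum strength"
    if asset.algorithm in HASH:
        return "ok", f"{asset.algorithm} is not factorization-based"
    return "review", f"unknown algorithm {asset.algorithm!r}; inventory data incomplete"


def hndl_exposed(asset, crqc_horizon_years):
    """Mosca heuristic: x + y > z means harvested ciphertext outlives the migration."""
    return asset.shelf_life_years + asset.migrate_years > crqc_horizon_years


def triage(assets, crqc_horizon_years):
    """Rank assets: vulnerable and HNDL-exposed first, then vulnerable, then upgrades."""
    rows = []
    for a in assets:
        status, reason = classify(a)
        exposed = status == "replace" and hndl_exposed(a, crqc_horizon_years)
        priority = {"replace": 2, "upgrade": 1, "review": 1, "ok": 0}[status]
        priority += 2 if exposed else 0
        rows.append({"name": a.name, "status": status, "hndl_exposed": exposed,
                     "priority": priority, "reason": reason})
    rows.sort(key=lambda r: (-r["priority"], r["name"]))
    return rows


# Constructed sample inventory (not real systems).
SAMPLE_ASSETS = [
    Asset("vpn-gateway",     "RSA",     2048, shelf_life_years=2,   migrate_years=1),
    Asset("hr-records-db",   "AES",     256,  shelf_life_years=25,  migrate_years=2),
    Asset("ip-archive-s3",   "RSA",     4096, shelf_life_years=20,  migrate_years=3),
    Asset("partner-api-tls", "ECDSA",   256,  shelf_life_years=0.5, migrate_years=1),
    Asset("backup-tapes",    "AES",     128,  shelf_life_years=10,  migrate_years=2),
    Asset("code-signing",    "SHA-256", 256,  shelf_life_years=5,   migrate_years=1),
]

if __name__ == "__main__":
    # The 10-year CRQC horizon is an assumption; the article gives a range of 5 to 10+ years.
    for row in triage(SAMPLE_ASSETS, crqc_horizon_years=10):
        flag = "HNDL" if row["hndl_exposed"] else ""
        print(f"{row['priority']} {row['status']:8} {flag:4} {row['name']:16} {row['reason']}")
```

The ordering that falls out is the point: a 4096-bit RSA key protecting a 20-year archive ranks above a 2048-bit RSA VPN key protecting short-lived traffic, because key length buys nothing against Shor while shelf life decides whether harvested ciphertext will still matter. AES-128 is flagged for an upgrade rather than a replacement, which matches the article's note that data already under AES-256 is a lower priority.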

Cryptography: A central issue

Cryptography is likely to be the most challenging aspect for security teams. Any encryption technology that relies on factorization is expected to become obsolete immediately once such machines exist. It doesn’t matter how many bits are used for encryption; factorization-based schemes will fail.

A report issued last month by the Foundation for Defense of Democracies includes target dates by which various standards and regulations are expected to be completed, along with its own list of things to do to prepare for quantum computers from a cryptographic perspective. The report also reviews various government efforts that will help guide board and security team activities.

“Acting now to transition to a quantum-resistant architecture is not merely about mitigating future risks. It is also about seizing strategic advantages, safeguarding critical data, and positioning organizations for long-term success,” the report states. “A well-planned transition to quantum-resistant architecture will minimize disruption and cost.”

Goerlich notes that as current security algorithms become obsolete, or as vendors such as Google require key rotations every 90 days rather than annually, security teams will need to employ automation because traditional manual approaches cannot handle the anticipated workload. In addition to rotating keys more frequently, key distribution, random number generators, and incident response operations will also need to be automated, he says.

Cryptography action items for security teams include the following:

  • Employ a crypto-agility model, in which the system, platform, or application can adapt cryptographic mechanisms and algorithms rapidly by implementing policies and procedures that respond to changing threats, technological advances, or vulnerabilities.
  • Name a corporate quantum champion to shepherd through the transition process from existing cryptography to quantum-resilient technology.
  • Develop a realistic transition plan to PQC from existing factorization-based encryption.
  • Monitor existing encryption controls and migrate to quantum-resilient models as appropriate.
  • Consider migrating from RSA or elliptic curve cryptography (ECC) to AES-256 or hash-based cryptography.
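The first action item, a crypto-agility model, is easier to see than to describe: the property that matters is that no caller hard-codes an algorithm, every protected object records which algorithm produced it, and a policy table (not code) decides what new objects must use and which older ones may still be accepted. The following is an added example, not code from the article or any vendor quoted in it. Two HMAC constructions over different hash functions stand in for the real primitives so that it runs with the Python standard library alone; a PQC signature or KEM would be registered in the same table. The policy names, the lifecycle states, and the demo key are all constructed.

```python
"""Crypto-agility skeleton: algorithm choice driven by policy, not by callers (added example).

Each protected object carries the id of the algorithm that produced it. A policy
maps algorithm ids to lifecycle states: "preferred" (used for all new objects),
"legacy" (still verifies, but flagged for re-protection) or "forbidden" (rejected).
Migrating the estate is a policy change plus a re-protect pass, with no caller edits.
HMAC-SHA256 / HMAC-SHA3-256 are stand-ins for real primitives; the demo key is constructed.
"""
import hashlib
import hmac
import json

# Registry: algorithm id -> callable(key, data) -> tag bytes.
REGISTRY = {
    "hmac-sha256":   lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, data: hmac.new(key, data, hashlib.sha3_256).digest(),
}

# Three points in a hypothetical migration, expressed purely as policy.
POLICY_V1 = {"hmac-sha256": "preferred", "hmac-sha3-256": "legacy"}
POLICY_V2 = {"hmac-sha256": "legacy",    "hmac-sha3-256": "preferred"}  # migration decided
POLICY_V3 = {"hmac-sha256": "forbidden", "hmac-sha3-256": "preferred"}  # sunset complete


def preferred_algorithm(policy):
    """The single algorithm the policy allows for protecting new data."""
    chosen = [alg for alg, state in policy.items() if state == "preferred"]
    if len(chosen) != 1:
        raise ValueError("policy must name exactly one preferred algorithm")
    return chosen[0]


def protect(policy, key, payload):
    """Wrap payload with a tag and record which algorithm made it."""
    alg = preferred_algorithm(policy)
    tag = REGISTRY[alg](key, payload)
    return json.dumps({"alg": alg, "payload": payload.decode(), "tag": tag.hex()})


def algorithm_of(envelope):
    """Which registered algorithm a stored envelope claims to use."""
    return json.loads(envelope)["alg"]


def verify(policy, key, envelope):
    """Return (ok, needs_reprotect). Legacy objects verify but are flagged for migration."""
    obj = json.loads(envelope)
    state = policy.get(obj["alg"], "forbidden")
    if state == "forbidden" or obj["alg"] not in REGISTRY:
        return False, False  # reject before doing any cryptography with a retired algorithm
    expected = REGISTRY[obj["alg"]](key, obj["payload"].encode())
    ok = hmac.compare_digest(expected, bytes.fromhex(obj["tag"]))
    return ok, ok and state == "legacy"


def reprotect(policy, key, envelope):
    """Migrate a verified legacy object to the currently preferred algorithm."""
    ok, needs = verify(policy, key, envelope)
    if not ok:
        raise ValueError("refusing to re-protect an object that does not verify")
    if not needs:
        return envelope
    return protect(policy, key, json.loads(envelope)["payload"].encode())


KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    old = protect(POLICY_V1, KEY, b"quarterly-ledger")
    print(verify(POLICY_V2, KEY, old))   # (True, True): still valid, must migrate
    new = reprotect(POLICY_V2, KEY, old)
    print(verify(POLICY_V3, KEY, old))   # (False, False): rejected once sunset
    print(verify(POLICY_V3, KEY, new))   # (True, False): current algorithm, nothing to do
```

The design choice worth copying is the explicit "legacy" state between "preferred" and "forbidden": it lets the monitoring item above ("monitor existing encryption controls and migrate as appropriate") be a report of how many stored objects still verify under a legacy algorithm, and it gives the transition plan a measurable finish line before the old algorithm is switched to "forbidden".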
Contributor

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Cybersecurity Expert in 2022 and 2023, as well as a Global Top 25 Data Expert in 2023. Stephen spent more than a decade with SC Media, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and CEO of AFAB Consulting LLC, a content and cybersecurity consulting firm.
