Vince Berk, Chief Strategist at Quantum Xchange and founder of FlowTraq, is at the forefront of the quantum computing security discussion. While the mainstream adoption of quantum computing remains uncertain, the threat it poses in terms of data theft and decryption is a significant concern for cybersecurity professionals. Post-Quantum Cryptography (PQC) mathematical algorithms are emerging as the primary defense against quantum threats due to their compatibility with conventional computer hardware through simple software updates.
One of the biggest challenges in transitioning to PQC is ensuring that existing systems can effectively communicate using these new algorithms without needing major updates. The European Commission has directed member states to collaborate on developing a comprehensive strategy for implementing a PQC roadmap in public administration systems and critical infrastructure. Additionally, the National Institutes of Standards and Technology (NIST) in the U.S. has narrowed down a list of quantum-safe algorithms to replace existing public-key encryption (PKE), providing guidance for CISOs on strengthening security systems.
NIST recommends starting the migration towards PQC at the cryptographic level, focusing on identifying potential vulnerabilities through a multifaceted discovery process. It is advised to evaluate current cryptography and create an inventory of existing systems even before finalizing PQC standards. Different approaches, such as inspecting installed certificates, scanning the network, and continuous monitoring, can be used to create a comprehensive inventory of cryptography in preparation for the migration to post-quantum encryption.
Inspecting installed certificates on endpoints can show cryptography “as designed” but may not fully reveal how encryption is actually implemented. Network scanning can identify weak encryption or unencrypted services but may miss instances where clients downgrade cryptography. Continuous monitoring offers a more comprehensive approach by continuously tracking which clients use what encryption and identifying any instances of weak encryption in use. Reacting in near-real time to non-compliant systems is crucial in maintaining a strong security posture during the transition to post-quantum cryptography.
In many cases, enterprises have discovered that their current cryptography is not as robust as initially believed during readiness assessments. Systems that appear to work seamlessly may have vulnerabilities that go unnoticed, putting them at risk of cyberattacks. Continuous scanning provides valuable insights into the security posture of systems and helps identify potential blind spots, creating clarity in preparation for implementing PQC. The insights gained from a comprehensive approach to quantum readiness and the ability to react quickly to non-compliant systems will be crucial in ensuring a smooth transition to post-quantum cryptography.
