Post Quantum Cryptography - some pointers and some help

Posted by Patrick Townsend on Feb 11, 2023 12:09:21 PM

Should you be doing something about Post Quantum Cryptography (PQC)?

The answer is Yes, but probably not in the way you are thinking.

For most organizations there is no urgent need to make near-term changes to your application and network encryption strategy. The threat of quantum computing to encryption is real, but most security researchers feel that a practical threat to current encryption methods is still in the future. Of course, there may be certain highly sensitive information that should be protected now to prevent future loss due to network capture and archiving, but this probably affects only a very small segment of organizations. Think intelligence and defense organizations. So, most organizations do not need to be making software changes right now.

But there is something you should be doing!

You will need a team with a plan and you will need a good security inventory of your systems. Waiting until there is a real threat is a really bad idea. The executive team will not have the information and understanding they need to make decisions, and you won’t have a prioritized list of the most sensitive items to tackle first. That would be a painful situation to be in. And we will all be in that situation some day!

Where can you get some help with organizing these initial tasks?

There are multiple sources of information about post quantum cryptography planning. But the one I like the best is from the Cloud Security Alliance. It has practical guidance about how to talk to key decision makers in the organization, and how to build an initial team that includes management, IT and users. The CSA framework recognizes that there will need to be common agreement about tackling this problem as it will require both human and financial resources. The CSA document is titled “Practical Preparations for the Post Quantum World” and you can find it here:

This plan starts with the education of the management team and users. That is exactly the right place to start. When it comes time to start taking inventory of your applications and systems, the management team will need to approve the use of employees’ time. And there may be a need to engage outside vendors in the discussion.

So, now is the time to get started. Remember the Y2K panic? The PQC transition is going to be much larger and more complicated, in my opinion. You won’t regret being ahead of the curve.

