Is PQC Going to Become the Next Y2K?

JC Gaillard's column on cybersecurity

Doing nothing could be dangerously short-termist given how clear the path appears to be around quantum research development.

I don’t think we are hearing enough about the importance of post-quantum cryptography across the cybersecurity industry.

And when the topic is present in discussions, quite often it remains shrouded in some form of Sci-Fi aura.

It needs to be seen as a serious matter and has to be on the agenda of tech leaders in many industries: Businesses use cryptography at a large number of levels to protect information integrity and confidentiality; we are heading towards a point where those encryption algorithms are going to be challenged by quantum technology.

How far are we from that moment? The time horizon is not clear; 5 to 10 years seems to be the most common estimate. But the hard reality is that research in that field is progressing every day and AI is already accelerating it further.

Given its inherent technological complexity and the costs involved, it is likely state-backed actors will be first to benefit from it and that should concern all firms active in the defence sector or involved in national infrastructure protection at any level: Utilities, energy firms, transport operators, payment platforms, etc…

Everywhere long shelf-life sensitive data is currently protected by encryption mechanisms, “Harvest-Now-Decrypt-Later” threats must be treated as real.

Where should you start if you are only approaching the problem now?

Good management and leadership common sense dictate starting now, without waiting for urgency to set in, and beginning with a sound inventory of the tech assets that use encryption and of how their keys are stored.

It may sound like a simple step, but it is likely to challenge cybersecurity practices in many firms:

  • To be exhaustive, the approach will require a comprehensive knowledge of your tech assets to start with.
  • It will also require good relationships between cybersecurity and development teams, because the detailed knowledge is likely to be with developers and support teams.
  • Finally, it will require a comprehensive understanding of the vendor landscape across your supply chain, and sufficiently good relationships with suppliers to assess their quantum readiness.

Cybersecurity practices in many large firms struggle with those three aspects because of the growing complexity, massive externalisation and digitalisation of their operating environments over the past two decades.

For those, approaching the problem is always going to be complex and expensive, as it will always challenge pre-existing dysfunctions or governance practices.

In addition, business leaders are likely to struggle, over the short term, to give priority to a topic for which there is no clear time horizon.

That’s why I think we may be heading for some form of Y2K moment, when all industry sectors are going to realise that they might be running out of time and will scramble in a mad panic to get their entire environments checked from top to bottom, possibly under the pressure of a fierce regulatory intervention.

For now, overall, I think it is key to take the topic seriously, and beyond monitoring the situation, start taking active steps – at least – to improve readiness.

That should involve addressing existing issues across the board in the three areas highlighted above: Some steps may be relatively easy to take, for example, adding quantum readiness to vendor risk or supplier assessment programmes. Some may be more complex, for example if the asset landscape is poorly mapped out or too fragmented.

But one thing is becoming increasingly certain: Doing nothing could be dangerously short-termist given how clear the path appears to be around quantum research development.

JC Gaillard

Founder & CEO

Corix Partners

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.