Just 5% of Enterprises Have Deployed Quantum-Safe Encryption

The vast majority of businesses in the US, UK and Australia have not yet deployed post-quantum cryptography (PQC), despite a majority believing that quantum computing will break current encryption within five years, according to DigiCert.
The TLS/SSL certificate authority (CA) polled around 1000 senior and C-level cybersecurity managers in the three countries, in organizations of various sizes, nearly half of which had over 1000 employees.
Just 5% said they have quantum-safe encryption already in place, although over half said they feel “very prepared” (38%) or “extremely prepared” (19%) for the coming threat posed by cryptographically relevant quantum computers (CRQCs).
These are machines capable of solving the mathematical problems on which modern asymmetric encryption relies, thus potentially compromising the security of everything from emails and financial transactions to web browsing and VPNs.
Some 69% of DigiCert respondents said they thought that these machines will appear on the horizon in just five years.
However, the quantum threat could theoretically exist today, with groups such as Europol warning of “store now decrypt later” (SNDL) attacks, where threat actors harvest large volumes of encrypted data with a view to unmasking it in the future when CRQCs allow them to do so.
In fact, the five-year timeline may be somewhat optimistic. Yesterday, the National Cyber Security Centre (NCSC) CTO, Ollie Whitehouse, spoke of a “decade-long, national-scale technology change” for UK organizations to adapt to PQC.
However, the scale and complexity of the challenge mean that larger enterprises in critical industries should already be planning their transition to quantum safety. British banking body UK Finance issued such a warning back in 2023.
The NCSC’s Whitehouse confirmed the gravity and size of the challenge. He told CYBERUK attendees that it would require “a complex change programme that makes fixing the Millennium Bug look easy.”
Four Steps to Quantum Safety
Kevin Hilscher, senior director of product management at DigiCert, argued that the journey to PQC represents an “inflection point” in enterprise security.
“Organizations should already be into the early phases of their quantum readiness plan – starting with asset discovery, risk assessment, and crypto-agility,” he added.
“The groundwork being laid today will determine which organizations are positioned to maintain trust and resilience when quantum computing becomes a reality.”
With that in mind, DigiCert recommended the following four steps to help the transition to PQC:
- Inventory cryptographic assets, including certificates and algorithms, prioritize them based on criticality, and decide which need to be upgraded or replaced
- Prioritize replacing encryption algorithms that must be trusted for a long time, such as those used for roots of trust and firmware for long-lived IoT devices
- Explore and test the ways the organization incorporates PQC algorithms. Implementors of cryptographic libraries and security software must start integrating these algorithms into products now
- Become crypto-agile, which means gaining visibility into assets, establishing methods for deploying encryption technologies and responding quickly when security issues arise
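
The first two steps above (inventory, then prioritize what must stay trusted longest) can be sketched as a small triage script. This is an added example, not code from DigiCert or the original article; the asset records, field names, role weights and scoring formula are constructed assumptions.

```python
from datetime import date

# Public-key families broken by Shor's algorithm on a CRQC (matched by prefix).
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDH", "DSA", "DH", "ED25519")
# NIST-standardized PQC families (FIPS 203, 204, 205).
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Assumed weights: roles that anchor trust for other assets rank higher.
ROLE_WEIGHT = {"root-of-trust": 3, "firmware-signing": 3, "tls-server": 1}

def classify(algorithm):
    """Map an inventory algorithm string to pqc / vulnerable / unknown."""
    name = algorithm.upper()
    if name.startswith(PQC):
        return "pqc"
    if name.startswith(QUANTUM_VULNERABLE):
        return "vulnerable"
    return "unknown"  # unrecognized or unrecorded: surface it for manual review

def triage(assets, today):
    """Return assets still needing migration, most urgent first."""
    ranked = []
    for a in assets:
        status = classify(a["algorithm"])
        if status == "pqc":
            continue  # already migrated
        # Years the asset must remain trusted, scaled by how much depends on it.
        years = max(0.0, (a["trusted_until"] - today).days / 365.25)
        score = round(years * ROLE_WEIGHT.get(a["role"], 1), 1)
        ranked.append({"name": a["name"], "status": status, "score": score})
    # Unknown algorithms sort first (inventory gap), then highest score.
    ranked.sort(key=lambda r: (r["status"] != "unknown", -r["score"]))
    return ranked

# Constructed sample inventory; names, algorithms and dates are illustrative.
SAMPLE_TODAY = date(2025, 1, 1)
SAMPLE_INVENTORY = [
    {"name": "www-leaf-cert", "algorithm": "RSA-2048",
     "role": "tls-server", "trusted_until": date(2026, 1, 1)},
    {"name": "internal-root-ca", "algorithm": "RSA-4096",
     "role": "root-of-trust", "trusted_until": date(2035, 1, 1)},
    {"name": "iot-firmware-signer", "algorithm": "ECDSA-P256",
     "role": "firmware-signing", "trusted_until": date(2040, 1, 1)},
    {"name": "pilot-signer", "algorithm": "ML-DSA-65",
     "role": "firmware-signing", "trusted_until": date(2040, 1, 1)},
    {"name": "legacy-appliance", "algorithm": "unrecorded",
     "role": "vpn-gateway", "trusted_until": date(2030, 1, 1)},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f'{row["score"]:>5}  {row["status"]:<10}  {row["name"]}')
```

On the sample data the short-lived TLS leaf certificate lands last, while the firmware signer and root CA, which must be trusted for a decade or more, rise to the top behind the asset whose algorithm was never recorded.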