Malicious hackers aren’t yet using quantum computing technology to decrypt sensitive data that they’ve exfiltrated from their victims. However, that doesn’t mean companies should dillydally when it comes to implementing the new post-quantum encryption standards just released this month by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST).
Anticipating the advent of quantum-based decryption, cybercriminals are adopting a strategy known as “steal now, decrypt later” – stealing encrypted data from victim organizations with the expectation that, down the line, they will have the tools needed to undo the protections.
And thus it behooves organizations to take advantage of NIST’s standards by beginning to implement them before a sudden advance in quantum computing catches the cybersecurity community by surprise sometime over the next decade.
“NIST is providing invaluable expertise to develop innovative solutions to our quantum challenges, including security measures like post-quantum cryptography that organizations can start to implement to secure our post-quantum future,” said Deputy Secretary of Commerce Don Graves in a recent press release issued by NIST. “As this decade-long endeavor continues, we look forward to continuing Commerce’s legacy of leadership in this vital space.”
The new standards, and the algorithms that accompany them, include Federal Information Processing Standard (FIPS) 203, which NIST identified as the “primary standard for general encryption.” NIST noted that the chief advantage of this standard is its relatively “small encryption keys that two parties can exchange easily,” in addition to its speed of operation.
FIPS 203 is complemented by FIPS 204, which was designed to protect digital signatures, and FIPS 205, which was also created to safeguard digital signatures, but as a backup in case vulnerabilities emerge in FIPS 204.
In a public information sheet last year, NIST, the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) explained why now is the time to prepare for the eventuality of quantum computing, noting that it will take time to successfully plan out and execute a post-quantum cryptography migration.
For instance, companies will need to identify where among their IT and OT systems they use cryptography that will ultimately become outdated and susceptible to quantum-based algorithms – much as organizations already conduct attack surface management and asset management exercises to look for vulnerable or rogue IT devices in their environments.
“CISA, NSA, and NIST urge organizations to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors…” the aforementioned information sheet stated, warning that today’s cryptographic algorithms will not hold up to quantum-based decryption. “Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation.”