In this blog, we will start to outline some thoughts on approaches for the current and coming crypto issues and how these will begin to impact our IT projects, systems, and processes.
But first, some context about what we are in fact discussing here. In this specific blog we are not focussed on the challenges posed by the development of quantum computers, their software, the pace of their breakthroughs, or their first use cases. We are, instead, discussing how to create a quantum-safe haven for the protection of our systems, data, identities, and IP – digital trust. We should say, however, that we are very much energized by the myriad possibilities of quantum computing in a wide range of domains and industries.
Creating Digital Trust
There are many dimensions to the issue of creating a new level of digital trust – let’s mention just a few.
Uplifting the Existing
One relates to uplifting the existing set of digital infrastructures and capabilities, built and deployed well before the first words were spoken on how quantum capabilities might threaten cryptography, our primary method of securing such environments.
How do we retrofit this patchwork quilt internally, with all of our suppliers, and with our trading partners? How much time and coordination will be needed to do this? Not all existing infrastructures, data sets, and use cases are of concern, but any that house, exchange, or process personally identifiable information, money, or intellectual assets, or that protect the integrity of our machines and IT systems, do require specific attention – now.
Net New Infrastructure
Another dimension relates to what we call net new infrastructures: those currently being architected and deployed for use cases whose lifespans most certainly will be threatened by quantum capabilities. Examples could include cloud (and its applications), Industrial IoT (including SCADA), identity-linked digital objects of all flavours, digital currency networks, data lakes, and so on. Care should now be taken to ensure that there is a roadmap to making these quantum-safe, or else we are simply adding to a growing to-do list. (When you are in a hole, stop digging!)
Can we rely on these cousins and distant relatives of technology providers to deliver cryptographic solutions that are timely, coordinated, tested, implemented, and updated in lockstep? The competitive market rarely works like that, even for net new infrastructures. New market leaders may well be required for this next phase.
As we noted in an earlier blog, another dimension is that these two primary areas of concern both relate to the retrofit of the whole of the IT stack – and, crucially, the silicon that each component of the stack runs on. We will need to accommodate hybrid crypto (classical and post-quantum will need to be interoperable) for an extended period, and this is just not possible on today’s silicon. So, not only do you have to retrofit the crypto in each component, you also have to retrofit the silicon. Designing new silicon and seeding it with new cryptographic abilities takes time and expertise. (Hint: this is an important part of our capabilities.)
Recently, we attended an industry seminar (IEEE) and picked up two pieces of information that we thought we should share. First, it took BlackBerry, a fully vertically integrated product company, about 5 years to upgrade their customers from Triple DES to AES for a very simple crypto rotation (no silicon update). Second, in one of the talks, a respected quantum professor suggested that we are already within 0-5 years of RSA being broken. (We are not trying to be Chicken Little or the Lazy Squirrel… but is Now a good time?)
Start your Quantum-Safe Journey Now
We think there are a number of ways to begin the process of becoming quantum-safe. One is to think about the value of adopting pre-competitive behaviours for your enterprise and your connected ecosystems. Another is to (collectively) look at your suppliers and ask questions about their product roadmaps and timelines – do they have to update silicon with a new post-quantum root of trust, or are they exploring / testing / deploying post-quantum algorithms to secure the integrity of their software? Another basic matter is to understand all the places your crypto is and where it’s growing. Another is to scope for human resources and budgets. And so on.
In coming blogs, we will begin to talk about all of these issues in a bit more depth. We don’t want to create alarm, but we believe these issues should be on the radar. We believe this exercise brings broad benefits for your security-in-depth approaches to digital trust, not to mention the ability to secure your quantum investments. All this benefits your stakeholders.
Thanks for reading.