{"id":4161,"date":"2025-07-30T07:00:00","date_gmt":"2025-07-30T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4161"},"modified":"2025-07-30T07:00:00","modified_gmt":"2025-07-30T07:00:00","slug":"prepping-for-the-quantum-threat-requires-a-phased-approach-to-crypto-agility","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4161","title":{"rendered":"Prepping for the quantum threat requires a phased approach to crypto agility"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Enterprises need to act now to address the threats future quantum computing advances pose to current encryption standards.<\/p>\n<p>But the <a href=\"https:\/\/www.csoonline.com\/article\/3552701\/the-cisos-guide-to-establishing-quantum-resilience.html\">transition to post-quantum cryptography<\/a> can only be achieved by a phased migration rather than a forklift upgrade, advise financial services execs at the forefront of establishing quantum resiliency at their organizations.<\/p>\n<p>Current quantum computers are still limited by high error rates but <a href=\"https:\/\/www.csoonline.com\/article\/3995036\/breaking-rsa-encryption-just-got-20x-easier-for-quantum-computers.html\">recent progress<\/a> suggests that most traditional public key cryptography (PKC) algorithms might soon be vulnerable to attack, possibly within five years. This includes RSA, Diffie-Hellman, and other PKC methods that rely on mathematical problems such as factoring large numbers or computing discrete logarithms to encrypt data.<\/p>\n<p>Sensitive, long-lived data (financial, legal, health, drug discovery, etc.) 
is particularly vulnerable because attackers may already be collecting encrypted data to crack once quantum computing technology matures, through so-called <a href=\"https:\/\/www.csoonline.com\/article\/571721\/collect-today-decrypt-tomorrow-how-russia-and-china-are-preparing-for-quantum-computing.html\">harvest now, decrypt later attacks<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Phased migration to PQC<\/strong><\/h2>\n<p>To defend against such attacks, enterprises must transition to <a href=\"https:\/\/www.csoonline.com\/article\/654887\/11-notable-post-quantum-cryptography-initiatives-launched-in-2023.html\">post-quantum cryptography<\/a> (PQC) as soon as they can.<\/p>\n<p>In August 2024, the US National Institute of Standards and Technology (NIST) <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2024\/08\/nist-releases-first-3-finalized-post-quantum-encryption-standards\">released its first three finalized PQC standards<\/a> after an extensive, multi-year evaluation process. 
NIST and other agencies such as the UK\u2019s National Cyber Security Centre <a href=\"https:\/\/www.ncsc.gov.uk\/guidance\/pqc-migration-timelines\">have published roadmaps for a phased migration<\/a> to quantum-secure systems by 2035.<\/p>\n<p>Investing in PQC readiness is both a security necessity and, increasingly, a compliance requirement.<\/p>\n<p><a href=\"https:\/\/ie.linkedin.com\/in\/sudhaeiyer\">Sudha E Iyer<\/a>, chief cybersecurity architect for data security and CISO data management at Citi, said that financial resilience is a top-order priority for the bank, which started its PQC migration project in 2021.<\/p>\n<p>\u201cNow that NIST has given [ratified] standards, it\u2019s much easier to implement the mathematics,\u201d Iyer said during a recent webinar for organizations transitioning to PQC, entitled \u201c<a href=\"https:\/\/resources.fortanix.com\/your-data-is-not-safe-quantum-readiness-is-urgent-on-demand-webinar\">Your Data Is Not Safe! Quantum Readiness is Urgent<\/a>.\u201d \u201cBut then there are other aspects like the implementation protocols, how the PCI DSS and the other health sector industry standards or low-level standards are available.\u201d<\/p>\n<p>She continued: \u201cSo we are looking forward to these standards coming out and reference architectures coming out. And once they are out, it would be easier to implement them.\u201d<\/p>\n<p>Richard Searle, chief AI officer at Fortanix, cautioned CISOs against delaying PQC strategies.<\/p>\n<p>\u201cYou\u2019re not going to be able to do this as a single big bang approach,\u201d he said. 
\u201cIf it takes you until 2028 to figure out which legacy systems are not going to be able to support that cryptography or where the impact is going to be, it\u2019s going to be very difficult to then make the transition to PQC-safe algorithms by the dates for deprecation of our legacy cryptography that have been set down by those regulatory agencies that are leading the global effort.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>Missing pieces<\/strong><\/h2>\n<p><a href=\"https:\/\/www.digicert.com\/blog\/author\/michael-smith\">Michael Smith<\/a>, field CTO at DigiCert, noted that the industry is \u201cyet to develop a completely PQC-safe TLS protocol.\u201d<\/p>\n<p>\u201cWe have the algorithms for encryption and signatures, but TLS as a protocol doesn\u2019t have a quantum-safe session key exchange and we\u2019re still using Diffie-Hellman variants,\u201d Smith explained. \u201cThis is why the US government in their latest <a href=\"https:\/\/iapp.org\/news\/a\/trump-administration-issues-first-cybersecurity-executive-order-what-you-need-to-know\">Cybersecurity Executive Order<\/a> required that government agencies move towards TLS1.3 as a crypto agility measure to prepare for a protocol upgrade that would make it PQC-safe.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/davidalanchapman\/\">David Chapman<\/a>, director of identity access management at PenFed Credit Union, advised other enterprises to plan for a PQC world despite current gaps in technological development.<\/p>\n<p>\u201cThis is not something that can just be kicked down the road until everything is all in place out there in the industry and all the ciphers are out and everybody is fully supporting it,\u201d Chapman advised at the webinar.<\/p>\n<p>Upgrading to quantum-safe cryptography needs to be preceded by an inventory of all cryptographic assets \u2014 known as a cryptographic bill of materials (CBOM) \u2014 to determine which are most vulnerable to 
quantum attacks.<\/p>\n<p>Businesses should prioritize upgrading critical assets to quantum-resistant algorithms, testing updated systems in controlled environments before putting them into production. Combining current and PQC solutions allows phased rollouts and reduces operational risk.<\/p>\n<p>\u201cEven if you\u2019re not doing post-quantum computing, you need a good [cryptographic] inventory because the CAB [Certification Authority Browser Forum] has recently released the fact that your certificate lifetimes are now going to shrink [progressively] from 397 days down to 47 days by March 2029,\u201d PenFed\u2019s Chapman noted.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Achieving crypto agility<\/strong><\/h2>\n<p><a href=\"https:\/\/uk.linkedin.com\/in\/daniel-cuthbert0x\">Daniel Cuthbert<\/a>, global head of cybersecurity research at Santander, told CSO: \u201cWe need more vendors helping us understand what current crypto capabilities exist in their products. This is where the CBOM really starts to shine and show its importance.\u201d<\/p>\n<p>As things stand, the process of cryptographic discovery is still difficult.<\/p>\n<p>\u201cThere are a handful of commercial tools, which are very expensive, and then only a smattering of open-source tools of which myself and Mark Carney have open-sourced from a Santander perspective,\u201d Cuthbert explained. \u201cUntil we make these tools as easy to use and available to all, that\u2019s where some of the struggle is occurring in organizations.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/ali-kaafarani-b732792a\/\">Dr. 
Ali El Kaafarani<\/a>, CEO and co-founder of post-quantum cryptography vendor PQShield, and one of the architects of the NIST standards, agreed that upgrading from legacy to PQC-based systems is far from trivial.<\/p>\n<p>\u201cPQC isn\u2019t plug-and-play; there\u2019s serious work needed to identify where vulnerable cryptography lives, what can be swapped, and what needs a more bespoke solution to maintain performance requirements,\u201d Dr. Kaafarani told CSO, noting that PQC requires more computing resources and more memory than legacy encryption technologies.<\/p>\n<p>Enterprise CISOs must also push their vendors on their PQC roadmaps.<\/p>\n<p>\u201cI believe the overwhelming majority of enterprises will find that 80% of their cryptography is in their supply chain, which means a lot of the modernization can take place through conversations with vendors,\u201d Dr. Kaafarani added.<\/p>\n<p>PenFed\u2019s Chapman agreed: \u201cQuestion your hardware and software vendors: Are you ready for PQC?\u201d<\/p>\n<p><a href=\"https:\/\/uk.linkedin.com\/in\/nigel-edwards-170591\">Nigel Edwards<\/a>, vice president at Hewlett Packard Enterprise (HPE) Labs, said that more <a href=\"https:\/\/www.csoonline.com\/article\/4002749\/cisos-urged-to-push-vendors-for-roadmaps-on-post-quantum-cryptography-readiness.html\">customers are asking for PQC-readiness plans<\/a> for its products.<\/p>\n<p>\u201cWe need to sort out [upgrading] the processors, the GPUs, the storage controllers, the network controllers,\u201d Edwards said. \u201cEverything that is loading firmware needs to be migrated to using PQC algorithms to authenticate firmware and the software that it\u2019s loading. 
This cannot be done after it\u2019s shipped.\u201d<\/p>\n<p>Experts quizzed by CSO consistently argued that early adoption of PQC offers businesses a potential competitive advantage as well as the opportunity to comply with growing regulatory demands.<\/p>\n<p>\u201cThe EU have set far more aggressive deadlines compared to the US, but I think this will drive more adoption overall,\u201d Cuthbert told CSO. \u201cOrganizations will have to act, even with diminished budget.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Enterprises need to act now to address the threats future quantum computing advances pose to current encryption standards. But the transition to post-quantum cryptography can only be achieved by a phased migration rather than a forklift upgrade, advise financial services execs at the forefront of establishing quantum resiliency at their organizations. Current quantum computers are [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4162,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4161","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4161"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4161"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4161\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4162"}],"
wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}