Barely heard through the loud, thumping dubstep that is AI marketing, one of the things that will need attention soon is the move to post-quantum cryptography (PQC).

When quantum computers reach a certain level of processing power in the future, it will be possible to use these machines to break today’s ubiquitous and effective encryption.

There is no estimate or even a consensus as to when quantum computers will be able to threaten the encryption infrastructure used today. But that doesn’t fundamentally matter.

Major government organisations, including the US CISA, the UK’s NCSC, and the European Commission, have all mandated that organisations move to adopt quantum-resistant encryption by 2035.

This encryption is based on standards created at the US National Institute of Science and Technology (NIST).  

Now, 2035 sounds like a long time – but replacing the base encryption used for data in flight and data at rest is a huge task. On top of that, there is worry about a tactic known as store and decrypt, in which bad actors collect data encrypted with today’s standards, then use quantum computing later to decrypt it.

Game plan PQC

Most governments have laid out a framework for how to approach the problem of PQC and how to proceed. The steps are broad – but show the scope of the work needed, and the necessity of buy-in by everyone – including the CEO and the Board.

There will also be considerable input from teams that evaluate risk for the organisation. It will require a steering committee, and heavy involvement from both information technology departments (IT) and operational technology departments (OT).

At the end of the day, a plan must be formed, based on the criticality of each system, cost, existing replacement plans, and other risk factors, depending on a given organisation’s needs. Partnering with the organisation’s vendors and service providers to get guidance on when they will support PQC will need to be part of the process as well.

Once the discovery, prioritisation and planning stages are done, implementation can proceed, with the government-mandated deadlines kept in mind. With the plan in place, adjustments for unknowns can be made using the criticality and risk evaluations.

The project starts now

Of course, all of this sounds like a nightmare-level project. However, given the distant time horizon, it doesn’t have to be, provided the required organisational buy-in, discovery, evaluation, and planning starts now.

Many of the PQC updates can be part of normal upgrade/lifecycle activity. Planning will allow the move to PQC to be strategic, a way to get several things done at once, and avoid rushed decision making and implementation.

It will also allow the organisation to make hard choices with due consideration, such as what to do about systems that cannot be upgraded but need to be. But to get to PQC, organisations need to start now – putting it off will cost money and time, and put the organisation at risk.