Meanwhile, some people are still unconvinced of the urgency.
Somebody else’s problem
Quantum computing has been ten to twenty years away for decades. Is today any different? I wouldn’t blame someone if they thought that way.
And, according to ICASA’s recent survey of more than 2,600 security and privacy professionals, only 5% say that PQC is a high business priority for the near future.
There’s a lot happening in the business world right now and by the time quantum computers arrive, someone else will be in charge and they can deal with it. Twenty years, ten years, even five years seems like a lifetime right now. Who knows what the world will even look like then or if jobs will even exist?
Plus, who does their own encryption these days, anyway? According to the IBM survey, 62% of executives believe that vendors will handle the PQC transition. And that might move the needle for some organizations, says Thales’ Canavan, but organizations with highly sensitive data, like large financial institutions, aren’t going to rely on blind faith. “Trust but verify is absolutely essential,” he says.
HSBC, for example, brought in a big chunk of its vendor community, he says. “All of us are part of their cryptographic center of excellence,” he says. “And are verifying all the scenarios.”
Signs of progress
In an October report, content delivery network Cloudflare announced that a major milestone had just been passed: More than half of human-initiated traffic on the network is now using post-quantum encryption.
In other news, symmetric encryption is already quantum safe. Symmetric encryption is when the same key is used to both encrypt and decrypt data, and it’s commonly used by organizations when they store their data.
It’s asymmetric encryption, the kind used for public communications, online purchases, and banking transactions, that is most at risk.
Fortunately, TLS 1.3 is here, says CyberArk’s Bocek, and it’s ready for PQC. “We have the ability to perform post-quantum safe key exchange,” he says. “Which is, right out, our best protection against harvest-now, decrypt-later on the network.”
Speaking of TLS, another pressing concern is that starting next year, Microsoft, Google, and Apple will enforce certificate lifecycles. “It will go from over a year validity to 200 days in March, and all the way down to 47 days in 2029,” says Bocek.
This is actually an opportunity for PQC, he says. If a company modernizes its TLS certificate management process today for PQC, it will also be ready to handle the new certificate lifecycles. “That’s an immediate collateral benefit and a business case that I can make immediately — and making the business case for post-quantum encryption is difficult.”
Still, despite the difficulty, companies are beginning to put money towards PQC efforts. Forrester predicts that quantum security spending will exceed 5% of the overall IT security budget next year.
“Leaders increasingly understand that the quantum threat is not a distant possibility but a foreseeable event,” says Chris Hickman, CSO at Keyfactor. “Discussions have moved from awareness to action, focusing on how to gain full visibility into cryptographic assets and prepare for a transition to post-quantum cryptography. This marks a significant change in mindset. The question is no longer ‘Will quantum computing be a threat?’ but rather, ‘How do we prepare our systems, data, and governance now to stay secure in a post-quantum world?’”
