Below is our recent interview with Tim Hollebeek from DigiCert:
Q: So DigiCert just announced the results of a survey focused on post quantum computing (PQC) and its expected impact on security. What factors led to your decision to conduct a survey on this topic?
A: DigiCert decided to conduct a survey on PQC after realizing that the industry urgently needed more research on quantum computing and the possibility that quantum computers may one day threaten advanced encryption algorithms.
In January, IBM introduced the world’s first circuit-based commercial quantum computer, the IBM Q System One. The promise of quantum computing could disrupt machine learning, medical sciences and particle physics. But it’s important to consider the risks as well.
Before the first full commercial availability of quantum computers, we wanted to delve into what quantum computing could mean for security. These threats could impact even once-safe products like IoT devices and applications with long life cycles.
Q: Tell us a little about the survey. Who did you survey, and were there any key industries targeted?
A: ReRez Research surveyed 400 IT directors, IT security managers and IT generalists in August 2019. They represented enterprise organizations in the United States, Germany and Japan. The survey focused on enterprises with more than 1,000 employees, and those surveyed were evenly spread across four key industries – financial, healthcare, transportation and industrial. We asked survey respondents about their knowledge of PQC, their thoughts on the threat quantum computing poses to cryptography, and the ways they’re preparing to combat this threat.
Q: I think our readers are well aware of the term PQC, but I wonder how many have given it thought and understand how PQC will impact their computing environments in the future. Did your survey give any insight into this?
A: Unfortunately, confusion remains about the term PQC. While seven in 10 of survey respondents said they are “somewhat” to “completely” aware of PQC, less than two-thirds knew the correct definition of it.
One of the biggest revelations of our survey was that 55 percent of respondents consider quantum computing a “somewhat” to “extremely” large threat today and 71 percent believe quantum computing will be a “somewhat” to “extremely” large threat in the future. And survey respondents think that future is imminent. The year 2022 is the median prediction for when PQC would be required to combat the security threat of quantum computing. Only one in four predicted that PQC won’t be needed until 2025 or later.
To counter the threat of quantum computing, eight out of 10 survey respondents told us it is “somewhat” to “extremely” important for IT to learn about quantum-safe security practices.
Q: When do you foresee quantum computing advancing to the point of being able to crack existing cryptographic algorithms?
A: We predict that within the next decade, quantum computers will be able to break today’s most sophisticated encryption algorithms. Serious security issues will emerge as a result – and with them, the need for the industry to develop new cryptographic algorithms that can withstand these quantum computing threats.
Q: Beyond learning about PQC, what else is IT doing to prepare?
A: The good news is that enterprises are taking action to prepare for PQC, with 35 percent reporting that their companies have a PQC budget. Another 56 percent say they’re discussing developing a budget for PQC. That budget will be “somewhat” to “extremely” large, according to 59 percent of respondents, and will fund consultants, products and staff.
To prepare, they’re also considering a number of tactics, including monitoring, developing Transport Layer Security (TLS) best practices, and increasing their knowledge of PQC. They also want to understand, both their organization’s current level of risk and its ability to agilely switch to PQC certificates when needed. Ninety-five percent reported discussing at least lone of these tactics.
Q: What fears does IT have beyond the cryptographic risks they face from quantum computing?
A: Beyond the cryptographic risks, enterprises worry about the high costs associated with battling and mitigating quantum threats. They also are concerned that data that’s stolen today but safe because it’s encrypted could become vulnerable in the future because of quantum attacks. The worry that the current TLS vendor won’t offer a sufficient PQC certificate in time. And they fear that Internet of Things (IoT) devices, cars and ATMs ultimately could be at risk.
Q: How can companies prepare for PQC and stay ahead of the curve and be proactive about this issue, rather than reactive?
A: Besides creating a PQC budget, there are a few actions companies can take to prepare. They should know their risk and establish a quantum crypto maturity model. I recommend that they understand the importance of crypto-agility in their organizations and establish it as a core practice. This means admitting that cryptography changes rapidly and that algorithms must be switched our fast without crashing their networks.
In addition, they should work with leading vendors to establish digital certificate best practices and ensure they are tracking PQC industry progress to help mitigate the risks.