Security Boulevard (Original)

DigiCert Survey Reveals Post-Quantum Cybersecurity Challenges

At its Trust Summit conference today, DigiCert released the results of a global survey that found 61% of respondents are not, or will not be, prepared to address the security implications of post-quantum computing (PQC).

Conducted by the Ponemon Institute, the survey polled 1,426 IT and cybersecurity practitioners and found nearly three-quarters (74%) were also concerned cybercriminals will harvest encrypted data today in the hope they can decrypt it later when quantum computers become more accessible.

A total of 41% estimated their organization has less than five years to get ready, with more than half (52%) acknowledging they are in the dark about the characteristics and locations of their cryptographic keys. Slightly more than half (52%) reported their organization is currently taking an inventory of the types of cryptographic keys used and their characteristics. Only 39% said they are prioritizing cryptographic assets, with 36% making an effort to determine if data and cryptographic assets are located on-premises or in the cloud.

Almost half of respondents (49%) said their organizations’ leadership is only somewhat aware (26%) or not aware (23%) of the security implications of quantum computing, and only 30% reported their organizations are allocating budget for post-quantum computing (PQC) readiness. The top challenges identified by survey respondents are insufficient allocation of resources (51%), uncertainty about the implications of quantum computing (49%) and lack of clear ownership of the issue (47%).

Diana Jovin, vice president at DigiCert, said it’s apparent IT and cybersecurity leaders need to spend more time making senior business leaders aware of the implications of what will be a seismic cybersecurity event when quantum computers start being used to decrypt data.

At its most fundamental level, rather than working with bits, a quantum computer employs particles in the form of qubits that can be in superposition; in other words, they can take the value of 0, 1 or both simultaneously. The capability will enable quantum computing platforms to crack encryption schemes such as AES, RSA or ECDSA that have been widely used to encrypt data. Organizations will either need to replace the encryption technologies employed in those legacy applications or replace those applications altogether.

Application developers are already being advised to implement encryption in a way that is more easily upgradable. The National Institute of Standards and Technology has defined four draft standards for implementing quantum-safe encryption in the wake of the passage late last year of the U.S. Quantum Computing Cybersecurity Preparedness Act.

Unfortunately, the survey found most organizations still have a lot of work to do to prepare. Only 36% of respondents have some type of crypto-management strategy that is applied to certain applications or use cases. A quarter of respondents do not have a centralized crypto-management strategy (25%).

Overall, survey respondents reported that cyberattacks are becoming more sophisticated (60%), targeted (56%) and severe (54%). Only 50% said their organization is very effective in mitigating risks, vulnerabilities and attacks across the enterprise.

The most strategic priority is to hire and retain qualified personnel (55%), followed closely by achieving crypto-agility (51%), which is the ability to efficiently update cryptographic algorithms, parameters, processes and technologies to better respond to new protocols, standards and security threats.

Despite being forewarned of the threat quantum computing represents to cybersecurity, the biggest issue that most organizations will encounter is all the competing priorities vying for their share of limited funding. It’s easy, given the scarcity of quantum computing platforms today, to delay implementing quantum-safe encryption. However, it’s only a matter of time before sensitive data that organizations have encrypted for decades using legacy schemes will be made readily available for anyone to see using a next-generation platform that every country in the world is now racing to perfect.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
