Industry Experts Weigh in on Crypto-Agility

Crypto-agility is a term that has come to the forefront in the last two years. Today, the industry is abuzz with talk about how crypto-agility can be used to defend against the cryptographic risks posed by quantum computing. “The idea behind crypto-agility is to adapt to an alternative cryptographic standard quickly without making any major changes to infrastructure,” writes TechTarget. Learn more quantum computing vocabulary and processes, which are critical to our collective IT security this year and beyond.

There is no greater cryptographic migration than the one which some CISOs and CIOs have started preparing for: from classical, public-key cryptography to quantum-safe cryptography. “[Quantum computing] will be highly disruptive for our current security equipment and systems,” warns Help Net Security. Adds Roger A. Grimes, author and columnist, “The power of quantum computing brings the day closer when the conventional encryption we all rely on can no longer protect us.”

In a recent Forbes article, “Getting The Big Banks To Confront The Quantum Challenge,” author Arthur Herman questions what the big banks are doing to protect their assets and America’s financial industry against future quantum attack. He asserts, “Getting the big banks to lead the charge in getting America quantum ready is as...fundamental to our national security as it is a matter of their bottom lines.”

However, not enough CISOs and CIOs have started to address this threat or perhaps understand the sheer magnitude of what’s at stake, the time to fix the problem, the resources and budget required, or what the first step to quantum-safe preparation should be. We have spoken to some who have said there just isn’t time today to worry about a threat that is a few years away — not when faced with numerous serious threats today — any of which can severely derail a business operation of any size.

This could be a fatal mistake for business continuity, especially when the harvest and decrypt is a real issue today. Do you need a refresher on quantum-related vocabulary? For a glossary of quantum computing terms and a hype-free explanation of what’s at risk and what you can do, download Managing Cryptographic and Quantum Risk.

The industry consensus is that we’ll likely see a quantum computer in the next few years. If organizations don’t take actions now with cryptographic management, such as implementing a Cryptographic Center of Excellence (CryptoCoE) and quantum-safe, crypto-agility solutions, it will be too late to start. The latest update from NIST indicates that everything is moving forward with the post-quantum cryptography (PQC) standardization project, with lots of progress being made. Read more about that here.

Planning Now for the Quantum Threat Ahead

Now is the time to start planning for the quantum-safe cryptography migration journey by gaining some familiarity with the new cryptographic algorithms, inventorying assets, and conducting an impact analysis. “Make sure your organization is making plans to be ahead of the quantum threat. Do your research. Do a quantum risk analysis, and make sure somebody is designated to be in charge of crypto-agility with regards to quantum computers,” recommends Dustin Moody, Ph.D., NIST mathematician.

Why is it important to talk about crypto-agility now and start taking action? “Today, almost every application and IT system that you interact with on a daily basis contains cryptography; it's found throughout all the various layers of an organization’s infrastructure, whether on-premises or cloud-based...With cryptography at the core of every secure data transmission and transaction, an organization’s cryptography requires constant management,” writes Mike Brown, CTO of ISARA, in his Forbes article, “A Gardener’s Perspective On Cryptographic Management.”

Here are some published industry leaders’ thoughts about quantum preparedness and the importance of crypto-agility:

'Securing devices/applications and becoming “crypto agile” is fundamental to an organization’s effort to become and stay secure, today and in the future...A common issue most security professionals face is not having a full understanding of where crypto is being used throughout the IT infrastructure. Maintaining a software inventory is something security professionals are familiar with, and they need to develop the same insight into all connected devices.”


"Every industry’s security — including government, energy, financial services, automotive, aviation, military, and enterprise — will be affected by quantum technology. Quantum planning and migration to crypto agile solutions are critical to organizations in all industries. This is particularly serious for organizations with security that is underpinned by public key cryptography. This includes those with long-lifespan Internet of Things (IoT) devices such as satellites, automobiles, and critical infrastructure components that rely on cryptography for code signing.”


“It is inevitable that many IoT devices will operate for durations that extend well beyond the effectiveness of their cryptographic keys. With this predestined outcome, readiness becomes a necessity. Not the readiness to respond to broken algorithms and their impact on data and communications, although that is also important, but the readiness to respond to crypto risk. The ability to act before threats become real, and to take action that results in a state where cryptography and its usage, whether for data in motion or data at rest, has its integrity upheld.”


“Start protecting your mission-critical connected devices today using advanced quantum-safe digital certificates and secure key management for IoT connected devices...Although the post-quantum era is still a few years away, practicing crypto agility now will help avoid expensive security retrofitting in the future as quantum computing becomes more prevalent.”


“Achieving crypto-agility is more difficult than it first appears, especially for large organizations. Most don’t know how many keys or certificates they have, where they are located in their infrastructure or who on their staff has the access and knowledge to correct them.”


Future-Proofing Organizations’ Infrastructures

To prepare for the immense cryptographic transition coming, organizations should start identifying the information and systems that may be vulnerable to quantum-enabled attacks. Then, determine where crypto-agility tools and solutions are needed to transition from classical to quantum-safe measures to safeguard critical assets.

ISARA’s Paul Lucier recommends, “By starting now with a crypto management strategy, you will better equip your organization to confront the very real difficulties of the transition, and manage unwelcome surprises that could derail and delay quantum-safe migration efforts and create soaring back-end costs.”