Make 2024 the Time to Inventory Your Cryptographic Assets

Quantum computing and the great security risks it poses to current cryptography continue to be top of mind across government agencies, enterprises, and standards organizations. These organizations are focused on how they can ensure the security of their systems today and in the longer term. 

With cryptography at the core of data security, the National Institute of Standards and Technology (NIST) explains what’s at stake. "Sensitive electronic information, such as email and bank transfers, is currently protected using public-key encryption techniques, which are based on math problems a conventional computer cannot readily solve. Quantum computers are still in their infancy, but a sufficiently powerful one could solve these problems, defeating the encryption. The new standards, once completed, will provide the world with its first tools to protect sensitive information from this new kind of threat." NIST’s goal is to standardize cryptographic algorithms that can resist attacks by quantum computers. 

Leading cryptographic research labs in governments, enterprises, and academic institutions are actively involved in evaluating and testing the post-quantum cryptography (PQC) algorithms proposed for NIST standardization — cryptography that can be implemented today and will be resilient to future quantum attacks — to ensure the security of systems in the era of quantum computing. 

The discussion of post-quantum cryptography has been a pressing topic since 2016, when NIST began the cryptographic algorithms standardization process. November 22, 2023, marked the deadline for the public to provide feedback on draft specifications for three of the algorithms NIST has selected for standardization (ML-KEM, ML-DSA, and SLH-DSA). 

With standards for these three algorithms expected to be finalized in early 2024, what can organizations do today to proactively address security risks, so they don’t fall behind? U.S. government officials say a thorough system inventory is "crucial to understanding where organizations need to begin modernizing from standard public key encryption to quantum-resistant encryption," according to a NextGov article.

According to a National Cybersecurity Center of Excellence (NCCoE) preliminary draft Special Publication (NIST SP 1800-38A, Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum Safe Cryptography), the challenge is that many of the quantum-vulnerable cryptographic products, protocols, and services used today need to be updated, replaced, or significantly altered to use quantum-resistant algorithms.

Experts Weigh in on Why Inventorying Your Cryptography is Critical

"Evaluate the sensitivity of your organization’s information and determine its lifespan to develop a quantum risk assessment."
-Canadian Centre for Cyber Security

"…We also know that it will take time to develop and implement the quantum-safe encryption systems to replace those we have now… It starts with assessing the potential impact of quantum on your own organization… The resilience of Canada’s financial system depends on it."
-Hisham El-Bihbety, CISO, Bank of Canada, the Canadian Forum for Digital Infrastructure Resilience (CFDIR), Canadian National Quantum-Readiness Best Practices and Guidelines

"A successful post-quantum cryptography migration will take time to plan and conduct. CISA, NSA, and NIST urge organizations to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors."
-Cybersecurity and Infrastructure Security Agency (CISA), Quantum-Readiness: Migration to Post-Quantum Cryptography

"Your organization should develop and budget for a transition plan to upgrade IT systems and deploy standardized quantum-resistant cryptography when available."
-Government of Canada, Canadian Centre for Cyber Security

"Our recommendation is very similar to what the U.S. government is undertaking internally and that's first to conduct an inventory, to know what you have and know what you need to prioritize."
-Christian Lowry, Section Chief at CISA

"Organizations are often unaware of the breadth and scope of application and functional dependencies on public-key cryptography within their products, services, and operational environments. As a result, an organization may not have complete visibility into and a full inventory of the use of cryptography across their organization. Having a complete inventory of key partners (Software as a Service, software vendors, etc.), where cryptography is being used (on-premises, over public internet, etc.) and what data is associated with those relationships will be instrumental to understand how to prioritize migration."
-NCCoE, NIST SP 1800-38A (preliminary draft)

"While a standard isn’t in place yet, now is the time to understand your risks and put a focus on agility…Organizations should be driven by three basic factors when it comes to security post-quantum: know your risks, focus on crypto agility, start today. Don’t wait for an uncertain future to start building your organization’s lines of defense against the security threats posed by quantum computing."
-Gina Scinta, Deputy Chief Technology Officer, Thales Trusted Cyber Technologies

"The industry is poised to take a quantum leap in both cryptography and computing. The time is now to take that leap."
-Francis Sideco, TIRIAS Research and Forbes contributor

"The United States must prioritize the timely and equitable transition of cryptographic systems to quantum-resistant cryptography…Central to this migration effort will be an emphasis on cryptographic agility, both to reduce the time required to transition and to allow for seamless updates for future cryptographic standards."
-The White House, National Security Memorandum/NSM-10

"Quantum-safe migration is part of a larger opportunity to modernize our IT ecosystems, remediate yesteryear’s security vulnerabilities, and adopt a sustainable model for managing our risks going forward."
-Atsushi Yamada, CEO, ISARA, via an interview in Help Net Security

At ISARA, we help customers manage the risks associated with their cryptographic blind spots. We inventory cryptographic assets, assess risks, and provide guidance to mitigate vulnerabilities and make systems quantum-safe. Organizations can turn to Advance®, ISARA’s cryptographic inventory and risk assessment tool, to help reveal those blind spots. "We are futureproofing systems for more than just a PQC perspective — it is longer-term than that. It is about being crypto agile for the long term. Our mission is to make our customers safer today, tomorrow, and for many years to come," added Yamada.