RAND Corporation Report: Quantum Threat

By Philip Lafrance

Published April 29, 2020

Time to stop putting off your quantum-safe migration planning

This month the RAND Corporation released a new report investigating the quantum threat. The authors consider three key timelines in the coming paradigm shift to quantum-safe cryptography. They investigated when a large-scale quantum computer might be built, how long it might take to complete standards for post-quantum cryptographic algorithms, and the rate at which the new algorithms might be adopted.

The report describes the quantum threat as “urgent, but manageable”, which I find to be an incredibly interesting and powerful designation. On one hand, organizations that have not yet begun planning their quantum-safe migration can take some solace and relief in hearing that it might not be too late to start; although, importantly, the timelines for action will be different for different organizations.

On the other hand, how long the window remains open before the threat becomes unmanageable is uncertain, and if committed action is not taken soon, the window might close, leaving organizations with an unmanageable security threat. Indeed, the authors of the report write that “[t]here is little to no margin of safety for beginning the migration to PQC.”

I am of the opinion that organizations should be careful not to be tricked by the window of time I mentioned above. Still having time on the clock is certainly something to be grateful for, but the migration to quantum-safe cryptography can be an extraordinarily complex one, and organizations should not underestimate the time it can take to plan. In fact, I expect to write a future article on that exact topic!

Call for a national strategy to manage the quantum threat

The comprehensive RAND report calls on the US Government to incentivize and enact a whole-of-nation approach to defend against the oncoming quantum threat. The approach advocated in the report not only includes adding quantum-safe protections to things like critical infrastructure or governmental supply chains, but also advises that the government raise awareness of post-quantum cryptography among vulnerable organizations and provide guidance for quantum-safe migrations.

The recommendations made in the RAND report resonate strongly with the mission of ISARA. By building crypto-agile technologies into your organization’s current security infrastructure, you can seamlessly migrate to new or updated cryptographic algorithms now, and to quantum-safe algorithms in the future. And by hybridizing classic cryptography with quantum-safe algorithms, you can prevent future attackers from reading the critical communications you make today, thus protecting your organization from ‘harvest and decrypt’ attacks.