Cybersecurity Awareness Month Commentary
September 2023 by Philip George, Executive Technical Strategist, Merlin Cyber
Philip George, Executive Technical Strategist, Merlin Cyber, comments on Cybersecurity Awareness Month this October.
Time to Understand – and Act On – Quantum Risk
One critical aspect of cybersecurity that deserves much more attention and focus is the advancement of quantum computing. While quantum computing is poised to enable researchers to tackle complex problems through simulation in a way that simply wasn’t possible before, it also has very serious implications for cryptography, the foundation upon which functionally all modern cybersecurity relies. A cryptographically relevant quantum computer (CRQC) could render linear cryptography ineffective, meaning that sensitive data and critical systems protected in this way would be exposed to anyone with quantum computing capabilities. The reality is that our adversaries are inching closer to achieving a CRQC every day and, in the meantime, are collecting sensitive encrypted data to access later, an approach also known as “store now, decrypt later”. Certain cryptographic standards bodies estimate that we have approximately 7-10 years before quantum cryptographic relevancy is achieved; however, we have already seen adversaries exploit our growing reliance on, and implicit trust in, current cryptography, as in the SolarWinds SUNBURST backdoor and the Microsoft Storm-0558 forged-token attacks.
With the executive direction to adopt zero-trust architectures (ZTA) across IT/OT portfolios, the industry cannot afford to delay including a quantum-readiness (QR) roadmap (see the joint CISA/NSA Quantum Readiness memo) in those ZTA modernization plans, especially considering how heavily they will rely upon cryptography across every facet of the maturity model. A major component of the QR roadmap is the execution of a cryptographic discovery and inventory report, which would provide valuable insight into quantum-vulnerable cryptographic dependencies as well as overall cryptographic usage. Those results would in turn inform strategic risk-management decisions for Y2Q (years to quantum) planning and operational cyber threat-hunting.
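To make the cryptographic discovery and inventory step concrete, here is an added example (not code from the commentary or from Merlin Cyber) that classifies constructed inventory records by quantum risk and flags “store now, decrypt later” exposure; the algorithm categories, the data-lifetime and migration-time fields, and the conservative 7-year CRQC horizon (the low end of the 7-10 year estimate cited above) are all assumptions.

```python
# Added example: a minimal cryptographic inventory classifier for quantum-readiness
# planning. Inventory records are constructed; categories and the 7-year CRQC
# horizon are assumptions, not figures from the commentary.
from dataclasses import dataclass

# Public-key schemes that rest on factoring or discrete logarithms, which a
# CRQC running Shor's algorithm would break outright.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}
# Symmetric ciphers and hashes: only weakened (Grover), adequate at >= 256 bits.
SYMMETRIC = {"AES", "CHACHA20", "SHA256", "SHA3", "HMAC"}
CRQC_HORIZON_YEARS = 7  # assumption: conservative end of the cited 7-10 year range

@dataclass
class CryptoUse:
    asset: str                 # system or service where the primitive was found
    algorithm: str             # e.g. "RSA", "AES"
    key_bits: int
    data_lifetime_years: int   # how long the protected data must stay secret
    migration_years: int       # estimated time to deploy a PQC replacement

def classify(use: CryptoUse) -> dict:
    """Return one inventory row with a quantum-risk verdict."""
    alg = use.algorithm.upper()
    if alg in QUANTUM_VULNERABLE:
        category = "quantum-vulnerable"
    elif alg in SYMMETRIC:
        category = "quantum-weakened" if use.key_bits < 256 else "quantum-resistant"
    else:
        category = "unknown"  # unrecognised primitive: route to manual review
    # Store-now-decrypt-later exposure: vulnerable-algorithm data that must stay
    # secret beyond the point a CRQC may exist is at risk today, before Y2Q.
    exposed = (category == "quantum-vulnerable"
               and use.data_lifetime_years + use.migration_years > CRQC_HORIZON_YEARS)
    return {"asset": use.asset, "algorithm": alg, "key_bits": use.key_bits,
            "category": category, "sndl_exposed": exposed}

def inventory_report(uses: list) -> list:
    """Classify every use; exposed items sort first so they are remediated first."""
    rows = [classify(u) for u in uses]
    return sorted(rows, key=lambda r: (not r["sndl_exposed"], r["category"], r["asset"]))

# Constructed sample inventory (not real systems).
SAMPLE = [
    CryptoUse("vpn-gateway", "RSA", 2048, data_lifetime_years=10, migration_years=2),
    CryptoUse("tls-frontend", "ECDH", 256, data_lifetime_years=1, migration_years=1),
    CryptoUse("backup-store", "AES", 128, data_lifetime_years=15, migration_years=3),
    CryptoUse("archive-encryption", "RSA", 4096, data_lifetime_years=20, migration_years=5),
]

if __name__ == "__main__":
    for row in inventory_report(SAMPLE):
        print(row)
```

Feeding real discovery output (certificate scans, TLS configuration, key-management records) into the same record shape turns this into the prioritized report the roadmap calls for.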
The era of implicit cryptographic trust and reliance on an iterative standards process is coming to a close; the industry needs to fully incorporate cryptographic risk into its vulnerability management and remediation programs before Y2Q. Doing so will ensure a more cryptographically agile and robust zero-trust ecosystem across newly modernized environments.