PQShield’s Ben Packman Talks Post-Quantum Cryptography and Cybersecurity
2023 serves as a pivotal moment for cybersecurity and the emerging quantum technology ecosystem. While advances in quantum computing have brought the world to the brink of technological revolution, the emergence of quantum has also opened a 'Pandora’s box' of cyber risks.
Large-scale quantum computers will soon be powerful enough to solve computational problems that were previously thought impossible, posing a significant security risk as encryption methods used to protect virtually all of the world’s sensitive information are rendered obsolete.
With the threat of quantum attacks rapidly evolving, the development of cryptographic systems that can mitigate attacks launched by quantum computers has accelerated.
Driven by the need to mitigate immediate and emerging threats, public and private entities are beginning the process of migration to post-quantum cryptography (PQC) to strengthen their security posture and fight off malicious actors using quantum.
At Economist Impact’s Commercialising Quantum Global, we spoke to Ben Packman, Senior Vice President of Strategy at PQShield, about how businesses can take advantage of PQC to protect themselves against the quantum threat.
Ellis: Quantum computing is obviously a powerful and exciting technology, but why are governments and national security agencies so concerned about its threat to cybersecurity?
Ben: “Put simply, quantum computers happen to be particularly good at the maths that sits behind the encryption we are writing today. So effectively a quantum computer at a certain level of power and capability can break cryptography as we know it today. That's the concern.
“PQC has been developed, not just by PQShield, but by the global cryptography community over the last five years while the National Institute of Standards and Technology (NIST) has been standardising it, to come up with new cryptography based on different maths that quantum computers find hard.
"This has now evolved into a set of standards that NIST announced for algorithms in July last year. PQShield co-authored all four of those algorithms, and the standardisation process will be complete and new standards will be in place next year.
The @WhiteHouse has released its National Cybersecurity Strategy. Not surprising Post-Quantum #Cryptography (#PQC) migration is Federal objective but also “The private sector should follow the government’s model in preparing its own networks and systems”. https://t.co/G2760lvGti pic.twitter.com/u7OyYSe2Xp
— PQShield (@PqShield) March 2, 2023
“Now we're talking about new standards of cryptography that people need to comply with. Whether the quantum computer will break cryptography or not has become a different problem.
"Where the quantum computer horizon comes in is how long have we got to do the migration. New standards are coming along and will be with us before we know it, and therefore people should be starting migration now.
"How long people have got to migrate will depend on how fast the development of quantum computers happens over the next five or ten years. But most people are betting on a ten-year window."
Ellis: What steps should businesses take today to identify their exposure to quantum attacks and keep themselves quantum secure?
Ben: “For most companies, if they're not building secure products themselves, the problem is 80 per cent in their supply chain.
“Let's face it, no CISO or CTO is going to go and upgrade their Microsoft Exchange server with their own flavour of PQC. It's just not going to happen. They're going to wait for Microsoft to do it.
"So 80 per cent of the problems are in the supply chain. [Companies] should do a simple desktop exercise to look at the systems that they have in place and identify what they control and what’s in their supply chain. Most companies will find 80 per cent of vulnerabilities in there.
"Then [companies] need to engage with their vendors. But that's very different to planning and migration. That's a technology refresh project which people know how to manage. That's not new anymore. We know how to do that. We can get outsource contractors to help us do that.
"It's about them needing to understand what PQC is, and what implementations look like so that they can be asking their supply chain for the right thing. That to me is the priority for enterprise.
"For somebody in the business of building a secure product, the challenge is actually harder for them in a way. They need to reimagine and redesign how their product works because PQC works slightly differently.
"There are different trade-offs and different design decisions to be taken, and their product may well have to be re-certified, which is a big and expensive process for a lot of companies.
“So if you were to ask me what is slowing down the migration of PQC, my answer would be the supply chain not going at it aggressively enough. I've spoken to lots of vendors who say they’re not getting enough demand, but they’re also not shaking the tree.
"Because of the complexity of the topic, [vendors] need to help their customers break this down a bit. This is an opportunity to bake in some future revenue streams for themselves if they go at it on the proactive approach."
Ellis: If you could use one word to describe the current state of quantum computing, what would it be and why?
Ben: “I would say maturing.
“We've gone through this transition point where at one point quantum was a bit like sticking 'i' in front of any product you ever developed. It was just a thing that you just tagged on because it had some value, a bit like AI was a few years ago. Obviously, that's changed recently.
"[Quantum] is moving through that migration, and I think at one point all the vendors in this space were a bit guilty of trying to sell everything to everyone. Whereas now people are much more confident.
“From talking to customers, our presentations have been usually split into two parts. The first part is what's PQC and why I need it. And the second part is PQShield and why you need us. I'm actually skipping the first part of that presentation more and more nowadays with customers.”