‘Cryptocrastination’ Poses New Security Threat for Enterprises
Q&A with post-quantum advisor Jaya Baloo
As quantum computing transitions from theoretical concept to practical reality, organizations need to urgently adopt post-quantum cryptography (PQC).
Jaya Baloo, chief security officer at Rapid7, sits on the advisory boards of the Netherlands National Cyber Security Center, PQCrypto and the EU Quantum Flagship’s Strategic Advisory Board.
In this Q&A, she explores the importance of transitioning to quantum-safe cryptography, warning that delays in action could leave organizations dangerously exposed to emerging security threats as the quantum era approaches.
Enter Quantum: Why are organizations reluctant to adopt PQC?
Jaya Baloo: A term has been coined for this phenomenon – crypto procrastination or cryptocrastination. There are a couple of foundational reasons why it's happening now. First of all, they think it's a hard problem they can't get their heads around.
When they do, some quantum skeptics think they have plenty of time and don't need to do anything about it now. They're not fully aware of the "store now, decrypt later" problem, in which an antagonist captures the traffic and waits until there's a quantum computer that can decrypt it.
The third issue is chief security officers are busy. They have a lot of problems that are important and urgent at the same time. So they are asking if PQC can wait.
There's maybe one more category of organizations that know but don't care or fall into the don't know, don't care bucket.
How much of an obstacle is the initial discovery step, when organizations audit where they have cryptography?
There is a foundational issue here because that assumes that there is active recognition of all of the things where they have cryptography. It’s one of those unknown unknowns and many genuinely do not know where cryptographic assets are.
They also don't know how to make the differentiation between cryptographic assets that are their own or shared because they've been given a specific set of keys to use for certain communications, or completely outsourced to a third party.
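The discovery step described above is, in practice, a crawl over configuration and code that turns algorithm names into an inventory. The following is an added example, not code from the interview, from Rapid7 or from any of the bodies mentioned: it scans a few constructed sample files (hypothetical paths and settings), classifies every algorithm token it finds by role (key exchange, signature, symmetric) and quantum status, and then isolates the subset that matters most for the "store now, decrypt later" risk, namely classical key exchange, since captured traffic protected by it can be decrypted once a large quantum computer exists, whereas a broken signature only matters going forward. The regex rules are a starting set, not an exhaustive catalogue; hybrid constructions such as `sntrup761x25519` are reported separately so they are not miscounted as plain X25519.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample "files" standing in for what a crawl of config repos,
# TLS terminators and application settings would read. Paths and values are
# hypothetical; nothing here comes from a real deployment.
SAMPLE_FILES: Dict[str, str] = {
    "nginx/tls.conf": (
        "ssl_protocols TLSv1.3;\n"
        "ssl_ecdh_curve X25519:prime256v1;\n"
        "ssl_certificate /etc/ssl/site.pem; # RSA-2048 leaf\n"
    ),
    "ssh/sshd_config": (
        "KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256\n"
        "HostKeyAlgorithms ssh-ed25519,rsa-sha2-512\n"
    ),
    "app/settings.yaml": (
        "jwt_alg: RS256\n"
        "db_encryption: AES-256-GCM\n"
        "kem: ML-KEM-768\n"
    ),
}

# Algorithm-name patterns (a starting set, extend for your estate).
PQC_KEX = re.compile(r"ML-KEM|kyber|sntrup\d+", re.I)
PQC_SIG = re.compile(r"ML-DSA|SLH-DSA|dilithium|sphincs", re.I)
CLASSICAL_KEX = re.compile(r"x25519|curve25519|prime256v1|secp\d+r1", re.I)
CLASSICAL_SIG = re.compile(
    r"ed25519|ecdsa|\bES\d{3}\b|\bRSA-?\d*\b|\bRS\d{3}\b|rsa-sha2", re.I)
SYMMETRIC = re.compile(r"AES-?\d+|chacha20", re.I)

# Order matters: PQC rules come first so a hybrid token such as
# sntrup761x25519 is not misread as plain X25519.
RULES: List[Tuple[re.Pattern, str, str]] = [
    (PQC_KEX, "key-exchange", "quantum-safe"),
    (PQC_SIG, "signature", "quantum-safe"),
    (CLASSICAL_KEX, "key-exchange", "quantum-vulnerable"),
    (CLASSICAL_SIG, "signature", "quantum-vulnerable"),
    (SYMMETRIC, "symmetric", "symmetric"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    token: str
    role: str
    status: str


def classify(token: str) -> Optional[Tuple[str, str]]:
    """Return (role, status) for one algorithm token, or None if unknown."""
    for pattern, role, status in RULES:
        if not pattern.search(token):
            continue
        if role == "key-exchange" and status == "quantum-safe" and CLASSICAL_KEX.search(token):
            status = "hybrid"  # PQC KEM combined with a classical curve
        if role == "symmetric":
            # Grover's algorithm halves effective symmetric strength, so flag
            # AES keys shorter than 256 bits for review; ChaCha20 is 256-bit.
            m = re.search(r"AES-?(\d+)", token, re.I)
            status = "symmetric-ok" if m is None or int(m.group(1)) >= 256 else "symmetric-review"
        return role, status
    return None


def tokenize(line: str) -> List[str]:
    # Split on whitespace and common config separators; '#' drops comments
    # into tokens too, so a commented key type is still inventoried.
    return [t for t in re.split(r"[\s,:;#]+", line) if t]


def inventory(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, text in files.items():
        for line in text.splitlines():
            for token in tokenize(line):
                hit = classify(token)
                if hit:
                    findings.append(Finding(path, token, *hit))
    return findings


def hndl_exposed(findings: List[Finding]) -> List[Finding]:
    """Classical-only key exchange: the traffic an adversary can store now."""
    return [f for f in findings if f.role == "key-exchange" and f.status == "quantum-vulnerable"]


def summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    for f in found:
        print(f"{f.path:20} {f.token:40} {f.role:13} {f.status}")
    print("summary:", summary(found))
    print("store-now-decrypt-later exposure:", [f.token for f in hndl_exposed(found)])
```

Run stand-alone, it lists every finding and then the three classical key-exchange entries (X25519, prime256v1, curve25519-sha256) as the ones to migrate first; the RSA and Ed25519 signature findings are still quantum-vulnerable but carry no retroactive-decryption risk. Extending `SAMPLE_FILES` with real file contents turns this into the first pass of the audit the question asks about.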
What is the challenge of PQC ownership?
There is an antagonistic relationship between vendors and their customers because customers are saying the vendors don't have it ready, but the vendors say there’s no PQC demand from customers yet. There’s a Catch-22 situation about who goes first.
It needs to be more systemic from the community of software and hardware makers to say let's go. One of the best examples is Apple, which has already implemented a PQC algorithm into iMessage. Chrome is also going to pick up PQC. When it becomes ubiquitous from really significant vendors, that's when you know real change is going to happen.
What are the challenges around PQC for IoT devices?
This is one of the reasons why corporations need to start their PQC journeys now; you need to test everything, and not everything will work, but you can’t replace it all. You will find areas where the current PQC algorithms may not be lightweight enough to support the memory allocation, bandwidth constraints and resource allocations on those IoT devices. Then you need to figure out which is the best way to set this up. Do these current algorithms do what you need them to do, or should there actually be a call for an additional set of algorithms that we'll be able to run on those devices?