Time For a Post-Quantum Risk Analysis

Three federal agencies just combined resources to issue a fact sheet about the impact of “potentially adversarial, cryptanalytically relevant quantum computer capabilities.” In English, that means cyber-criminals will soon be using some of their loot to purchase quantum computers, and the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the National Institute of Standards and Technology are urging all organizations to begin the process of “quantum risk assessment.”

Standards are being developed for release in 2024, but having a roadmap and inventory enables quantum risk assessment processes, and makes the application and functional dependencies on public-key cryptography that exist within the operational environment visible. “It is imperative for all organizations, especially critical infrastructure, to begin preparing now for migration to post-quantum cryptography,” said CISA Director Jen Easterly. The fact sheet also provides recommendations for technology vendors whose products support the use of quantum-vulnerable cryptography.