Preparing for the quantum revolution

It’s time to act: why quantum technologies demand urgent attention from C-Level executives?

We are gradually entering a new era in technology with the potential to transform the digital security landscape. Experts predict that fully operational quantum computers (QC) will emerge within 5 to 10 years, heralding “Q-Day.” This moment will signify that traditional cryptographic algorithms can be easily breached.

Although the timeline seems distant, some organizational processes may require immediate action. The long lifecycle of critical IT systems, complex production and integration-deployment processes, and the real threat of “harvest now, decrypt later” attacks mean that postponing action could have catastrophic consequences.

This threat impacts current security systems, including cryptocurrencies, blockchain, digital signatures, VPNs, websites (HTTPS), some banking applications, instant messengers, and email. For every large company, identifying and preparing the necessary resources is a task that should begin today.

“Q-Day”: the core of threat

At the heart of the problem is the ability of quantum computers to rapidly solve complex mathematical problems, including the factorization of large numbers, upon which classical public-key cryptography relies. As a result, previously secure digital secrets may become vulnerable to attacks.

One of the most serious threats is the “harvest now, decrypt later” attack. Hackers can already intercept and store encrypted data, knowing that once quantum computers become available, they will be able to decrypt it. This means that long-term validity data, secured with today’s cryptography, is already at risk.

Which sectors are most vulnerable?

The risk can affect all entities, but some sectors are particularly susceptible due to the nature and longevity of the data they store:

• Financial data
• Medical information
• Intellectual property (IP)
• Critical infrastructure and industrial control systems (ICS)
• High-value remote systems and long-life equipment (e.g., satellites)

Virtually all large enterprises and those with high capital turnover will be exposed to the risk of traditional cryptography being broken by quantum computers. One could say the clock is already ticking.

The response: PQC, QKD, and NIST standards

In response to this challenge, the global technological community has developed post-quantum cryptography (PQC) and quantum key distribution (QKD) solutions.

The American National Institute of Standards and Technology (NIST) plays a key role in PQC standardization.

• NIST Standards: On August 13, 2024, NIST published specifications FIPS 203, FIPS 204, and FIPS 205.
• Algorithms: These standards specify algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER, and SPHINCS+.

Regulatory landscape and timelines

The global regulatory landscape is rapidly changing, with most countries aiming for coordinated implementation schedules for algorithms standardized i.e. by NIST. However, specific deadlines and requirements vary depending on the region and critical infrastructure sector.

• European Union (EU): The European Commission recommends that all member states begin transitioning to post-quantum cryptography by the end of 2026. The protection of critical infrastructure is to be migrated to PQC by the end of 2030. Additionally, the Digital Operational Resilience Act (DORA) requires operational resilience to new technological threats, which includes migration to PQC solutions.
• United Kingdom (UK): The NCSC (National Cyber Security Centre) has presented a three-phase schedule aimed at transitioning organizations to quantum-resistant encryption methods by 2035.
• USA: Congress passed the Quantum Computing Cybersecurity Preparedness Act (H.R.7535) in December 2022.

How to Begin Preparations: Guidance for C-Level Executives

The transition to PQC is a challenge greater than a simple software update – it is a global revolution in digital security. Senior management should incorporate quantum risk into current enterprise risk assessment and management practices.

The following steps are recommended:

1. Create a cryptographic inventory: compile a detailed list of all assets, applications, hardware, and services using cryptography. Identify which ones will have a long lifespan and require early migration (e.g., satellite and industrial systems or critical infrastructure).
2. Plan and coordinate: begin coordinating PQC activities with key partners, service providers, and the entire supply chain. Keep in mind that full migration may take more than one investment cycle.
3. Manage long-term data risk (Harvest Now, Decrypt Later): develop a plan to re-encrypt existing sensitive data (especially those with long validity periods) using PQC algorithms. Equally crucial, plan for the secure and effective deletion of all current backups secured with old cryptography, which will become easy to decrypt after migration.
4. Build a testbed environment: it is necessary to create an appropriate environment for testing. Implementing PQC requires careful planning, testing, and integration, often using hybrid standards (combining classical and quantum algorithms).

Modern technologies – including advanced data analytics based on artificial intelligence and quantum computing and communication prototyping – create an ideal environment for opening new opportunities. The private sector is key to protecting digital sovereignty, especially in an era of widespread satellite connectivity.

In summary: All large enterprises are at risk of traditional cryptography being broken by quantum computers in the future. Mitigation will most likely not be a simple task, so time is running out. Senior leadership should incorporate quantum risk into risk assessment and management.

Is Your Company Ready for the Quantum Revolution?

The challenge of transitioning to post-quantum cryptography is complex and requires a strategic approach.

Contact 3 Hazel Tree Partners for support in preparing your company for the Quantum Revolution.