Aug 21, 2024
Day Zero: The Standardization of Post-Quantum Cryptographic Algorithms
Day zero was August 13, 2024. It is a day that cybersecurity and quantum computing experts have been warning about for many years, and it arrived one mild day in the middle of August to no fanfare and minor media attention. On that day, the National Institute of Standards and Technology (NIST) published the long-awaited post-quantum cryptographic standards in one of the most significant cybersecurity milestones in recent memory. The publication of the standards is the signal for organizations everywhere to start their transition to the new digital signature and general encryption algorithms. Doing so quickly is our best defense against future quantum-enabled cyberattacks against our most sensitive encrypted data, and it is time to start. Many organizations face challenges with undertaking a mass cryptography transition because of the nature of quantum computing itself. It is entirely different (not better, not worse) from classical computing, requiring a rethinking of what cybersecurity means in a world that includes cryptanalytically relevant quantum computers (CRQC). This challenge is more than technical and requires strategically minded leaders to undertake not just a technological transition, which should have begun on August 13, but also a workforce education program to realign cybersecurity awareness organization-wide.
The threat that quantum computers pose to our data is easy to state but more difficult to explain. Understanding why this threat exists is the ultimate key to post-quantum cybersecurity. Understanding quantum computers, why they are different, and how they threaten our data will lead organizations to take the right policy, strategy, and procurement steps to remain secure and protect their value and reputations in a post-quantum world.
Quantum computers harness the quirky behaviors of sub-atomic particles to create a new kind of computation with capabilities that are not present in our classical computers. Once fully developed, they will have computational capacity far surpassing our most powerful machines and be able to undertake complex simulations and problem-solving operations that are not possible using our current form of computer. That is stated in the future tense because quantum computers capable of the types of world-changing operations described here are still under development. This leads many organizational leaders to believe that the quantum threat is too far away to worry about or that it perhaps may never materialize. This is dangerous thinking that plays fast and loose with critically important data such as intellectual property, personally identifiable information, and other sensitive data. It also risks slowing the cryptographic transition that is our best defense against a future quantum threat. The time for short-sighted thinking is past, and Day Zero is also behind us.
Quantum computers, once they reach the developmental threshold of CRQC, will be able to break the current algorithms we use for public key encryption. That is the factorization-based cryptologic algorithm that uses a public key and a private key to decode messages and internet traffic. The implications of the ability to break encrypted files and data transmissions are significant and led NIST to undertake an effort to replace those algorithms over 8 years ago. Since that time, the US government has published numerous policies and laws regarding post-quantum cryptography, such as the DHS Post Quantum Cryptography Roadmap, National Security Memorandum-10, and the Quantum Cybersecurity Preparedness Act. All these documents envisioned preparation for the standardization of the post-quantum cryptographic standards because there are real stakes involved.
Beyond potential impacts to an organization’s value and reputation, there are geopolitical stakes. Such impacts can seem far away from private corporations and small startups, but the leaders of those organizations should be the most concerned. It is well documented that the People’s Republic of China is developing its own quantum computer, and the funding levels are completely unknown. It is also well known that cyber actors sponsored by the Chinese Communist Party engage in the theft of intellectual property from Western technology firms, whether it is encrypted or not. Stealing encrypted information that you cannot read does not make sense unless you plan to break the encryption in the near term. This should be a major wake-up call for all cyber-savvy leaders, entrepreneurs, and individual contributors across sectors. The problem is that despite the proven capabilities of CRQCs, the funding levels into quantum research, the cybersecurity threat, and the geopolitical motives, many do not understand the quantum threat, and our transition will suffer for it.
Some of the earliest public communications about the quantum threat to encryption urged organizations to prepare early so that on Day Zero, the transition could begin. That day has come. There are several implementation challenges ahead, and there will be technical issues identified despite the considerable testing done by NIST. While these algorithms are being integrated into technology products, there are things organizations should be doing now.
Educate your Workforce: Cybersecurity in the age of quantum computers is fundamentally different. Many of the assumptions that underpin our cybersecurity practices today will be upended by a CRQC. Understanding the threat will drive smart policy, strategy, and procurement decisions for years to come.
Plan your Transition: “The best time to plant a tree was twenty years ago. The second-best time is today.” If you have not been planning your transition, you need to begin immediately. Knowing what encryption you are running in your organization and where it lives is the first step. Identify what data is behind that encryption and how sensitive it is. Be ready to make the switch as soon as the algorithms are commercially available.
Communicate with your Vendors: This will not be the last cryptographic transition we undertake. We need to move toward cryptographically modern and agile hardware and software, and that move requires market demand. The next time we do this could be a simple software push, but that need must be communicated to the market. The new cryptographic standards are a step toward future-proofing your organization, and cryptographic agility is another key step. It is also critical to note that a significant amount of hardware currently deployed cannot run these new algorithms.
The most dangerous outcome is that August 13, 2024 passes without thought or action from organizational leaders and cybersecurity professionals. This moment is a true milestone in modern cybersecurity that requires action. This is not the finish line but the start line, and the gun has just gone off. The race is between organizations with truly valuable data and the state-sponsored malicious cyber actors who wish to steal it for their economic and geopolitical advantage. It does not matter whether your organization has billions of dollars in annual revenue or you just got your first seed round. What you have is valuable, and protecting it will only get more difficult. The transition is underway, and now is the time to educate yourself and your organization broadly about the new assumptions underpinning cybersecurity. Day Zero is behind us now. That means each day forward is a day closer to a CRQC, and a smooth and efficient transition is our best defense against the cyber threats of the future.