Post-quantum cryptographic inventory – the latest PQC buzzword and why you need to know it


As the security industry braces itself for a post-quantum world – and the dreaded changeover of pretty much every piece of encrypted technology in existence – there's a new buzzword coming to town, and it's called “cryptographic inventory.” Cybernews explains what it is and why you'll be hearing about it for the next 10 years.

Have you heard of Q-day? It’s the day when a quantum computer will be able to break the public-key algorithms in use today – algorithms such as RSA-2048 and 256-bit elliptic-curve cryptography (the P-256 curve behind most ECDSA and ECDH deployments) that currently protect a large portion of the nearly 200 zettabytes of sensitive data stored digitally all over the world. Symmetric ciphers such as AES-256 are not broken in the same way; it is the public-key layer that has to be replaced.

As scientists continue to get a handle on how to successfully stabilize qubits, the building blocks of quantum computers, leading experts have predicted Q-day could come anytime in the next three to fifteen years.

Image: IBM Quantum System Two quantum computer. Marijan Murat/Getty Images

Security insiders warn of a quantum playground filled with savvy hackers and nation-state threat actors who have been diligently hoarding reams of encrypted data in anticipation – a tactic known as “harvest now, decrypt later.” An attack using a cryptographically relevant quantum computer (CRQC) could not only expose critical secrets but also result in losses running into trillions of US dollars.

And, citing the IBM roadmap released last month, many quantum researchers now estimate the “quantum apocalypse” will happen less than a decade from now, by the early 2030s.

These predictions have got the Western world up in arms, with the White House and the European Union scrambling to put together their own post-quantum cryptography (PQC) roadmaps to guide government agencies, critical infrastructure, the financial and crypto sectors, as well as private and public organizations.

Preparing for Post-Quantum Cryptography (US Department of Homeland Security)

In fact, it was only last year that the National Institute of Standards and Technology (NIST) released both the first three ready-to-deploy PQC algorithms – ML-KEM (FIPS 203) for key establishment, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for digital signatures – and its draft transition guidance (NIST IR 8547, Transition to Post-Quantum Cryptography Standards), with a fourth standardized algorithm, FN-DSA, said to be on its way.

Published as Federal Information Processing Standards (FIPS), NIST’s long-standing publication series rather than a new label, the finalized algorithms were chosen from the 82 submissions received in a selection process NIST started in 2016.

So, where does cryptographic inventory fit in?


One of the core tenets of creating any cybersecurity strategy worth its salt is to start with knowing what you have.

Unless a company has a full and detailed list of its digital assets, how can it know what it needs to protect? Well, the same concept applies here.

The US, UK, and EU member states have put forth timelines under which the transition to PQC algorithms must be completed for highly sensitive systems by 2030 and for all others by 2035, effectively deprecating today’s public-key algorithms (RSA, Diffie-Hellman, and elliptic-curve schemes such as ECDH and ECDSA).

And until an organization creates a comprehensive cryptographic inventory, it cannot begin to plan a move to a quantum-safe environment, because it does not know what has to be migrated.

Cryptographic infrastructure serves as the cornerstone of the global digital ecosystem, underpinning the very essence of digital trust.

-- Cryptographic Inventory: Deriving Value Today, Preparing for Tomorrow

“Many organizations don’t realize how tremendous this transition is,” said Vladimir Soukharev, Vice President of Cryptographic Research and Development at InfoSec Global, a Keyfactor Company.

In a collaboration with HSBC and Thales, Soukharev is also one of the authors of the freshly published July whitepaper, “Cryptographic Inventory: Deriving Value Today, Preparing for Tomorrow.”

Shared exclusively with Cybernews before its formal release this week, the 31-page insider report delves into the intricacies of how a company can best tackle “today's cryptographic shortcomings while ensuring compliance and prioritising the reduction of business risk” – all within the given timeframes.

Image: Post Quantum Encryption. Gorodenkoff | Shutterstock

The entire process is expected to present technical challenges, impact all partners within the value chain, require substantial resources, and even then, some existing digital systems may not be able to transition to quantum-safe status, the paper states.


“Realistically, it should be done as soon as possible,” Soukharev explains.

“Cryptographic transitions themselves take years to achieve. Thus, if one needs to ensure that their chances of completing it by 2030 are high, they should finish the inventory task no later than the end of 2026,” he says.

Preparing for the advent of quantum computing is a major undertaking, according to the authors. By providing specific goal dates, Soukharev says companies increase their chances of completing the entire transition in time.

“If they only have the final date as their guidelines, they are very likely to underestimate the time and resources needed, leading to delays,” Soukharev says.

CISOs need to start – yesterday

The paper is designed specifically to help technology leaders such as Chief Information Officers (CIOs), Chief Technology Officers (CTOs), and Chief Information Security Officers (CISOs) understand the inventory’s strategic value to overall business success. In it, the authors argue that cryptography itself can now be classified as critical infrastructure.

Besides harvest now, decrypt later threats, the research states CRQC attacks could severely impact encrypted network traffic, digital signatures and certificates, all layers of software and hardware systems, most applications, the cloud, Internet of Things (IoT), 5G, robotics, AI, blockchain, and Web3.0.

One of the more interesting aspects of the complicated process will be the need for automation, as discussed in the whitepaper.

The authors say some level of automated cryptographic discovery will be necessary, because manual processes are too inefficient and an organization’s infrastructure changes continuously.

However, they say human management will also be required.


Very few automated platforms can handle discovery across “on-premises, cloud-native, and hybrid environments, especially with most organizations’ mix of legacy systems, cloud services, and third-party applications involving a vast number of keys, certificates, algorithm instances, and protocols,” the paper says.

The paper further explains that automation tools often have limited coverage or compatibility and may skip artifacts they do not understand, creating blind spots in overall cryptographic visibility. The practical consequence is that an inventory tool must report what it could not classify, not just what it could; an unparsed artifact that disappears from the output is indistinguishable from one that was never there.
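To make the blind-spot point concrete, and to tie it back to the “know what you have” principle above, here is an added example of how a discovery scanner should behave. This is illustrative code written for this article; it is not the whitepaper’s code and not an InfoSec Global, Keyfactor, HSBC or Thales tool. It parses OpenSSH public keys from their RFC 4251 wire format to recover algorithm and key size, flags the Shor-vulnerable ones (RSA, ECDSA, Ed25519), and records every artifact it cannot parse as an explicit blind spot instead of silently dropping it. The key blobs, the PGP block and the host paths are constructed inside the script and are synthetic.

```python
"""Toy cryptographic-discovery scanner (added example, not the whitepaper's code):
classifies artifacts by algorithm and key size, flags quantum-vulnerable public
keys, and records anything it cannot parse as an explicit blind spot."""
import base64
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    source: str
    kind: str                           # "ssh-public-key", "pem-block", "unparsed"
    algorithm: str                      # "RSA", "ECDSA", "Ed25519", ... or "UNKNOWN"
    key_bits: Optional[int]             # None when the tool could not determine it
    quantum_vulnerable: Optional[bool]  # None means blind spot, NOT "safe"
    note: str = ""


def _ssh_string(blob: bytes, off: int):
    """Read one RFC 4251 'string' (uint32 length + bytes) from an SSH key blob."""
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + length], off + length


def parse_ssh_public_key(line: str, source: str) -> Finding:
    """Classify one OpenSSH public-key line (authorized_keys / *.pub format)."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _ssh_string(blob, 0)
    if wire_type.decode() != key_type:
        return Finding(source, "ssh-public-key", "UNKNOWN", None, None,
                       "key-type prefix does not match wire blob")
    if key_type == "ssh-rsa":                       # RSA: broken by Shor
        _e, off = _ssh_string(blob, off)            # public exponent (mpint)
        n, off = _ssh_string(blob, off)             # modulus (mpint)
        return Finding(source, "ssh-public-key", "RSA",
                       int.from_bytes(n, "big").bit_length(), True)
    if key_type.startswith("ecdsa-sha2-nistp"):    # ECDSA: broken by Shor
        curve, off = _ssh_string(blob, off)         # e.g. b"nistp256"
        return Finding(source, "ssh-public-key", "ECDSA",
                       int(curve.decode()[len("nistp"):]), True)
    if key_type == "ssh-ed25519":                   # Ed25519: broken by Shor
        return Finding(source, "ssh-public-key", "Ed25519", 256, True)
    # A key type this tool has no parser for: record it, do not drop it.
    return Finding(source, "ssh-public-key", key_type, None, None,
                   "no parser for this key type")


def classify_artifact(text: str, source: str) -> Finding:
    """Route an artifact to a parser; unknown formats become explicit blind spots."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    if first.split(" ")[0].startswith(("ssh-", "ecdsa-sha2-")):
        return parse_ssh_public_key(first, source)
    if first.startswith("-----BEGIN "):
        label = first[len("-----BEGIN "):].rstrip("-")
        return Finding(source, "pem-block", "UNKNOWN", None, None,
                       f"PEM block '{label}' not parsed by this tool")
    return Finding(source, "unparsed", "UNKNOWN", None, None,
                   "unrecognised artifact format")


def summarise(findings) -> dict:
    """Report vulnerable items and, separately, blind spots (never folded into 'safe')."""
    return {"total": len(findings),
            "quantum_vulnerable": sum(1 for f in findings if f.quantum_vulnerable),
            "blind_spots": sum(1 for f in findings if f.quantum_vulnerable is None)}


# --- Constructed sample artifacts (synthetic; not real keys; hypothetical paths) ---
def _ssh_str(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(value: int) -> bytes:       # RFC 4251 mpint: leading 0x00 if MSB is set
    return _ssh_str(value.to_bytes((value.bit_length() + 8) // 8, "big"))

_N = (1 << 2047) | 0x10001             # 2048-bit odd integer standing in for a modulus
RSA_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_str(b"ssh-rsa") + _mpint(65537) + _mpint(_N)).decode()
ECDSA_LINE = "ecdsa-sha2-nistp256 " + base64.b64encode(
    _ssh_str(b"ecdsa-sha2-nistp256") + _ssh_str(b"nistp256")
    + _ssh_str(b"\x04" + b"\x01" * 64)).decode()   # dummy uncompressed point
PGP_BLOCK = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n(armored data omitted)\n"
             "-----END PGP PUBLIC KEY BLOCK-----")
SAMPLE_ARTIFACTS = {
    "host-a:/root/.ssh/authorized_keys": RSA_LINE,
    "host-b:/etc/ssh/ssh_host_ecdsa_key.pub": ECDSA_LINE,
    "host-c:/etc/apt/trusted.gpg.d/vendor.asc": PGP_BLOCK,
}


def run_inventory(artifacts=SAMPLE_ARTIFACTS):
    return [classify_artifact(text, src) for src, text in artifacts.items()]


if __name__ == "__main__":
    results = run_inventory()
    for finding in results:
        print(finding)
    print(summarise(results))          # expect 2 vulnerable, 1 blind spot
```

Run as-is, the summary reports two quantum-vulnerable keys and one blind spot, kept as separate numbers. A tool that folds the unparsed PGP block into “nothing found” would produce exactly the false confidence the paper warns about. A production inventory would add parsers for X.509 certificates, JWKs, keystores, TLS configurations and so on, but the contract stays the same: every artifact the tool saw appears in the output, with `None` wherever it could not decide.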

Additionally, while automation is expected to play a critical role in inventory discovery, Soukharev is less convinced that artificial intelligence can be used the same way.

“AI might possibly be able to help in the future by speeding up some subprocesses. However, cryptography is a very complicated topic, and currently, AI often provides improper, outdated, and wrong expertise around it,” he says.

Image: Post Quantum Encryption. ArtemisDiana | Shutterstock

As for cybersecurity concerns related to the collected data, Soukharev says, “most of the time, cryptographic inventory would contain highly sensitive items, so sharing it with AI could be dangerous or possibly even out of compliance.”

Furthermore, with most security leaders already aware of the risks associated with the inventory getting into the wrong hands, Soukharev says it would be imperative to only “perform data collection on premises, rather than using a SaaS approach.”
